Clef and iThemes Security

Figured it out – can’t use the “Hide backend” function in iThemes. Disabling that allows Clef to work.

That being said, it would be great if there were a way to use that functionality with Clef.

@dma999999

Hi there,

Two things here: (a) the iThemes hide backend feature is compatible with the Clef plugin; (b) on the state parameter error, can I ask you to take a look at this guide: https://support.getclef.com/article/95-the-state-parameter-is-not-verified-error; it is likely that there is a caching issue involved. If you need assistance working through the suggestion on the guide, can you email [email protected] with the details of the site in question (e.g., the URL, the hosting provider, what your caching setup includes, etc.)

Thanks very much. The instructions were straightforward. Unfortunately, following the suggestions in the guide did not work when I turned on the hide backend feature and cleared all the caches. I’m on WPEngine and it’s only their caches I used, so I cleared both the one from within WP in their plugin, as well as the user portal. I tried clearing a couple of times after having reactivated the feature, but alas, same error message. There is no option in WPEngine to exclude wp-login from caching, at least none that I could find.

Unfortunately, I’m not a WPE customer at the moment, so I can’t test the following directly. However, based on this (https://wpengine.com/support/using-dev-tools/) . . .

Cache-Exclude Paths

This allows you to indicate which URL paths should never be cached. This is useful for eCommerce pages or special login pages.

. . . it looks like you might be able to request access from WPE to an extra Dev Tools kit. The Cache-Exclude Path is the tool you will need to use in order to exclude the re-named login page from WPE’s cache.

Alternatively, as a possible creative workaround, you could inquire what the rule pattern is for excluding the default login script (wp-login.php); then, if the pattern includes a wildcard like /wp-login.php*, you could set your renamed script to a name that would be included in the wildcard such as /wp-login.php?secret-login-page-name

UPDATE: I contacted WPE support, and the long and short is that (a) the Cache-Exclude-Paths tool is only for a subset of enterprise customers; (b) however, support will accommodate customer requests for excluding a custom login script URL from a WPE customer’s server cache, but doing so requires contacting support and requesting them to set up the exclusion rule.

I should mention one more WPE thing here too: staging sites in WPE accounts are not server-side cached (https://wpengine.com/support/staging/). So, if you test iThemes renamed login page + Clef on your staging environment, you should be able to verify that Clef logins are working in the non-cached environment. (Be sure to add the staging domain to your list of Application Domains in the Clef integration settings; see https://support.getclef.com/article/75-using-staging-urls-with-clef-s-wordpress-plugin).