FE user blocked when “Only Allow Local Logins” is active

@alfonsoborghi,

Thank you for reaching out for support. I am assuming FE user is “Front-End” user. Is this affecting the ‘administrator’ roles or only subscriber and other roles roles? The login form has to include a nonce which is generated by the WP Security Safe plugin. The nonce will be a hidden field that will be checked on every attempt to login. If the nonce has expired (24 hr expiration) or is missing, you will get that error in the logs.

The field will look something like this:
<input type=”hidden” id=”_wpnonce” name=”_wpnonce” value=”68515e239d”>

That value is a unique string that is generated for the purpose of logging in. The value changes for each user to verify that the user is indeed visiting the page before logging in.

How to troubleshoot:

1. Turn on the WP Security Safe local login feature and DO NOT LOG OUT.
2. Open up an incognito window in the browser and visit your login page, which will prompt you to login in that incognito session.
3. Right-click on the form, and inspect element or view the page source. You should find a field with the name of name=”_wpnonce” within the form. If it is not there, the login validation will fail.
4. If it is there, then the value is not coming through properly and failing due to it not matching.

Please try this and let me know what you discover. Be sure to stay logged in in the other session to prevent locking yourself out of the admin.

If you need help troubleshooting this, please add [email protected] as an administrative user and I can login and troubleshoot this for you. If you add me to your website as an administrator, please check the checkbox to notify the user when creating the account. Once this process is done, please delete my account.

– Steven

Hi, thank you for your fast reply.
I checked the wp-login.php and actually it works now.
The issue is that many FE users use another page to login:
“https://www.rotarymodena.it/?page_id=1666&#8221; a page generated by a “Login user page” template, wich has not the nonce hidden field.
So I simply need to add this hidden field to the template. I do not know why it was working before, anyway how do I get the nonce number to include in the form?.
Thank you very much

You can use the snippet of code below to generate the line of code you need.

<?php wp_nonce_field( ‘login-local-‘ . SECSAFE_SLUG ); ?>

The line of code must get placed within the boundaries of the <form></form> tags for the public login. This means that this code may not get the results you want if you cannot get the _nonce field within the tags. It depends on how that form is being created. If the form is being created by calling a WordPress function or another plugin, then please share that code with me and I will make WP Security Safe compatible with it.

Thanks,

-Steven

In the template, the login form is called by:

<?php wp_login_form( $args ); ?>

but this is what it really get, the nonce field is not present, but how can I modify the wp_login_form call, can I use the $args variable?:

<form name="loginform" id="loginform" action="https://www.rotarymodena.it/wp-login.php" method="post">
			
			<p class="login-username">
				<label for="user_login">Nome utente</label>
				<input type="text" name="log" id="user_login" class="input" value="" size="20" />
			</p>
			<p class="login-password">
				<label for="user_pass">Password</label>
				<input type="password" name="pwd" id="user_pass" class="input" value="" size="20" />
			</p>
			
			<p class="login-remember"><label><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> Ricordami</label></p>
			<p class="login-submit">
				<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary" value="Login" />
				<input type="hidden" name="redirect_to" value="https://www.rotarymodena.it" />
			</p>
			
		</form>

Thank you

I believe I will need to make the plugin compatible with this. The parameters passed with $args will not be able to trigger the nonce field.

Please disable the Local Login feature for now. I will investigate a solution and roll out a new version of WP Security Safe in a day or so. I will comment on this thread once the version is available.

-Steven

I have found a solution to this issue. I will release a new version of WP Security Safe 10 hours from now. I need to test this solution thoroughly before I release it.

-Steven

@alfonsoborghi,

I have released version 2.2.3 and it includes a bug fix that should solve your login issue. Please update the plugin and clear your cache (if you are using W3TC or Super Cache..etc). Please let me know if this solves your issue.

Also, please review the changelog notes for version 2.2.3.

Thank you,

-Steven

Hi Steven,
I’ve updated the plugin and now it’s working perfectly!

Thank you very much!

Alfonso

@alfonsoborghi,

I’m glad to hear that this fixed your issue. Please write a review of WP Security Safe as this helps support further development of this plugin.

Thank you,

-Steven