PMPro login page causes “reset password key is invalid” error

Hi @ciarando

Thank you for bringing this to our attention, I do apologize for the issue and inconvenience caused by this.

I’ve passed this onto our development team to investigate and troubleshoot further.

We will revert back as soon as we possibly can.

I have run some tests and wasn’t able to recreate this issue, I was redirected to the front-end reset password page via the /login/ link.

Do you have any other plugins that may alter login functionality?

Hi Andrew, many thanks for your response!

We did have Profile Builder alongside PMPro until the PMPro login page was available. The Profile Builder plugin has since been deactivated and deleted and the cache has been purged multiple times since then.

There are no other login related plugins on the site.

I’ve just retested this and have the same result on the new user’s [SiteName] Login Details email.

Thanks for the feedback @ciarando. Would you mind sending through a list of active plugins on your site so I may look into this further?

I haven’t been able to recreate this issue yet.

Thanks Andrew. Here is a screenshot. The link will expire in 1 hour.

https://www.dropbox.com/s/7417005eoqvbnzn/active-plugin-list.png?dl=0

Hi Andrew, any further thoughts on this issue? TIA!

I don’t notice anything out of the ordinary or any concerning plugins that may need further testing.

User’s should be clicking the first link to go to the wp-login.php page, as the second link is the default login URL for WordPress which is sent by default. This shows /login/ because you have setup the login page URL.

The wp-login.php URL doesn’t get redirected by Paid Memberships Pro whatsoever and should still be accessible by anyone that navigates to that link.

Hi, everyone. Sorry for the delay in getting this fixed.

We have a patch for this and will be including the fix in the 2.3.4 release of PMPro, which should go out later tonight or sometime tomorrow.

If you are curious, here the is the change in our code to support this:
https://github.com/strangerstudios/paid-memberships-pro/commit/db28aa9cd61590f6a8f54ef20822285f950fb2e4

I am doing a bit of further testing to handle different error cases when changing passwords and testing new user emails and password resets on multisite networks. There may be further changes to support that.

Thanks again for your help in finding this issue and getting it fixed.

If you run into issues after updating to 2.3.4, let us know.

Brilliant! Thanks so much Jason. I’ll keep an eye out for the update.

I’m on PMP version 2.4.3 and I have a very similar problem. When PMP is active, the reset password link in the email is of the form domain.com/login/?action=rp&key=XXX&login=USERNAME. Clicking this link takes me to the login page at domain.com/login asking for username and password to login as normal. Nothing related to setting a new password is available or possible.

If I deactivate PMP, the reset link from the email is of the form domain.com/wp-login.php?action=rp&key=XXX&login=USERNAME and functions as normal with a native wordpress password reset page.

Any idea on how to remedy this?

• This reply was modified 4 years, 3 months ago by burtmacklin.

I am using PM Pro version 2.4.4 and I am still getting the same issue, whenever a customer wants to reset the password, he receives an email containing a reset password link. When he clicks on the link a page opens asking for a new password but when the new password is entered there comes an error saying “Your reset password key is invalid.”
I tried deactivating the plugin and then resetting the password, it works fine after deactivating the PM Pro plugin.
The link generated looks like this: https://mysite.com/account/?action=rp&key=XXXXX&login=username

I have the same issue and have discovered that the move login plugin (changes the location of wp-login.php) is the culprit. I have found through a lot of logging and testing that moving the login is essential for mitigating the effects of brute force attacks on my server so hopefully PMP will fix this incompatibility.

• This reply was modified 4 years, 1 month ago by ditchmonkey.

Update to my previous message – while discussing this with PMP we have determined that this problem is only related to plugins that move the login location via .htaccess. Some plugins move the logins via other methods and do work with PMP. However, it should be noted that moving the login using .htaccess is a superior method as it mitigates potential server load problems that result from brute force attacks on the login form. Solution with PMP still pending.

Hi, I’m having an issue using PMP pro where if a user enters the wrong PW they are taken to the Word Press login page rather than getting an error message. If they enter the right PW, they are taken into the site. How do I stop them from being taken to the WP login page in case of a PW error?

Also, how does PMP pro utilize WP Log in- I believe we may be having session consistency issues as well.

Thanks!

I am having the same problem. When I deactivate PM Pro, the error does not occur and the proper password reset screen appears. Please tell me how I can fix this ASAP.

Paid Memberships Pro Version 2.5.2.

https://mnsongwriters.org/login/

Edit: I just disabled the plugin “Better Notifications for WP” (Author: Made with Fuel) and now the Reset Password screen appears! Hooray.

• This reply was modified 3 years, 11 months ago by rschletty. Reason: Solution discovered