• I chose All In One Security because of the reviews and have since installed on most of my sites without hesitation despite the slow admin setup. Import only works on previously setup site. The most recent update (Aug/Sep 2022) has made the login lockout a permanent lockout. I can’t login and can’t change the settings. The only way I have been able to access the sites was to disable the plugin by changing the folder name. Otherwise no admin access. Not sure when this will be resolved but I have paying customers and have a huge mess to clean up. Thanks AIO WP security for testing your code prior to release.

    Update: I received quick feedback from the company and apparently it’s a feature that wasn’t working on non-apache servers which is now working on the recent release. This will probably resolve my issue however I had to react quickly to customer support requests and have moved some sites to a new security plugin. As a result I am seeing better site performance on those sites as a benefit so unlikely that I will switch back at this point.

    • This topic was modified 2 years, 5 months ago by buildmeo. Reason: Update from supplier
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor Prashant Baldha

    (@pmbaldha)

    @buildmeo

    We apologise for the inconvenience you faced.

    I have not seen you have an open support thread in the WordPress support thread.

    It looks like you have enabled the cookie-based brute force protection Admin Dashboard > WP Security > Brute Force > Cookie Based Brute Force Protection as indicated in the screenshot https://nimb.ws/Wmih07 in the past.

    This feature wasn’t working for non-apache servers before the AIOS 5.0.0 release. From the AIOS 5.0.0 release, it is working for all server types. I think you are facing the issue on sites that are hosted on non-apache servers like nginx, litespeed, or IIS.

    Resolution:

    If you remember the secret word, please browse the URL example.com?secretword=1 and you will be redirected to the admin login screen.

    If you don’t remember the secret word, then open the database from PHPMyAdmin, select the options table and search for the aio_wp_security_configs option name, copy the option_value field, paste it on https://www.unserialize.com/ and unserialize it. You should find the aiowps_brute_force_secret_word string and find the value of it, and do as described above.

    Let me know whether you are able to access your admin dashboard or not.

    We will give the constant to disable the cookie-based brute force protection in the future release. You have to just define the constant value in the wp-config.php file and you can browse the admin login screen without cookie-based protection.

    We will surely test thoroughly before releasing the plugin. We are very thankful for your suggestion.
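
The lookup described in the reply above can be done offline instead of pasting the option value into a third-party site, since the serialized settings contain the secret word itself. This is an added example, not code from the thread or from the AIOS project; the script name, the function name and the sample array are assumptions, and only the option name `aio_wp_security_configs` and the key `aiowps_brute_force_secret_word` come from the thread.

```php
<?php
// Added example (not AIOS code): decode the aio_wp_security_configs
// option_value locally and print only the secret word.
// Usage: php aios_secret_word.php option_value.txt
//   where option_value.txt holds the option_value copied from phpMyAdmin.

/**
 * Return the cookie brute-force secret word from a serialized option_value,
 * or null if the input is not a serialized array or the key is missing/empty.
 */
function aios_secret_word(string $serialized): ?string
{
    // allowed_classes => false: never instantiate objects from database
    // content, which rules out PHP object injection during recovery.
    $config = @unserialize(trim($serialized), ['allowed_classes' => false]);
    if (!is_array($config)) {
        return null;
    }
    $word = $config['aiowps_brute_force_secret_word'] ?? null;
    return (is_string($word) && $word !== '') ? $word : null;
}

if (isset($argv[1])) {
    $input = file_get_contents($argv[1]);
    if ($input === false) {
        fwrite(STDERR, "Cannot read {$argv[1]}\n");
        exit(1);
    }
} else {
    // Constructed sample in the same serialized format, used when no file
    // is given. 'some_other_setting' is a hypothetical key.
    $input = serialize([
        'some_other_setting' => '1',
        'aiowps_brute_force_secret_word' => 'constructed-sample-word',
    ]);
}

$word = aios_secret_word($input);
if ($word === null) {
    fwrite(STDERR, "Secret word not set or option_value is not a serialized array\n");
    exit(1);
}
echo $word, PHP_EOL;
```

A non-zero exit with the "not set" message corresponds to the case where no secret word was ever configured; delete the exported `option_value.txt` afterwards, because it holds the full plugin configuration.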

    Plugin Contributor Prashant Baldha

    (@pmbaldha)

    @buildmeo Quick solution to overcome the issue: In the AIOS 5.0.4 release, we have given a feature that you can disable the brute force login prevention by adding the below code line in the wp-config.php file:

    define( 'AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true );

    And then try to browse the login page.

    Let me know what will happen on your end.

    Thread Starter buildmeo

    (@buildmeo)

    Thank you but adding that line to the wp-config.php does not resolve the issue. Neither does adding the secret word to the url. Still getting pushed to localhost 127.0.0.1.

    Plugin Contributor Prashant Baldha

    (@pmbaldha)

    It looks like you have installed WordPress core files in its own directory wp as described on https://www.ads-software.com/support/article/giving-wordpress-its-own-directory/#method-ii-with-url-change.

    If you renamed the login page, the login URL is https://xxx.eu/wp/wp-login.php. You have renamed your login page, so your login URL is https://xxx.eu/wp/abcd.

    We have received the support ticket https://www.ads-software.com/support/topic/rename-login-breaks-logout-funtion-host-set-to-wp_home/, so we have fixed it.

    Technical explanation:
    Before the AIOS 5.0.0 version, the renamed login page URL was prefixed with home_url(), but it was an issue. Even the wp_login_url() function returns a URL that begins with site_url(). Reference: https://developer.www.ads-software.com/reference/functions/wp_login_url/

    We hope you understand it.

    Thank you for reaching out to us.

    Plugin Contributor Prashant Baldha

    (@pmbaldha)

    We have resolved the issue in the AIOS 5.07 version that is released today.
    Thank you!

    I am currently locked out of my admin dashboard. I didn’t set a secret word, only enabled cookie based brute force attack and renamed the login page.
    Now I can’t even disable the plugin via ftp as it is hidden. Tried forcing to show hidden files but to no avail. I can confirm the issue is still present. What should I do?

  • The topic ‘Recent Update has me Locked out of 40 different sites’ is closed to new replies.