Wordfence locked myself out of my WordPress site

Hello wfphil,
everything correct except #2, sentence 2: After renaming the Wordfence directory, Wordfence does NOT send emails saying that I, as s user, have logged in.

Hello Helmut,

Sorry for the delay in replying to you and thank you for the clarification. When Wordfence was deactivated, by renaming the Wordfence plugin directory, you should have been able to login as normal. It is very strange that you are only able to login once all Wordfence files and database tables are removed. I am going to see if any of my colleagues have any insights into what happened for you.

Hello Helmut,

When the Wordfence directoy is disabled as in the example below then your login shouldn’t be restricted at all.

~/wp-content/plugins/wordfence-disabled

When your friend removed the Wordfence database tables and you were able to login this doesn’t make sense to us as the Wordfence tables shouldn’t be affecting the WordPress login admin redirect flow at all.

Can you provide a list of all plugins that you have installed to see if that offers us any clues.

Thank you.

Hello wfphil,
this is the list of my installed and activated plugins:

1&1 WP Assistent | WordPress Setup Wizard | Version 2.1.0 | Von 1&1 Internet SE
Antispam Bee | Version 2.7.0 | Von pluginkollektiv
Autoptimize | Version 2.1.0 | Von Frank Goossens (futtta)
Cache Enabler | Version 1.2.0 | Von KeyCDN
Datenbank bereinigen und optimieren | Version 4.2.1 | Von CAGE Web Design | Rolf van Gelder, Eindhoven, Niederlande
ManageWP – Worker | Version 4.2.16 | Von ManageWP
Scroll to Anchor | Version 0.4.2 | Von Bego Mario Garde
Simple Custom CSS | Version 3.3 | Von John Regan, Danny Van Kooten
SSL Insecure Content Fixer | Version 2.2.3 | Von WebAware
SubHeading | Version 1.8.1 | Von StvWhtly
ThemeZee Toolkit | Version 1.0.5 | Von ThemeZee
Wordfence Security | Version 6.3.5 | Von Wordfence
WP Edit Pro | Version 4.4.2 | Von Josh Lobe
WP Media folder | Version 4.1.1 | Von Joomunited
WP Nav Menu Cache | Version 2.1 | Von oneTarek | Details ansehen
WP Revision List | Version 1.1.5 | Von Pete Nelson (@GunGeekATX)
WP Smush | Version 2.6.2 | Von WPMU DEV
Yoast SEO | Version 4.5 | Von Team Yoast

Thank you for all your efforts!
Helmut

Hello Helmut,

Thanks for the list. I will go through the plugins and see if any of them may be creating a potential conflict.

Hello Helmut,

The only plugin that I could see that could potentially affect the login process would be the “ManageWP – Worker” plugin.

Also which of the plugins did you also disable that had caching capabilities?

Hello wfphil,
it’s the ManageWp-Worker plugin which I use not only to backup my site but also to login securely to my admin dashboard. But I can’t see how this would have a negative effect to the login process combined with Wordfence.

I even contacted ManageWP before I installed Wordfence and they answered: “ManageWP does primarily allow you to manage your websites, and we do have a tool to keep tabs on your website security, it does not prevent possible threats and having plugins such as WordFence is highly recommended. We also recommend that you whitelist all our IP addresses within WordFence settings in order to prevent any interference with our communication to your website.”

As to your question: I disabled these plugins:
Autoptimize / Cache Enabler / Datenbank bereinigen und optimieren.

But I am just asking myself: When installing Wordfence – did I make a mistake, so that I couldn’t login to my own backend again? Is there an option which I should not have choosed, a hook that I should not have set?

At first I had asked me, if I should have whitelisted my own IP adress. But obviously that cannot be so, for most users have often changing IP addresses, and so have I. And I’d like to think that Wordfence normally should not lock out someone who tries to login with the correct password.

So are my thoughts…
Helmut

just fyi; autoptimize does not do any optimization on the backend (wp-admin).

hope you have your access back soon!
frank (ao dev)

Hello Helmut,

You wouldn’t have done anything wrong setting up the plugin. There seems to be a conflict elsewhere. I am sure you are reticent to enable “Login Security Options” again as it took your friend two hours to get you up and running once more.

What you could do is to clone your website and create a staging environment. Once this has been setup you could disable all plugins on the cloned site except for Wordfence and then enable the “Login Security Options“. If this works and allows you to login you can enable the other plugins one by one until hopefully you create the conflict.

@futtta Hello Frank,

Thanks for the feedback. I didn’t suspect your plugin would be the cause but disabling caching plugins is one of our recommendations in situations like Helmut’s to eliminate as many possible causes as we can.

Hello wfphil,
I’m sorry, but I never made up a clone of my website. The plugin ManageWP allows me to clone my website (based on the backups they store every night), mainly for restoring my website in case of having been hacked or to migrate my website to another server. And then there is a third option:

“Create a copy of this site on any server with MySQL database and FTP information.”

Could I now
1. set up a new database and
2. create a new subdomain like test.bibelwelt.de and
3. use the option mentioned above with
4. my existing FTP access code
for cloning my website on my subdomain?

Or is there another – may-be easier – way to clone a website?

I ask that precisely because I don’t want to crash anything… ??

Hello Helmut,

There is a plugin for just this purpose:

WP Staging Plugin

Here is a tutorial that I found that you can use to use the plugin:

How to Avoid Plugins or WordPress Update Breaking Your Site

As a precaution I would make sure that you have a working backup of everything before installing this plugin and embarking on this experiment to find out the cause of your login problem.

Hope this helps.

Hello wfphil,
I installed WP Staging and tried to create a staging environment for my homepage.

But now there is a new problem. The process didn’t succeed, but I got an endless row of (always the same) failure messages which only stopped when I cancelled the whole process:

DB has been cloned successfully
[13-04-2017 15:26:07] Fail: Replacing site url has been failed. DB Error: Table ‘db639225031._qnqpWzxToptions’ doesn’t exist
[13-04-2017 15:26:09] Fail: Replacing site url has been failed. DB Error: Table ‘db639225031._qnqpWzxToptions’ doesn’t exist
[13-04-2017 15:26:11] Fail: Replacing site url has been failed. DB Error: Table ‘db639225031._qnqpWzxToptions’ doesn’t exist
[13-04-2017 15:26:12] Fail: Replacing site url has been failed. DB Error: Table ‘db639225031._qnqpWzxToptions’ doesn’t exist
[13-04-2017 15:26:14] Fail: Replacing site url has been failed. DB Error: Table ‘db639225031._qnqpWzxToptions’ doesn’t exist
[13-04-2017 15:26:17] Fail: Replacing site url has been failed. DB Error: Table ‘db639225031._qnqpWzxToptions’ doesn’t exist
…
and so on… I cancelled the rest.

What I don’t understand: There really is no table “_qnqpWzxToptions” in my database, only “qnqpWzxToptions” without the “_”. (I checked it looking into my MySQL database.) Why does WP Staging try to copy a non-existing table?

Hello Helmut,

It seems that you will have to speak to the WP Staging plugin developers. I see that they are currently active in their support forum. They will be able to help you try to resolve the issues that you are having in setting up your staging site using their plugin.

Hello wfphil,
I talked to the WP Staging plugin developers. They said it’s a bug, and they will try to resolve it.

But now I have the same problem as a month before: I just wanted to login to my admin board with the correct password and didn’t succeed. I didn’t change anything in my homepage or in any plugin, didn’t make any change in Wordfence, but I fot the following mail from Wordfence:

This email was sent from your website “Bibelwelt” by the Wordfence plugin at Wednesday 19th of April 2017 at 10:13:35 PM
The Wordfence administrative URL for this site is: https://bibelwelt.de/wp-admin/admin.php?page=Wordfence
A user with username “hs-14_bw-wp” who has administrator access signed in to your WordPress site.
User IP: 2003:dd:fbc1:1f00:6497:68f3:90d:5924
User hostname: p200300DDFBC11F00649768F3090D5924.dip0.t-ipconnect.de
User location: Giessen, Germany

And I didn’t even enable any “login security options”.

What can I do to login to my admin board again? Can the makers of Wordfence do something about it?

With sad regards
Helmut

Hello Helmut,

Can you email the following please:

1. Root PHP error log. This is in the root directory of your WordPress installation. If you are not sure, it is in the same directory as your wp-config.php file. It is typically named error_log.
2. wp-admin directory PHP error log. It is typically named error_log.
3. Let me know the approximate date and time that the login failed.

Can you also try the following:

When you login try entering this in your browser address bar to see if it loads the WordPress Administration screen https://bibelwelt.de/wp-admin

Disable the ManageWP – Worker plugin as this is the only plugin that I can see that also could have an effect on the login process.

What was puzzling to us before was when you disabled Wordfence by re-naming the Wordfence directory and the problem persisted. If Wordfence was the cause then it should have ceased when Wordfence was disabled. Now with “Login Security Options” disabled I can’t see how Wordfence can be causing this problem at this point.

Please attach the PHP error logs and send to phil [@] wordfence [dot] com. Please put your username, dobby14, in the subject field of the email.

Hopefully we can find some useful information form the error logs.

Thank you.