WP Login Broke with RS-SSL Update

Hi @mossifer I just set this up on a sandbox on instawp, activated Really Simple SSL with default settings, and enabled all hardening features. Then I tried logging in. This worked without issues.

Currently 800 000 websites have been updated to the latest version, I have had no other reports of a similar issue.

This suggests there is a very specific configuration on your site or server that is causing this.

Do you have Really Simple SSL pro on your site? It includes a “Change login url” feature, if enabled, this would be intended behaviour. Other than this, there is no code hooking in on the login page currently.

Same thing happened here I’m afraid; and, I use minimal plugins. I’ve had techs looking at the general logins refresh issues caused, for hours

• This reply was modified 1 year, 5 months ago by Robert Thorpe.

The issue here is the login page refreshing all the time. Especially on certain browsers. Jennifer, is that the same with you?

@pedalnorth your comments gave me an idea. The redirect has been hardened, using the wp_safe_redirect. I have made a small change, can you try the github version?

https://github.com/really-simple-plugins/really-simple-ssl

If the wp_safe_redirect is causing it, disabling the wp redirect should resolve the issue.

@pedalnorth @mossifer Let me know if that helps! It’s strange, as I can’t reproduce it anywhere, so I can’t check myself if this resolves it.

Hi Roger, and thanks. I’m our non-tech editor, so can you elaborate, as I’m just good with creating words ??

Hi @pedalnorth,

The redirect to SSL was until the last update handled by the wp_redirect function (which is a core wp function) which now has been replaced by wp_safe_redirect (also a core function). This function only allows the redirect if the url to redirect to is listed in the allow list. If not, it redirects to the login page.

To prevent issues with this, the plugin adds both www and non www to the allow list, to ensure there’s no issue. But to prevent users from ending up on the login page, we’ve also changed the fallback url to the site_url.

This has been tested extensively, so not sure what the problem is. But what you’re describing suggests there’s some conflict here. So what I’ve done is to remove the code that adds the fallback URL.

If that helps, I can release this fix.

It may be that you’re using a plugin, or specific setup which conflicts with this change in fallback URL, and that this is why we haven’t encountered this in any of our tests.

It would be great if you can check if this fixes the issue.

• This reply was modified 1 year, 5 months ago by Rogier Lankhorst.
• This reply was modified 1 year, 5 months ago by Rogier Lankhorst.

Hi Roger

Happy to help. Can you message me off-screen, as it will be easier for a non-techie ??

@pedalnorth More specific about how to check this: on the github page, there’s a green “code” button. There you can download a zip file.

Please deactivate Really Simple SSL first (while keeping https). Then install this zip file.

Hi @pedalnorth I can’t message you, but you can mail me at rogier(at)really-simple-plugins.com, then I can talk you through it.

Thanks for helping check this!

@pedalnorth @mossifer The issue seems to occur if a user tries to login from a https://www.domain.com/wp-admin url, on a site that does not have www in the general settings site_url.

I have reverted the changes to the redirect, which can be found here:
https://github.com/really-simple-plugins/really-simple-ssl

I will release it tomorrow morning. Thanks for helping me find the cause!

I have just released 7.0.5, which uses the previous method of redirection. This should resolve the issue. I’ll mark this thread as resolved, if you run into any issues, let me know.

Thank you for reporting the input, and for helping me track down the cause. This is what makes open source work.

I want to publicly add, how utterly fantastic that Rogier and Really Simple SLL have been in this issue. It’s easy for us all to forget, that WP is created and kept alive by people like Rogier, who believe in open source. However, that means that on occasions, we need to actively support these amazing people.

Rogier has gone out of his way to help on this issue, resolved it, and will I know be working hard in the future, to ensure that Really Simple remains at the forefront of WP functionality.

In a world where choas often reigns – especially in the online world – without this plugin and people like Rogier, it would all fall apart. Our site has used RSSSL for some time, and will continue to do so for many years, as we share the ethos of open source information for everyone.

Thanks Rogier, and well done.

Robert ??

I second Robert Thorpe’s accolades. Thank you for your quick attention to this bug!