WP ‘Reset password’ showing ‘invalid key’

Hi @killjack,

We are sorry to hear about this.

Would you mind sending us a screenshot of the message they are receiving to better understand the situation you are facing? Also, please make sure that you are using the new lost password path, and not the default WP one, which you can find under Change Paths > Login Security > Custom Register Path.

Hey, the default WP new user account email sends a link to user set the password. My link is now going to ‘ghost-login’:

https://prnt.sc/fAvz4aziyGTf

And whenever you click on this link, WP says that the URL is invalid, so asks to generate another link, which will also be invalid.

https://prnt.sc/AlrFnijmpFY8

What you think?

I had seen the key error message, but it looks like the error it says is that the ‘URL is invalid’, which makes sense since ‘ghost-‘login’ is blocked from being accessed by visitors.

I think if I disable some login protection option it should work. But I didn’t want to disable all my login protection.

How strange, it looks like it’s using the admin path and not the forgot password path.

If you have another security plugin for changing the login path, then leave the default paths for login & lost pass in HMWP

Also, you can test on a stage website without other plugins installed and see if the issue is occurring there as well.

But if you have a custom lostpassword, register paths, then those paths should be sent by email and it should work properly, but I believe that something is interfering.

Hi, you’ve misunderstood, this is not a ‘lost password’ email, it is a ‘new account creation’ email, sent as soon as a user creates a new account on the site. It’s the email for the user to set his password for the first time and default WP behavior for this is to send the wp-login default path, and this path is being changed only by your plugin. I don’t use any other security or path-altering plugins.

Do I need to disable my login protection for this to work?

I have a custom public login page on this site for users to login. I’m wondering if it would make sense to change the HMWP login path to my custom login slug or maybe it will show some error or some login security issue.

• This reply was modified 1 year, 2 months ago by killjack.

Thank you for the details, it’s much clear now what is happening.

Would you mind giving it a go but without that public login? Or even better, disable all other plugins besides Hide My WP Ghost and see if the issue is occurring anymore. This will be really helpful to narrow down the cause.

Ok, but I’ll have to make a homolog copy to do these tests, I don’t have it yet.

I just don’t understand how another plugin can be causing this, since it’s happening exactly what it should after the settings I defined in the HMWP, or isn’t it? Is ghost-login supposed to work publicly when WP sends this link to the user?

If I have set HMWP to leave my WP login private and change the default WP login path, so it is obvious that when WP sends the default login link to the user (which your plugin made private) that page will not be accessible, just as is happening.

Can you please explain what should be happening that isn’t? And what can happen if I disable anothers plugin?

• This reply was modified 1 year, 2 months ago by killjack.

We just now tested both HMWP and the registry part. When the call is made on new login with register params, then the account must be created and go to the create a password page.

Please try this “I have a custom public login page on this site for users to login. I’m wondering if it would make sense to change the HMWP login path to my custom login slug or maybe it will show some error or some login security issue.”

It’s probably a compatibility issue when the register call is made.

Also, activate Hide My WP > Advanced > Compatibility > Clean Login.

And not least, did you put the config file on the server and restart Nginx? If so, does Front End Test from Change Paths > Level of Security work?