GraceyS

Hi Paul – thanks for the response. I think maybe “locked out” isn’t quite the right term, but I don’t know what else to call it.

My being locked out doesn’t affect my being able to login to wordpress account and dashboard.

It only involves me not being able to see my site, which is what the weird part is.

I am NOT locked out of being able to login. I can still login to my site’s backend.

I am just not being presented with a visible webpage. It’s just like if you were to visit my site at the url, you get my web page. When this problem occurs, I am not given my web page, but the screenshot I shared with you.

If it were locking me out due to an IP address issue, then wouldn’t I be unable totally to login to my account?

This is what doesn’t make sense.

I’ve taken several screenshots from the plugin settings and uploaded them to this folder. There is the audit trail – the long one is the login attempts, the other short one shows several blacklisted IPs where the connection was killed (I only uploaded part of that list as the balance are just search engines). Along with a couple of others in case you needed to see them.

There is one IP address on the audit trail which seems to make repeated attempts to login – what I don’t understand is why there are so many of them, all at the same time, when I have the attempts limited to a short time frame and a very short number before they are blacklisted.

My own IP address appears on none of the lists, except the whitelist, which probably isn’t necessary since the plugin has a notice at the top of the page that my IP is whitelisted automatically, and it displays the correct IP address.

I’ve also disabled the section on the firewall plugin that monitors plugin changes to see if that will stop it.

It’s entirely possible that I could have some setting wrong, but many of the settings are sort of set at the default level. There is one setting that I just get an error for – “IP Lists Management” (the manage whitelist or manage blacklist one with the two buttons at the bottom of the page). If I click the manage button for either, I just get an error notice with a blank page.

Do you know if I am the only on whose experienced this? If so, it seems as though it’s sort of exclusive to me somehow – my browser settings, my plugin settings or … perhaps the fact that my wp version isn’t updated (there’s a reason I can’t update it).

The plugin has been something of a lifesaver, which is why I don’t want to delete it because of this.

I installed a different security plugin on my other site, but I don’t find it as good as this. I want to use it on both sites, but not until I figure out what I’m doing wrong.

Sorry about the screenshot. I make that blog private because I only use it for uploading stuff. I did make it public in case you need to see it.

[Are you saying you’re being kicked back to the WordPress login screen and the error message is pertaining to your admin access key? Can you quote the exact error message you’re seeing please? A screenshot would be great. (Security Admin Access should never kick you out of WP)]

Yes, that’s exactly what was happening. I don’t recall and can’t get the error message, but it was basically something like “you don’t have a valid access key for simple firewall – enter key”. Which I had not turned on, though there was a key in the box that you would enter a key in. I’m not exactly sure where it was getting the key from. It was from one of the 2 installations I have. (had the same error on the other install, and just had to delete the firewall. Using another currently which I really hate.)

In the intervening time this morning after having read the issue in the other thread, I got to thinking about it, and about wp in general.

I’ve had several accounts over the years – still have several sites on wp.com. The login for any wordpress site I try to access automatically comes up with the login for the free hosted sites. I clear it, and enter my one for either of these 2 installs, and it won’t take it. I have to login from my back-end to make my new passwords for my new installs work.

Sorry, I know that’s a bit out of the firewall issue but it might be related. The “sticky” business, I guess.

Several times I’ve had to use the myPHPAdmin folder on CPanel to actually be able to login to either of these new wp installations. Part of this is due to cloudflare, which I now disable before logging in.

Cloudflare was disabled when the issue happened with the plugin kicking me out.

But I wondered if some of those old passwords were still sitting in Chrome, even though I clean out my cookies using CCleaner fairly regularly.

I went through Chrome and deleted a bunch of old passwords, only retaining the current ones for anything wp.

Then I restarted my browser and logged into my site file manager and deleted the forceOff file from the firewall plugin.

I’ve been able to login without being kicked off twice.

I think it might be an issue with Chrome’s ability to store old cookies and logins almost forever.

I haven’t taken the same steps with the other site using the different security plugin, but either later tonight or tomorrow (on my way to cataract surgery this morning) I’ll reinstall simple firewall and see if it kicks me out or not. If it does, I’ll grab a screenshot and let you know.

Is there anything else you need if it kicks me off? Something I can access through file manager?

I also think the issue I am encountering is quite similar to the one described in this thread:

https://www.ads-software.com/support/topic/login-chrome-and-admin-access-key-broken-in-4110?replies=5

And I also use Chrome.

I really need some help with this please. This has been a great plugin up until a recent automatic update.

Yes, I have already read through the pages related to being locked out. NO, they do not answer this nor do any of the fixes work.

https://icontrolwp.freshdesk.com/support/solutions/articles/3000000959-i-m-locked-out-of-my-own-site-

and

https://icontrolwp.freshdesk.com/support/solutions/articles/3000017219-help-i-can-t-remember-my-admin-access-restriction-key

1. I NEVER enabled this feature, yet there is a key of some sort sitting in the “key box” on this feature page in the plugin.

2. I’ve followed the instructions to upload the forceOff file. This has allowed me to check the settings page in the plugin. (you can’t do that if you simply rename the plugin’s folder since the settings aren’t available that way).

I took a screenshot of the settings on the page for the WordPress Security Admin in the WP Simple Firewall. This is not set to on.

https://myorilliamommy.blogspot.ca/2015/11/simplefw.html

However, whenever I enable or activate this plugin, it is kicking me right out of my WP admin panel before I can do anything else, and the message it’s giving me is that I don’t have an admin access key.

What else would this relate to if not this page in the plugin?

I really would like to get this sorted out please. This has been one of my favourite plugins, and I’d hate to have to use some other security plugin.

I don’t want to have to turn this off in my cPanel file system every time I want to update my site.

Is there some way to edit the code for simple firewall to remove this feature totally?

Also just to note before someone asks, I did not set up a specific user ID for the firewall since I’m the only user on the entire account. I never entered an admin name or password for that function.

Please … somebody … anybody.

HOW can I fix this?

I have no idea what more I CAN do.

I’ve changed the password. It’s not recognized. I’ve done everything suggested in all the other similar threads.

Nothing works.

Alternatives please?

Thanks again. I did turn it off, but it hasn’t helped.

Although I managed to get in the last time, I never did figure out exactly WHY it happened, or exactly what fixed it.

Without knowing that, I was afraid this would happen again, and it has.

At least it recognizes my username and password this time.

I just want to be able to resolve this so it doesn’t keep happening. Spending several days trying to get back into my account every couple of weeks isn’t exactly what I’d like to spend my time doing.

If there weren’t so many images to re-upload, I’d be dumping WP at this stage, and trying something else.

I’m sure it’s probably something in WP – even disabling the theme didn’t help.

So I thought I’d pop back in and post the results of my recent problems, in case it helps anyone else out.

It took a while for everything to clear out, but I finally got back into the second wordpress site that I couldn’t access previously.

As it turns out, the issue seemed to be a relationship between using Cloudfare and wordpress, and the “Limit Login Attempts” plugin.

Even disabling Cloudflare didn’t resolve the issue.

Nor did disabling the Limit Login Attempts plugin. On the site I was first able to login, I deleted the plugin entirely, on the second site, I left it in the disabled folder, and renamed it to make sure it wouldn’t run.

I did all the other troubleshooting steps provided above by wslade (whom I couldn’t have managed without) but none of it worked. (It worked to some extent – I no longer got the wrong password notice, but got a notice that my browser didn’t accept cookies.)

I went ahead and completely deleted the Limit Login Attempts plugin entirely from the plugins folder in the cPanel file manager. Immediately after doing that, I was able to get back into the second account without having the cookie error.

Since then, I’ve re-enabled all my other plugins including WP Simple Firewall and Cloudflare and my caching plugins, and everything seems fine.

I did not reinstall Limit Login Attempts (note: Clouflare has been quite good above not letting IPs exhibiting that behaviour even reach the site, and blocking IPs in the Firewall works as well).

As useful as I found the plugin, it isn’t being updated or maintained, and since it really isn’t compatible with updated versions of WP it may no longer be safe to use, or may toss up weird errors (also note: this error may not have been caused by the plugin, but by my own lack of knowledge/experience).

Initially, it worked fine for several months, even though it was not tested on this version of WP, it worked.

The incompatibility issue was one that I probably created myself. It listed my own IP address as a whitelist item, with direct login. Once I changed the DNS to cloudflare, the Limit Login Attempts plugin saw me as accessing it through a proxy firewall, even though I had whitelisted cloudflare’s IPs.

Anyhow, at the moment, I’m just happy to be able to update my sites again.

To wslade – a thousand thanks!

Oh … I discovered when I rename the plugin folder, all the plugins are deactivated anyways.

Much easier. ??

Thanks again. I didn’t rename the theme yet (was too frustrated last night to do any more, so decided to sleep it off and attack it this morning), but this morning I was able to login to the one site without getting the cookie message.

It’s strange because when I clicked the link to go to my admin panel for that site, it took me directly there, and so I didn’t need to login at all.

I can only assume the cookie was set at one of the many tries yesterday, even though the login page didn’t pick it up and wouldn’t log me in. I don’t get it, but I’m happy to be in to the one at least. I can’t thank you enough.

I’m still getting the cookie message on the other, but the other site didn’t have the plugins folder disabled until quite a while after the first.

Before I try renaming the theme, I’ll wait a bit and see if it resolves too. However, renaming the theme on this site is somewhat less of an issue because there’s nearly no visitors yet to be affected by it. If I have to do it, it wouldn’t bother me nearly as much.

It almost seems like a caching issue, but not a browser one since I did clear the cache several times yesterday and this morning.

The next question on the one I can login to is try and re-enable the plugins. I feel kind of “out there” without some sort of security plugin.

But I assume if I just rename the folder back to plugins, I may experience the login problem all over again. But I don’t know how to re-enable them one at a time when the folder itself is disabled.

Would I go into the plugins-renamed folder, and then rename each individual plugin folder to something else? I assume that would allow me to name the plugins folder back to “plugins” and then rename the plugins one at a time to see what affect each one causes?

I can only guess that if I don’t find out what caused, the same thing could happen again at any time … I’ve rather had enough of those kinds of frights ??

Two sites, and taking the same steps on both because it affected both of them.

I don’t have anything in the ftp folder at all. all my files for wordpress are under the html, and I can access the files through my cPanel.

I didn’t make any changes to the the functions php files. Why would it suddenly be that file?

I’m sort of concerned about what will happen to the public view of my site if I rename theme … won’t the site be a total mess?

Back again.

The login isn’t giving me an “incorrect password” now, and I have you to thank for that at least.

Still cannot login though.

Keeps telling me I have to have my cookies enabled. But, like lots of others, I have.

I tried multiple browsers too.

Researched that, followed several instructions to delete w3tc folders if I had any (don’t use that plugin but did try it, and there were folders there).

Reset all my browsers to default settings, disabling all plugins and extension, clearing the cache, restarted the browser (even tried restarting the computer just in case), adding an exception to the browsers to always accept cookies from the login pages on both sites. Left all plugins and extensions off. Disabled all my browser security from things like antivirus and MalwareBytes.

Also went back in and renamed the plugins folder in wordpress in my file manager so the wordpress plugins would be deactivated..

Still can’t get in.

… at the moment, I don’t have much hair left and I don’t know what else to do.

There are some instructions about commenting out certain lines of code in php files etc. but I’m not experienced enough to start messing with that sort of thing.

Can I just say … I hate wordpress at the moment? I’m sure it’s my own fault somewhere along the line but nobody should have this much trouble with what should be a simple software. Rueing the day I moved off blogger … no control there, but at least is was simple, intuitive, and hassle free.

I’ve used ftp for years. My previous sites were built off line (the first one with notepad and html, lol) and uploaded via ftp.

I’ve discovered several web articles where people have had the exact same problem that I’m experiencing after changing a password. For those the culprit was what I thought it might be as well (“limit login attempts”).

Techs instructed them just to delete the plugin from the plugins folder using either ftp or the file manager, so I may just start with that since it appears that it doesn’t seem to affect anything else, and I still have other security measures in place (WLP Simple Firewall and Cloudflare).

However, I want to make sure my password of June 7th is the right one, so I’m going to make that change in myphpadmin as you suggested, first. Then delete the limit login attempts plugin and try to login.

While I liked that plugin, I’m not sure I’ll install it again since it hasn’t been updated for several years. In the support forum a few complaints are showing there also about people getting locked out suddenly after changing their password.

You’ve been a great help, and very patient. I can’t thank you enough. I’ll post back afterwards and let you know if I managed to crawl back into my sites ??

Thanks so much for all this.

hahaha, actually, I hate it ?? I do troubleshooting in the adsense forum, so some troubleshooting steps are probably just instinct I guess.

So I keyed the password for one account into the decrypter – “no go” there, so it’s as you thought.

Then I used the encrypt option on the page linked here:

https://www.miraclesalad.com/webtools/md5.php

It doesn’t even come close to matching what’s showing in myphpadmin.
Next, I tried the password for the other account, just in cased I’d managed (long shot) somehow to switch them.

It doesn’t match the hash in the account either.

Then, I went back to the first site’s login data on my cards and keyed in the password I’d used before changing it on June 7th.

It didn’t match the hash either. In fact, I checked all the previous passwords, and there is no match with the MD5 hash.

Then, I tried all of that again in this page, just in case:

https://md5decryption.com/

No match.

So, I checked the SHA-1 hash generator and didn’t get any matches with that either.

I noticed all the hash results look a lot different in terms of syntax than what’s showing in myphp admin. The hash results are basically all numbers and lower case letters. In myphpadmin it’s showing characters as well, like $ and others, including a / … and I didn’t think you could use a / when choosing characters for a password.

I not sure what I’m seeing in the password part of the file is an MD5 hash … but I don’t know how to figure out what it is.

I looked at the page where you can edit the password in myphpadmin, and it shows there’s a drop down where you can choose something other than md5.

I’d like to try changing it to the password I set on June 7th and then setting as md5. I’m just afraid I’ll get locked out for 48 hours if I try to login and it won’t let me in again. (just wordpress sites do that because of my security settings, not my cPanel).

I’m sorry to keep bugging you. The only other person I could ask about the database lost his mum this morning and I wouldn’t even think of asking him to look at it.

Thanks so much.

The page you linked for me also mentions getting an MD5 has for your password.

If I were to type my password of June 7th into that, would it generate the same hash as whats listed in the myphp data base, or would it be completely different?

I’m trying to figure out a way to actually check whether or not the password I created June 7th is the same one as the one that’s in the file, because if it is, the question still is why I can’t login, and that’s probably something unrelated to the password.

If it is, no matter what password I change it to, I still won’t be able to login.

Sorry besides being old and dorky, I can be a little anal sometimes. I have a need to fix broken things ?? (also a bit of a control freak).