Ian MP

Hi Andrew,

I’m not sure what AIO will say (I’m a user) but I have it successfully working with WP 6.6.2 / PHP 8.0.30. No issues so far. Perhaps a plugin clash somewhere?

Regards

Hello again,

Apologies for the delay in replying, but it took some time to pin this down. Deactivating all plugins and activating them in turn cleared the problem. However, once all were active again the problem re-occurred, as did some other odd behaviors.

Ultimately (although not conclusively) I have tracked the problem down to two plugins: ‘WP Hide & Security Enhancer PRO’ and ‘WP Fastest Cache’.

WP Hide has always been difficult, given the amount or re-writing it does at the front-end. It does also have a functionality similar to your own but I leave it turned off as it still allowed access to ‘login’ as a url, redirecting to the hidden alternative (something I DID NOT want!). For the moment it is still deactivated, pending further investigation.

As for the second one, WP Fastest Cache, I’ve used for some time with no problems (to a point where I have paid for the premium), but of late it has been breaking pages, especially when JS or CSS pages are minified or encoded. I changed to WP Super Cache and now, not only have all problems gone away, but I’ve actually got a much faster site, earning an impressive 93% performance on GTmetrix.

So, my faith has been restored in ‘WPS Hide Login’ and my apologies for the panic. Once again, ‘WPS Hide Login’ is protecting my login / admin pages!

Regards,

Excellent, many thanks!

I reported this issue 4 months ago and sadly it has not been replied to. See the following thread:

https://www.ads-software.com/support/topic/error-report-error-on-login-with-email-as-username/

No, the developer has not responded. From what I can see, there has been no response to ANYBODY for at least 4 months. However, he does appear to be still active as I received a response from him within two days when I informed him that I could not access his demo site as his SSL certificate had expired.

I have now decided to drop ‘Login with AJAX’ in favour of the similarly named free ‘AJAX Login’ (also available on www.ads-software.com). It does not have 2FA built-in but it can be paired with ‘Wordfence login Security’ (a subset of the full ‘Wordfence Security Firewall’), which offers a very flexible 2FA, also free on www.ads-software.com. I have been testing both, these past few weeks, and so far everything works fine. I don’t yet know what the ‘AJAX Login’ support is like but I will post an update on that plugin page in due course.

I’m really sorry ‘Pixelite’ but a major bug on an otherwise excellent login plugin is just too much of a risk to take on a membership site.

As an alternative, I have created a modal login using Kadence blocks and Profile Builder (Cozmoslabs). Not ideal, but it works and at least it is supported, both by Kadence and by Cozmoslabs!

Sadly, no, the developer seems to have abandoned this plugin. I have also raised a well documented bug, which has equally been ignored. An excellent plugin, but without active support, using it in a live environment is extremely dangerous. What a pity.

OK, firstly let me say out straight – I think this is a BRILLIANT plugin! I have long searched for a clean login option where I could do away with a dedicated login page (and therefore eliminate one more target for bots) and this plugin fits the bill perfectly. I have already incorporated it into my site (in beta) and will be using it live if I can resolve this issue.

Alright: clearly, as most people have found out, you CAN login with an email, instead of a username without any problems. SO, a bit more explanation is needed. There is ONE occasion when you cannot use an email address: if 2FA is turned on and only ONE 2FA is activated then, if a user who has NOT setup their 2FA and tries to login with an email instead of a username, the above error appears.

Let me explain. Here is the result of a detailed test.

Believe it or not, there are actually 96 different scenarios to logging in, calculated as follows: 6 templates and 4 2FA options (none, plus 3 options), which equates to: (6×1) [no 2FA] +(6×3) [choice: 1, 2, or 3] +(6×3) [choice: two set = 1+2, 1+3, or 2+3] +(6×1) [choice: all three] = 48×2 (username or email) = 96.

In 95 of the above scenarios, you can log in with either a username or email address: in ONE of these occasions, (where a User tries to login with their email address when 2FA is turned ON with just ONE option but the User has not setup their 2FA) the error will occur. If this happens then the plugin skips 2FA and redirection, and the code jumps to line 226 in login-with-ajax.php, which says as follows:

” ‘error’ => ‘Invalid nonce or user supplied.’, // not translated as this is a bug and edge (if at all) ” [sic]

I have tested each of the above 96 scenarios on two sets of browsers, Mozilla-based (including Firefox) and Chrome-based (including Microsoft Edge). I have not tested on an Apple Mac as I don’t have one. The above error is repeatable in that single circumstance described.

I think that, based on the comment the developer has entered in line 226, this is a known bug but that a user is not expected to get here. Hopefully now however, as the circumstances in which this CAN happen has been identified, the error can be addressed so that someone who has the email address and has guessed the password, cannot bypass the 2FA. Sorry, but I’m not a programmer so I cannot say WHY this happens, only show WHEN it happens. I hope this helps.

Just a suggestion, but have you checked the user role setting?

I had a similar problem, with a student being granted access to a lesson, while the “you must be logged in … ” message being displayed also. I transpired that the student had TWO roles set (this can happen if they’re set up manually). I my case they were set as “student” (therefore had access rights) as well as the original standard “User” role (therefore no access rights). Removing the second role of “user” solved the problem.

Hello David, thanks for getting back.

I’m running on a development server, but not a localhost as it has an external URL (for checking https etc). However, I have since installed it on my existing live site ( a simple 4-page static site) and it works fine, although that’s running MySQL and not MariaDB.

To be sure, I tested it on a localhost (with & without your suggested change above but running MariaDB in both instances) and it also worked fine.

So, back to my development site: it seems that the only difference is, while the original sites (live & localhost) were using the GeneratePress theme and running Elementor, my new site is using the Kadence theme with Kadence Blocks. My conclusion therefore is that it is either the Kadence theme or Kadence plugins. However, as both are integral to my site, I can’t disable either without breaking it but it does seem that Kadence is the problem.

Hope this helps.

OK, brilliant. Now I know how to correct it. I have set up my IP in the personal whitelist so hopefully, after it filters through, the problem will have gone away. Thanks again.

Thanks again. And forgive me if I seem to be asking daft questions, but I’m trying to understand what’s happening here. My website’s fine but it seems my own IP is not (the tab only appears when I log on to my public website, which is also our browser homepage here in the office). So, how do I ensure I DON’T get false positives for my IP? DO I need to raise this with my business broadband service provider?

OK, thanks. SO just so we’re clear though, the IP address that is displayed on your page is the IP of the my LOCATION (my Business IP through which I’m logging on), NOT of my website. My website would have the IP of my service provider.

There is no reason why my business IP would be blocked, as it’s new and does not show up in your register, so why the message?

Thanks for that very quick response. I know that my IP is not blocked (I checked on your site through my account).

What I’m concerned about is the appearance of that page to visitors, especially with the word “Blacklisted” as a tab heading. If they see that, they are likely to close the tab (as would if I saw “blacklisted”) before even attempting to read the detail of the page and resolve never to return.

SO my questions still stand: why does the Tab have the title “Blacklisted” and does my site visitors see that page?

I will go through the reinstall as you suggest above, but ONLY if you are saying that this will mean that visitors will then NOT see BLACKLISTED as a tab title.

To start, just so we’re clear, I am a user of Namaste just like you, contributing to this forum. I am not from Namaste itself so I cannot action requests you may make. However, I think it’s important to understand what problems belong to Namaste and which ones are WordPress.
Firstly, regarding breadcrumbs, it is not true that you have to disable them for the rest of your site. There are three main parts to my website and each has its own breadcrumb trails. How you achieve this is through Templates in your theme, which are assigned to post types. So, Namaste uses custom post types for courses, modules and lessons, for which their LMS theme (if you are using it) will have custom templates to match. If you are using a third-party theme and want to change the templates (of have custom templates), you will have to customise the theme yourself if you’re a programmer. If, like me, you’re not a programmer, then you will have to use a Page Builder that supports template building. I use Elementor Pro for this (the free version does not provide this function) but there are others.
Secondly, if I understand correctly what you are saying, when you say you can see “all lessons”, I suspect what you are accessing is the courses / modules / lessons archive pages. Everything you create or add in WordPress is given a unique URL and is grouped within archive pages. This is how WordPress works and there is nothing Namaste or any other vendor can do to change this. What you have to do therefore is lock down or otherwise control access to these archives and this leads me to my last point: security.
To maintain control over your LMS and keep users out of the backend of WordPress, you will need to implement various levels of security. At a basic level, the simplest way is through Namaste itself, where you will specify that only logged-in users (and better still specific users within that) have access to courses. That way, anyone trying to access your courses through the URL outside of your LMS will be told they have to be logged in. This only goes some way towards protecting your site. Even premier LMS plugins like LearnDash will let your users get to the backend of WordPress unless you take action to stop it. The best way to stop this is to use a membership plugin or similar which hides the backend and uses front-end forms/pages for user login / registration / accounts. Other methods include ‘security’ plugins to lock-down your file structure and stop people accessing this directly, and ‘redirection’ plugins that intercept URL requests and redirect them elsewhere.
In addition, if you are uploading files to your site for users to download, they are most likely accessible outside of your website through their direct URL or by direct access to the WordPress media library so consider using a ‘protect uploads’ plugin which will obfuscate your URL and hide your files elsewhere. Namaste itself has a security for uploaded files (assignments etc) but since I don’t use this, I can’t comment. Perhaps Namaste will.
Lastly, regarding Google, the whole point of having a website is for people to find it so you need Google. However, you can use things like SEO plugins which not only boost your Google index but also let you hide certain pages from being indexed. In any event, even if your pages (or more precisely your URL’s) are found, if they are secured, they cannot be accessed.
Hoe this helps. Hood luck with your LMS.