AIOS blocking login
-
Recently, I have been having a problem logging in to my site. It redirects me to https://127.0.0.1. I checked with my host, and they suggested it was something to do with brute force attack blocking. At their suggestion I deleted cookies, and that seemed to sort it.
However, having investigated further, Brute Force protection was not even turned on in the plugin! But it must be AIOS that is causing the problem, because now I have deactivated it, I am not now having the problem.
Hi @timboc,
wp-admin being redirected to 127.0.0.1 means you have enabled cookie-based brute force.
You should try accessing with the secret word, so {site_url}?{secret_word}=1. It will save a cookie in your browser for 24 hrs, then again after 24 hrs it will start redirecting to 127.0.0.1 and you can access with {site_url}?{secret_word}=1 only.
If you have enabled it and forgot the {secret_word}, define AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION as true in wp-config.php and try accessing with wp-login.php (or the renamed login page); it will disable the cookie-based brute force.
define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);
Once you have logged in, please go to AIOS > Brute force > Cookie based brute force prevention.
There, check the secret_word and remove the defined constant.
If this is not the case or there is still an issue, let me know.
Hi @hjogiupdraftplus –
As I said, I have NOT enabled cookie based brute force, so none of the above applies. However, it would seem that somehow the plugin is applying it even though it is not enabled.
Further thoughts?
Hi @timboc,
If cookie-based brute force protection is enabled, then only the login page and wp-admin should redirect to 127.0.0.1.
If the site’s frontend, admin, and login page are all redirecting to 127.0.0.1, it means your IP address has been permanently blocked. Are the frontend pages also redirecting to 127.0.0.1?
Do you have a caching plugin enabled? That might be the reason why the frontend pages still appear accessible if not redirected to 127.0.0.1.
You should try accessing the site from another internet connection (with a different IP address) to confirm access. Then, in AIOS > Dashboard > Permanent blocklist, remove your IP address and check the reason it was blocked.
Only the cookie-based brute force protection and the permanent blocklist features cause redirection to 127.0.0.1.
AIOS > Settings > Advanced settings tab has IP address detection settings. There, you may cross-check the right IP address detection, which matches https://whatismyipaddress.com/ IP address.
Regards
Hi @hjogiupdraftplus –
It was allowing me access to the login page, but once I had entered my credentials it then redirected me to 127.0.0.1. At that time, I was able to sign in on a different browser, but still on the same PC. I normally admin with Firefox, so I deleted all cookies in Firefox and it then allowed me to log in successfully. All was then fine for a few days until it did it again.
This time, I simply logged in via a different browser again, and disabled AIOS. Having done this, I could then log in with Firefox. So I am as sure as I can be that although the cookie based brute force is NOT enabled in AIOS (and never has been), it must be AIOS causing the problem.
I currently use WP-Fastest Cache as my caching plugin.
Hi @timboc,
Strange. Which version of AIOS do you use, the latest 5.4.3?
Here the issue of cookie-based brute force occurring after login, not for the login page, seems like it might be that the login page is cached. If this issue reappears:
- Can you disable the cache plugin and check whether the issue is for the login page also?
- If you can, add the constant AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION in wp-config.php, and if it allows you to log in, let me know. The issue might be the cookie not being saved in the browser, or something else we have to identify.
define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);
Regards
Hi @hjogiupdraftplus –
Yes, I am using the latest version 5.4.3. I am currently still logged in, so next time I have to log in and get the problem, I will try what you have suggested and let you know the outcome.
Thanks for your help with this.
Kind regards
Tim
Hi
I’m encountering almost the same issue, except that I can’t visit the login page either. I’ve enabled Cookie based Brute Force detection and it used to work perfectly well for a long time. But after upgrading WordPress to the latest version (6.8.3), it performs completely strangely.
I’ve tried enabling AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION, then I could log in, but setting this variable to False redirects me to 127.0.0.1 immediately.
define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);
I’ve tried to disable Brute Force prevention from inside the plugin settings in the WordPress dashboard, but it looks like adding the above code into wp-config.php makes the save button grayed out.
So as a result, it looks like I should keep that line in my wp-config.php as long as I find a way to reset everything AIOS has done to my website.
Regards
Hi @fani1ofogh,
The constant shown below indicates that Cookie-Based Brute Force Protection is disabled, so you do not need to disable it from the admin panel. If you wish to re-enable it after logging in, you should remove this constant from the wp-config.php file.
define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);
Once you have logged in after adding the AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION constant to the wp-config.php file, you can test the secret word by visiting the URL {siteurl}?{secretword}=1. This should set the required cookies.
After that, remove the AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION constant and, after logging out, verify that the login works correctly.
After 24 hours, you should again use {siteurl}?{secretword}=1 to access the login page.
Hi, when I try to log in to my site with “/wp-login.php” I get the message “access denied”. I am not redirected. How can I get my access back? Some settings of AIOS may be wrong but I cannot try out which ones because of no access.
Thanks for help!
Hi @gcgc5,
If you try to access the login page and see a 403 “Access Denied” error, it may be because the login allowlist is enabled and the IP address you’re using to access the login page isn’t included in the allowlisted IPs.
define( 'AIOS_DISABLE_LOGIN_WHITELIST', true ); in wp-config.php and try accessing with that login page.
Regards
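Added example, not part of any reply in this thread and not AIOS's own code: the replies above say to remove the recovery constant once access is restored, so this shell check reports which of the two constants quoted in the thread are still set to true in a wp-config.php. The function name and the sample file are assumptions made for illustration, and multi-line block comments are not handled.

```shell
#!/bin/sh
# Added example (not AIOS code): find AIOS recovery constants left enabled.
# The constant names are the two quoted in this thread.
AIOS_RECOVERY_CONSTANTS="AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION AIOS_DISABLE_LOGIN_WHITELIST"

# Hypothetical helper: print each recovery constant that is defined as true
# on an uncommented line of the given wp-config.php.
aios_leftover_constants() {
    config_file=$1
    for name in $AIOS_RECOVERY_CONSTANTS; do
        # First grep drops single-line comments (//, #, /*, *).
        # Second grep matches define('NAME', true) with either quote style
        # and optional spaces, case-insensitively (PHP accepts TRUE).
        if grep -Ev '^[[:space:]]*(//|#|/\*|\*)' "$config_file" |
           grep -Eiq "define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"; then
            echo "$name"
        fi
    done
}

# Constructed sample config: one constant still active, one commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);
// define( 'AIOS_DISABLE_LOGIN_WHITELIST', true );
EOF

leftover=$(aios_leftover_constants "$sample")
if [ -n "$leftover" ]; then
    echo "Protection still switched off by: $leftover"
fi
rm -f "$sample"
```

Any name it prints means the matching protection stays off until that line is removed from wp-config.php.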