Forgot Password request sends wrong key?

Resolved GraceyS
(@graceys)

11 years ago

Last week I changed the password on two of my wordpress installs. I wrote it down for each one on an index card. I do this pretty much every couple of weeks, crossing out the old one, writing the date down, writing the password down, and then typing it into the password change form.

Today, trying to login it gives me a wrong password notice. On both installs.

I’m pretty sure I typed the right passwords each time. Twice.

So, when I get the second notice that it’s wrong I request a new password and enter my email address (different for each install).

I get the password notice in my email (for both installs), click the link to change it, and get a notice that says “Sorry, that key does not appear to be valid.”

ummm, what? How do I get back in to my installs.

I do have several security options set up – WP Simple Firewall, and am using Cloudflare for both sites.

I have my own IP address whitelisted in both places.

I’ve checked the cPanel files for my hosting and both installs. There doesn’t appear to be anything that shouldn’t be there, so I don’t think I’ve been hacked, although over the last 5 days there have been hundreds of tries.

Cloudflare seems to be blocking the worst (AmazonAWS hosting being used by someone has a bot that tries every few minutes on one of my sites, driving me nuts).

I will check with the Firewall support and with Cloudflare, but the settings are pretty much the same as the last time I logged in okay.

My biggest concern is why the key the wordpress install sends me is considered invalid.

Would really appreciate any help to get back in. Seems I’ve managed somehow to lock myself out.

EDIT: Also, I have the limit login attempts installed. It came with the wordpress install, it isn’t something I installed myself.

I did notice the last time I was logged in and checking login attempts that in that plugin it says I am logging in from a different IP address than my own (which I’m not). I can’t remember the exact wording – it was either logging in from behind a firewall (which isn’t the simple firewall plugin because that had been installed and running for well over a week), or from a proxy (I don’t use proxy sites at all), but I’m wondering if that was from cloudflare after changing the DNS.

I’m wondering if it’s possible to just “delete” the limit login attempts without messing up the install, and if so, what effect it might have on anything else in the wordpress install.

Viewing 4 replies - 16 through 19 (of 19 total)

← 1 2

Thread Starter GraceyS
(@graceys)

10 years, 12 months ago

Thanks again. I didn’t rename the theme yet (was too frustrated last night to do any more, so decided to sleep it off and attack it this morning), but this morning I was able to login to the one site without getting the cookie message.

It’s strange because when I clicked the link to go to my admin panel for that site, it took me directly there, and so I didn’t need to login at all.

I can only assume the cookie was set at one of the many tries yesterday, even though the login page didn’t pick it up and wouldn’t log me in. I don’t get it, but I’m happy to be in to the one at least. I can’t thank you enough.

I’m still getting the cookie message on the other, but the other site didn’t have the plugins folder disabled until quite a while after the first.

Before I try renaming the theme, I’ll wait a bit and see if it resolves too. However, renaming the theme on this site is somewhat less of an issue because there’s nearly no visitors yet to be affected by it. If I have to do it, it wouldn’t bother me nearly as much.

It almost seems like a caching issue, but not a browser one since I did clear the cache several times yesterday and this morning.

The next question on the one I can login to is try and re-enable the plugins. I feel kind of “out there” without some sort of security plugin.

But I assume if I just rename the folder back to plugins, I may experience the login problem all over again. But I don’t know how to re-enable them one at a time when the folder itself is disabled.

Would I go into the plugins-renamed folder, and then rename each individual plugin folder to something else? I assume that would allow me to name the plugins folder back to “plugins” and then rename the plugins one at a time to see what affect each one causes?

I can only guess that if I don’t find out what caused, the same thing could happen again at any time … I’ve rather had enough of those kinds of frights 🙂

Thread Starter GraceyS
(@graceys)

10 years, 12 months ago

Oh … I discovered when I rename the plugin folder, all the plugins are deactivated anyways.

Much easier. 🙂

Thread Starter GraceyS
(@graceys)

10 years, 12 months ago

So I thought I’d pop back in and post the results of my recent problems, in case it helps anyone else out.

It took a while for everything to clear out, but I finally got back into the second wordpress site that I couldn’t access previously.

As it turns out, the issue seemed to be a relationship between using Cloudfare and wordpress, and the “Limit Login Attempts” plugin.

Even disabling Cloudflare didn’t resolve the issue.

Nor did disabling the Limit Login Attempts plugin. On the site I was first able to login, I deleted the plugin entirely, on the second site, I left it in the disabled folder, and renamed it to make sure it wouldn’t run.

I did all the other troubleshooting steps provided above by wslade (whom I couldn’t have managed without) but none of it worked. (It worked to some extent – I no longer got the wrong password notice, but got a notice that my browser didn’t accept cookies.)

I went ahead and completely deleted the Limit Login Attempts plugin entirely from the plugins folder in the cPanel file manager. Immediately after doing that, I was able to get back into the second account without having the cookie error.

Since then, I’ve re-enabled all my other plugins including WP Simple Firewall and Cloudflare and my caching plugins, and everything seems fine.

I did not reinstall Limit Login Attempts (note: Clouflare has been quite good above not letting IPs exhibiting that behaviour even reach the site, and blocking IPs in the Firewall works as well).

As useful as I found the plugin, it isn’t being updated or maintained, and since it really isn’t compatible with updated versions of WP it may no longer be safe to use, or may toss up weird errors (also note: this error may not have been caused by the plugin, but by my own lack of knowledge/experience).

Initially, it worked fine for several months, even though it was not tested on this version of WP, it worked.

The incompatibility issue was one that I probably created myself. It listed my own IP address as a whitelist item, with direct login. Once I changed the DNS to cloudflare, the Limit Login Attempts plugin saw me as accessing it through a proxy firewall, even though I had whitelisted cloudflare’s IPs.

Anyhow, at the moment, I’m just happy to be able to update my sites again.

To wslade – a thousand thanks!

gwierzbicki
(@gwierzbicki)

10 years, 9 months ago

I am not “out there”. I am paralyzed. I can’t sign in (I, too, keep getting “invalid keycode”. I can’t reaxh my dasboaed, widgets etc. because No mattter what I try to follow, I can’t get rid of the blogroll.

My website was set up by gogear publishing when I published my book about four years ago. I have not dealt with them recently.

I’m n0t a computer whiz but I’d like to learn. My wevsite “THUSBOUND.com was straightforward until this blogroll appeared. I am oanicking. I can;t put my essays, stories etc on my site and I can’t read the comments for at least a month now. I need help. I’m happy for the previous commentator who is “able to update sites again but I am also as jealouus as heck. Geraldine Wierzbicki-Roach

Viewing 4 replies - 16 through 19 (of 19 total)

← 1 2

The topic ‘Forgot Password request sends wrong key?’ is closed to new replies.

Forgot Password request sends wrong key?

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics