foykwalla
Forum Replies Created
-
Hi,
Thank you everyone for the assistance and troubleshooting guidance throughout this issue.
After extensive testing, the password reset functionality is now working correctly again on the live site.
The issue affected both WooCommerce and native WordPress password reset flows and was returning:
“This key is invalid or has already been used.”During troubleshooting we tested:
- plugins individually
- default themes
- staging clone
- WooCommerce and native WordPress reset flows
- cache/CDN settings
- LiteSpeed Cache
- wp-config comparisons
- account endpoints
- incognito/private browser testing
- multiple devices and browsers
Interestingly, the staging environment always worked correctly while the live site did not.
During the troubleshooting process, the database connection temporarily crashed and both the live and staging environments briefly showed:
“Error establishing a database connection.”After the database/environment recovered and the site came back online, the password reset functionality started working correctly again on the live site.
Password reset links are now functioning properly across:
- desktop
- incognito/private mode
- different browsers
- mobile devices
At this stage the issue appears to have been related to a temporary environment/cache/session/database inconsistency on the live environment rather than a WooCommerce core issue.
Thank you again for all the help and continued support throughout the investigation.
Hi,
Thank you for the continued assistance and detailed troubleshooting guidance.
At this stage, we have completed extensive testing across both the live site and the staging clone, including:
- disabling LiteSpeed Cache completely
- enabling Hostinger CDN Development Mode and flushing cache
- testing in incognito/private browsing with newly generated reset links
- testing both WooCommerce and native WordPress password reset flows
- testing with default WordPress themes
- testing with plugins disabled and re-enabled individually
- testing with the WoodMart theme restored
- checking WooCommerce template overrides
- checking child theme functions.php
- checking custom snippets and MU plugins
- checking wp-config.php salts/keys
- verifying WordPress Address and Site Address values
- re-saving WooCommerce account endpoints and permalinks multiple times
- testing on a full staging clone of the live site
Current situation:
- the staging clone continues to work correctly, including password reset functionality
- the live environment alone still returns:
“This key is invalid or has already been used.”
An additional important observation is that on the live site the valid reset URL parameters:
?key=XXXXX&id=2328&login=username
eventually become:
?show-reset-form=true&action
before validation fails, while this behavior does not occur on staging.
At this point, we have exhausted nearly all standard WooCommerce, WordPress, theme, plugin, cache, and environment troubleshooting steps we could identify.
Please let us know if there are any deeper WordPress authentication/reset validation checks or environment-specific areas you would recommend investigating further from here.
Thank you again for continuing to investigate this issue.
Hi,
I completed additional testing on the staging site by reactivating plugins one-by-one while testing the WooCommerce password reset flow after each activation.
Results so far:
- the password reset flow continued working correctly throughout the plugin reactivation tests
- I also reverted back to the WoodMart theme on the staging site and the reset functionality still worked correctly
- the reset form opens successfully at:
https://forestaxes.com/staging/my-account/lost-password/?show-reset-form=true&action
One notable observation:
- when WP Mail SMTP was activated on the staging site, password reset emails were no longer being received
- however, this did not reproduce the original “This key is invalid or has already been used” issue
I also tested directly on the live site by temporarily deactivating WP Mail SMTP and testing the lost password flow again. The reset email was generated, but the live site still returned:
“This key is invalid or has already been used. Please reset your password if needed.”
So at this stage:
- the staging site continues to work correctly even after restoring plugins/theme
- the original invalid reset key issue still only exists on the live installation
Please let me know what you would recommend as the next troubleshooting step from here.
Thank you again for the continued assistance.
Hi,
I completed the full conflict test on a staging clone of the live site as requested.
Steps performed on the staging site:
- created a full staging clone of the live installation
- deactivated all plugins except WooCommerce
- activated the default Twenty Twenty-Five theme
- re-saved permalinks on the staging environment
- tested the WooCommerce password reset flow again
Result:
The password reset functionality worked correctly in this isolated environment.The reset link successfully opened the password reset form instead of returning:
“This key is invalid or has already been used.”This means the issue does not appear when only WooCommerce is active with a default WordPress theme on the cloned staging version of the same site/database.
Please let me know what you would recommend as the next best troubleshooting step from here.
Thank you again for your assistance.
Hi,
Thank you for the follow-up.
Here is the Pastebin link containing the WooCommerce System Status Report:
https://pastebin.com/1YTtda8ZHere is the screen recording showing the issue step-by-step:
[https://www.loom.com/share/ac47600ebd0c4b208ec8cf3d9f7aa867]
The recording includes:
- requesting the password reset
- receiving the reset email
- opening the generated reset link
- the resulting redirected URL
- the “This key is invalid or has already been used” error message
Thank you again for continuing to investigate this.
Thank you.
I had already generated and shared the WooCommerce System Status Report earlier via Pastebin/Snipboard along with the screenshots and reset URL behavior. I have now shared the System Status Report again via Pastebin for easier reference.
At this stage, after extensive testing and eliminating:
- theme overrides
- plugins
- code snippets
- security plugins
- caching
- server-level rewrite/CDN behavior
the issue appears increasingly tied to the existing installation database or password reset validation flow itself, especially since a fresh WordPress + WooCommerce installation on the same Hostinger account works correctly.
Thank you again for continuing to investigate this.
Thank you for the detailed response.
I followed the troubleshooting steps you suggested and wanted to share the results.
What I tested:
- Checked the active Woodmart child theme:
- no WooCommerce template overrides exist there
- functions.php only contains the default enqueue styles function
- Checked the main Woodmart theme:
- WooCommerce template overrides do exist under:
woodmart/woocommerce/myaccount/ - I temporarily disabled the entire WooCommerce override folder by renaming:
woodmart/woocommerce/ - The password reset issue still persisted
- WooCommerce template overrides do exist under:
- Checked all custom snippets in the Code Snippets plugin:
- none of the snippets modify:
lostpassword_url
retrieve_password
woocommerce_get_endpoint_url
redirects
login/account behavior
sessions
reset validation - the snippets are mainly checkout/payment related
- none of the snippets modify:
- Checked MU plugins:
- only Hostinger auto-updates plugin exists
- no login/account modifications there
- Deactivated Really Simple Security completely
- purged LiteSpeed cache
- tested in incognito/private browser
- issue still persists
- Re-saved WooCommerce account endpoints
- Re-saved permalinks multiple times
- Cleared LiteSpeed cache repeatedly
- Verified server-level behavior with Hostinger support:
- Hostinger confirmed there are no server-level caching, security, CDN, or redirect rules stripping query arguments from password reset URLs
- According to Hostinger, the issue is likely originating from the WordPress installation itself (theme/plugins/customizations/database)
- Tested using a default WordPress theme:
- same issue persisted
Current behavior:
The reset URL now appears structurally correct, for example:However, WooCommerce/WordPress still immediately returns:
“This key is invalid or has already been used.”Additional important observation:
A completely fresh WordPress + WooCommerce installation on the same Hostinger account works perfectly with password reset functionality using the same SMTP setup and same server environment.At this point, after eliminating:
- theme overrides
- child theme functions
- code snippets
- security plugin interference
- cache/CDN behavior
- SMTP/server issues
- server-level rewrite/caching issues
it increasingly appears the live installation database or user/account data may be corrupted in some way, especially related to password reset key generation/validation or user_activation_key handling.
Additional requested materials:
- WooCommerce System Status Report was shared via Pastebin
- Screenshots/screen recording showing:
- the generated reset email link
- resulting redirected URL
- invalid key message
were also shared via Snipboard.
Thank you again for the assistance.