• Resolved Erik Harris

    (@eharris)


    I’m stuck in an infinite loop trying to log in, and I have no idea why. If I disable AIO Security, I can log in just fine… but then I lose all of the protections offered by the extension! If I go to my renamed admin page (linked as the page I need help with), no matter what I try to log in as, I get a lightning-fast display of something else, and then I’m redirected back to the log in page.

    This was working fine a week ago, but it’s not working now.

    I created a non-admin user so you can see what I’m talking about. User ID “testuser”, login “Test-user” (without the quotes).

    It doesn’t matter what browser I use (Firefox, IE, Edge, or Chrome), so the problem is definitely server side.

    Any clue what’s causing it and how I fix this without having to delete this extension and go searching for a replacement extension?


Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor wpsolutions

    (@wpsolutions)

    Please do some plugin and theme conflict tests to see which of these is clashing with the aiowps plugin.
    Let me know what you find.

    Thread Starter Erik Harris

    (@eharris)

    The theme hasn’t been changed at all since it was working (or in the last few years).

    I just disabled every plugin except for AIOWPS, and the behavior did not change. The problem seems to be isolated to AIOWPS, or some conflict it’s having with my server (i.e. my host may have done something recently that breaks the login page redirect feature, but I don’t know how to tell if that’s the case).

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    Upon inspection of your server response via the browser dev tools I see that your server is returning a “403 forbidden” response.
    This probably explains why the issue is occurring.

    Maybe something in your .htaccess file is causing the blocking?
    (check to see which firewall rules you have enabled and try a test by removing all .htaccess code except the standard WordPress directives)

    Thread Starter Erik Harris

    (@eharris)

    It’s not something in .htaccess, because if I rename the AIOWPS directory, I can log in just fine. It seems that some change in my VPS configuration during the last 8-9 days has broken AIOWPS’ method of masking the login URL. I’ve submitted a ticket with DreamHost to see if they can help. If not, I’ll have to manually hack the database to disable the URL redirect feature in AIOWPS (or delete it entirely and reconfigure it from scratch, which I’d really rather not do).

    Another site on my server also uses AIOWPS, and is giving me a 404 error for the login page, but it uses the Honeypot protection instead of the secret URL protection, and disabling the plugin did NOT solve that problem. If Dreamhost can’t help me, I’m pretty sure I’m going to have to nuke the AIOWPS .htaccess settings to get back in.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    @eharris – Have you tried turning on debugging to see if you can actually catch what that error is?

    Thread Starter Erik Harris

    (@eharris)

    Mika – I’ve tried running the Firefox debugger, looking at the Inspector, Console, and Debugger tabs, and I’m not seeing anything obvious. I’m also not familiar enough with using the debugger for anything other than inspecting HTML/CSS code to really know how to use it well. If you’re intimately familiar with debugging tools, might you be willing to take a quick look using the URL and login info shared in my original post?

    WPSolutions – DreamHost tech support looked at the page and said that it appears to be just refreshing with no attempt to authenticate, noted a logged error saying the client was denied by the server, suggested deleting something from .htaccess (gonna try that in a minute), and asked if the plugin author had any idea. Here’s the relevant section from the tech support reply:

    When I navigate to ‘https://www.kungfu-silat.com/cimadmin/’ and attempt to
    login it, it looks like it refreshes the pages and does not even try to
    authenticate. I would enter random characters in both the username &
    password field and it would do the same thing. It does not even notify
    the username/password is incorrect. I also watched the error.log every
    time I would try to login at ‘https://www.kungfu-silat.com/cimadmin/’ and
    these were the entries in the error.log:

    [Thu Oct 04 11:42:38 2018] [error] [client] client denied by server configuration: /[server path]/cimadmin, referer: https://www.kungfu-silat.com/cimadmin
    [Thu Oct 04 11:43:17 2018] [error] [client] client denied by server configuration: /[server path]/cimadmin, referer: https://www.kungfu-silat.com/cimadmin/

    These errors are indicating there is a condition in your .htaccess that
    is preventing the authentication. Possibly the following lines in your
    .htaccess is what is preventing authentication?

    44 <Files wp-config.php>
    45 <IfModule mod_authz_core.c>
    46 Require all denied
    47 </IfModule>

    Would it be possible to comment out lines 44-47 to see if that helps? You
    may also want to inquire with ‘all-in-one-wp-security-and-firewall’ as to
    why when their plugin was deactivated, authentication works fine.

    Thread Starter Erik Harris

    (@eharris)

    WPSolutions – I disabled ALL of the AIOWPS items in .htaccess and I was able to log in just fine (disabling just the section suggested by DreamHost tech support–extending to the </Files> marker–did not do anything). Once I logged in, I accepted the offer to add all of the rules back IN to the .htaccess file, and I’m still logged in…

    but now I can’t log out, which appears to be the same problem (logging out just redirects me back to my WordPress dashboard). If I try going to my admin page in a different browser, I can’t log in.

    Thread Starter Erik Harris

    (@eharris)

    I figured it out! I’ve got an always-on FIOS Internet connection, and I had completely forgotten that I set a login IP whitelist on two of my four WP sites.

    It turns out that my IP address changed sometime within the last 3 weeks! In other words, the “problem” is that AIOWPS was working exactly as designed.

    Thanks WPSolutions and Mika for trying to help. It turns out that there was no actual problem all along.
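
The check that would have shortened this thread, as an added example (not part of any post and not the plugin's code): take the client addresses from Apache's "client denied by server configuration" entries and test them against the IP allowlist in .htaccess. The .htaccess fragment, the `<Files wp-login.php>` section, the paths and the addresses are constructed for illustration; `Require ip` and `Allow from` are the standard Apache directives.

```python
import ipaddress
import re

# Constructed .htaccess fragment; the <Files wp-login.php> section is hypothetical.
HTACCESS = """\
<Files wp-config.php>
Require all denied
</Files>
<Files wp-login.php>
Require ip 203.0.113.25
Require ip 198.51.100.0/24
Allow from 192.0.2.7
</Files>
"""

# Constructed error.log lines (documentation addresses, placeholder paths).
ERROR_LOG = """\
[Thu Oct 04 11:42:38 2018] [error] [client 203.0.113.77] client denied by server configuration: /srv/example/cimadmin, referer: https://www.example.com/cimadmin
[Thu Oct 04 11:43:17 2018] [error] [client 198.51.100.9:51514] client denied by server configuration: /srv/example/wp-config.php
"""

ALLOW_RE = re.compile(r"^\s*(?:Require\s+ip|Allow\s+from)\s+(.+)$", re.I | re.M)
# Format as quoted in the thread; the port and the "AHnnnnn:" prefix are optional.
DENIED_RE = re.compile(
    r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] (?:AH\d+: )?client denied by server configuration")

def allowlist(htaccess):
    """Collect addresses and CIDR ranges from the allow directives."""
    nets = []
    for match in ALLOW_RE.finditer(htaccess):
        for token in match.group(1).split():
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # "all", hostnames and partial prefixes are not handled here
    return nets

def denied_clients(log):
    """IPv4 clients that Apache refused, de-duplicated."""
    return sorted(set(DENIED_RE.findall(log)))

def diagnose(htaccess, log):
    """Map each denied client to True if some allowlist entry covers it."""
    nets = allowlist(htaccess)
    return {ip: any(ipaddress.ip_address(ip) in net for net in nets)
            for ip in denied_clients(log)}

if __name__ == "__main__":
    for ip, covered in diagnose(HTACCESS, ERROR_LOG).items():
        print(ip, "allowlisted; look for another rule" if covered
              else "not in allowlist; stale entry likely")
```

A denied client that no entry covers points at an outdated allowlist (for example after a dynamic IP change); a denied client that is covered means some other rule is doing the blocking.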

  • The topic ‘Can’t log in unless I manually disable AIO Security!’ is closed to new replies.