Could Not Validate Security Token

We’re being blocked from accessing https://www.classical-scene.com/xmlrpc.php via cURL which Jetpack requires to function.

When we run:

curl -A "Jetpack by WordPress.com" -is -H 'Content-Type: text/xml' --data '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>' 'https://www.classical-scene.com/xmlrpc.php' && echo

We simply get a blank response.

So you can check your server error logs, that particular test was reported on the server at Thu, 31 Jan 2019 20:09:12 GMT

Unfortunately, blocking XML-RPC is not a great solution for fighting security risks. It’s akin to selling your car because you don’t want it to be stolen.

Your site’s XML-RPC file is kind of like a communication gateway to your site. Jetpack, the WordPress Mobile Apps, and other plugins and services will use this file to communicate to your site. If this is blocked, you will have other issues pop-up down the road for the same reasons.

If you are using any security plugins, please try connecting with those temporarily deactivated. If you don’t have any, or if that didn’t work, I would suggest contacting your hosting provider and asking them to unblock your site’s XML-RPC. The most popular hosting providers out there have managed to find other ways to protect their servers without having to hinder your site and your ability to use services with your WordPress.

If they refuse to make any changes, and if you want to use apps and plugins like Jetpack, I’d suggest looking for a new host. Here are a few hosts we recommend: https://jetpack.com/hosting/

That’s not the problem since I already allowed xml-rpc for Jetpack (it’s was an exception for Jetpack). This came from the AIOWPS plugin. Anyway, I disabled the blocking of XML-RPC completely. So, if you try it again you will see it now works. However, Jetpack is still failing to validate the security token. By the way, the error that you see when Jetpack can’t communicate with the site through xml-rpc is not the same.
Here’s the message you get if it can’t connect:

Jetpack not connected
We were unable to find a Jetpack instance on your site. Please connect Jetpack to your WordPress.com account from within your WordPress admin.

In my case, it’s a different error (can’t validate the security token).

Not being able to validate the security token is just another type of connection error. ??

We’re still getting the empty response on cURL. If you did disable AIOWPS’s xmlrpc.php block, then something else must be blocking us.

I just tried it myself and it worked for me.

https://www.dropbox.com/s/dhri38euurueg87/xmlrpc.png?dl=0

I also tried with curl:

adapti24@usm90 # curl -A ‘Jetpack by WordPress.com’ -d ‘<methodCall><methodName>demo.sayHello</methodName></methodCall>’ https://www.classical-scene.com/xmlrpc.php
<?xml version=”1.0″ encoding=”UTF-8″?> <methodResponse> <params><param> <value> <string>Hello!</string> </value></param> </params> </methodResponse>

The file definitely works fine when viewed in browser, otherwise I would have highlighted that first.

When you ran the cURL, did the server respond with “Hello!” or just a blank response?

The query is specifically designed to return this response if xmlrpc.php if properly accessible:

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <string>Hello!</string>
      </value>
    </param>
  </params>
</methodResponse>

The XML you show is exactly what I got when I issued the Curl command.

<?xml version="1.0" encoding="UTF-8"?> <methodResponse> <params><param> <value> <string>Hello!</string> </value></param> </params> </methodResponse>

I tried it from a different Linux machine (different IP address) and I see the same XML response (with Hello!).

• This reply was modified 5 years, 10 months ago by joneiseman.
• This reply was modified 5 years, 10 months ago by joneiseman.

Hm, very odd, I can’t figure out why we aren’t seeing the same.

Alright, let’s start ruling some things out, starting with the stored data in Jetpack’s settings.

Please try deleting Jetpack specifically from the Plugins section of your blog’s Dashboard.

This will clear out Jetpack’s settings, and it may work properly after a reinstall.

Look at my original post in this thread:

I tried disabling all plugins but Jetpack still cannot connect. I tried uninstalling Jetpack and reinstalling again but that didn’t help. I tried using a really simple .htaccess file with just the minimum needed for WordPress but that also didn’t help.

Whoops, my mistake, thanks for the reminder! ??

Does your server error log report anything on this timestamp? Thu, 31 Jan 2019 23:15:23 GMT

Here’s what I see in the access log:
[31/Jan/2019:17:15:23 -0600] “POST /xmlrpc.php HTTP/1.0” 200 148 “-” “Jetpack by WordPress.com”

Well, that’s good at least. ??

Would you please list the other plugins you’re running?

I disabled all the plugins except for JetPack and GigPress and Classic Editor and I still see the problem.

It still says:
unknown_token: It looks like your Jetpack connection is broken. Try disconnecting from WordPress.com then reconnecting.

Just for the sake of checking, does it work with GigPress temporarily disabled?

I solved the problem. I found the solution here:
https://jetpack.com/support/getting-started-with-jetpack/troubleshooting-tips/

Troubleshooting tip #7 says to go to the WordPress admin panel then go to Jetpack->Dashboard->Connections->Manage Site and then click on Disconnnect. Then go through the setup process.

After doing this the site is connected again.

After making this change I could put back the blocking of xml-rpc from sites other than Jetpack (in AIOWPS) and the connection is still working.

Deleting the plugin and reinstalling did not solve the problem. I wasn’t aware of this method for disconnecting and reconnecting.

• This reply was modified 5 years, 10 months ago by joneiseman.