Login error on first visit when used with Google Authenticator

Hello, thanks for using Force Login!

And thanks for notifying us about a potential conflict with the Google Authenticator for WordPress plugin. However, it seems this issue may reside with the Google Authenticator plugin and not Force Login.

For one thing, their plugin hasn’t been updated in over 2 years.

The issue I have is that with both plugins enabled, on first visit to the site I am getting the error: Invalid username, email address or incorrect password.

The error message you’re seeing is probably coming from when WordPress tries to authenticate the visitor as a logged in user. See code here:
https://github.com/WordPress/WordPress/blob/9c7c11f2688f11f2f0af6927c972e0ceab77f62d/wp-includes/pluggable.php#L532-L538

And the Google Authenticator plugin is hooking onto that authenticate filter here:
https://github.com/julien731/WP-Google-Authenticator/blob/01f5bbfe787c68a00ee05dd2adbe44c486f97d78/includes/class-authenticate.php#L51

Also, Force Login does nothing unless the builtin WordPress function is_user_logged_in() returns false.

I’m going to close this ticket as I believe the issue lies with the Google Authenticator plugin. If you haven’t already, I suggest you contact the creators of that plugin to see if they know what’s going on.

Thanks!

Also, are you using another plugin or was this a mistype and you meant Force Login?

[…] but when I disable Force Members, […]

Hi Kevin,

Thanks for your thorough reply, it is much appreciated! Yes I meant ‘Force Login’ not ‘Force Members’ – sorry for confusion. I am using the Members plugin as well but that’s another story!

I am using Google Authenticator on some other sites, that don’t use Force Login and I’m not getting the issue so I’m sure that this is specific to the combination of the two – what is it specifically about the combination that may be causing it do you think?

Just because it appears to work on other sites without Force Login, does not mean the issue is not caused by Google Authenticator; but only when combined with Force Login is the limitation revealed.

Like I said before, Force Login checks if the user is logged-in (authenticated) using the builtin WordPress function is_user_logged_in() before it does anything.

However, this Google Authenticator plugin is altering how WordPress authenticates a user through hooks & filters.

I suspect the issue has something to do with how Force Login checks if is_user_logged_in() before the page loads –?but there is no fix I could make since Force Login is not what is altering how WordPress authenticates the user.

I’m not sure why this Google Authenticator plugin doesn’t work when the site checks if is_user_logged_in() –?you’ll need to ask them.

I suggest you contact the creators of that plugin to help troubleshoot this issue or try another 2FA plugin that is better maintained as their plugin hasn’t been updated in over two years.

Good luck and thanks for using Force Login!