• nestorix

    (@nestorix)


    Hi there, I can’t get WP native password protected content (e.g. page) to work when WP Cerber is active. Is this supported?

    Here is the scenario:

    Set a page to ‘Visibility: Password protected’.

    When trying to access the page, WP presents a form inviting the user to type the password. The form will POST to wp-login.php?action=postpass, setting the referrer field to the protected page. I can confirm this is all set properly using the developer tools.

    When WP Cerber is active, the login page does not redirect as it should. I’m stuck at the login page with the location showing wp-login.php?action=postpass.

    Repeating the process when WP Cerber is deactivated, typing the password does show the protected content.

    Totally disabling WP Cerber just for the purpose of adding some protected content doesn’t seem like a good idea. Is this supposed to work? Is it a known limitation?

    Thanks, Campo

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author gioni

    (@gioni)

    Hi!

    Do you use Custom login URL feature? Could you reproduce the issue with the default plugin settings?

    Thread Starter nestorix

    (@nestorix)

    Hi Gioni, thanks for your response. Indeed, I am using a custom login URL. I’m seeing lots of probes to the standard login URL and being able to configure a custom URL is a great feature. That said, removing the custom login URL /does/ fix the issue with the password protected page.

    To clarify, suppose my custom URL is ‘/abc’, then the protected page form will POST to ‘/abc/?action=postpass’. However, instead of redirecting to the protected page, this URL just shows the WP login dialog.

    Plugin Author gioni

    (@gioni)

    Do you use the built-in WordPress protection by enabling Visibility: Password Protected on the page edit screen? I was unable to reproduce the issue.

    Thread Starter nestorix

    (@nestorix)

    Yes, that’s exactly what I did. I can reproduce it on a freshly deployed WP 4.9.4 with the stock theme and no plugins beside WP Cerber: https://marimba.me/dicht/
    Password = “open”. For me, it lands on https://marimba.me/at6yie9x/?action=postpass where https://marimba.me/at6yie9x is the custom URL configured in WP Cerber.

    It works as expected as soon as I remove that custom URL.

    Anything else I can try?

    Plugin Author gioni

    (@gioni)

    That’s weird. Have you tried to use a different browser? Incognito mode?

    1. Enable traffic logging if it’s disabled (Logging mode = Smart).
    2. Try to submit password on the protected page.
    3. Go to the Live traffic admin page.
    4. Find a related log record by entering “postpass” in the “URL contains” field on the Advanced search form.
    5. You should find: “POST HTTP 302 Found” for your request.

    Thread Starter nestorix

    (@nestorix)

    Yes, I’m using incognito mode to prevent it from picking up my session. I didn’t notice any difference between Chrome and Firefox.

    With the custom URL configured, the response is “POST HTTP 200 OK”.

    After removing the custom URL, the response is indeed “POST HTTP 302 Found”.

    There is one other difference: the response details show “Get fields: / action | postpass” in case it works. When the custom URL is active, the “Get fields” section is not present.

    Plugin Author gioni

    (@gioni)

    That means with the custom login URL enabled there is no “?action=postpass” in the password form action URL. Could you check it by viewing the source code of the protected page?

    Thread Starter nestorix

    (@nestorix)

    That was one of the first things I checked, actually, quoting my initial post:

    The form will POST to wp-login.php?action=postpass, setting the referrer field to the protected page. I can confirm this is all set properly using the developer tools.

    When WP Cerber is active, the login page does not redirect as it should. I’m stuck at the login page with the location showing wp-login.php?action=postpass.

    So, the parameter is present in the URL but gets filtered out somewhere.
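The two checks discussed in this thread (does the password form's action URL carry `action=postpass`, and did the traffic log record a 302 with that GET field) can be combined in a short script. This is an added example, not code from any post or from WP Cerber; the function names, the `example.test` host and the sample HTML are constructed, and `post_password` is assumed to be the input name WordPress uses in its password form.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class PasswordFormFinder(HTMLParser):
    """Collect the action URL of every form containing a post_password input."""
    def __init__(self):
        super().__init__()
        self._current = None      # action of the form currently being parsed
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = attrs.get("action") or ""
        elif (tag == "input" and attrs.get("name") == "post_password"
              and self._current is not None):
            self.actions.append(self._current)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def form_keeps_postpass(html):
    """Return (action_url, has_action_postpass) for each password form."""
    finder = PasswordFormFinder()
    finder.feed(html)
    return [(a, parse_qs(urlsplit(a).query).get("action") == ["postpass"])
            for a in finder.actions]

def diagnose(html, status, logged_get_fields):
    """Combine the page-source check with what the traffic log recorded."""
    forms = form_keeps_postpass(html)
    if not forms:
        return "no password form on page"
    if not all(ok for _, ok in forms):
        return "form action lacks action=postpass"
    if status == 302:
        return "ok: password POST redirected"
    if logged_get_fields.get("action") != "postpass":
        return "action=postpass sent by form but not seen by the request handler"
    return "postpass reached the handler but no redirect"

# Constructed sample: protected page source with the custom login URL /abc
SAMPLE_HTML = '''<form action="https://example.test/abc/?action=postpass"
 class="post-password-form" method="post">
<input name="post_password" type="password" size="20" />
<input type="submit" name="Submit" value="Enter" /></form>'''

if __name__ == "__main__":
    # Status 200 and no logged GET fields, as reported with the custom URL active
    print(diagnose(SAMPLE_HTML, 200, {}))
```

A result of "sent by form but not seen by the request handler" matches the symptom reported above: the page source is correct, so the query string is being lost between the browser and the login handler.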

  • The topic ‘WP Cerber breaks password protected content’ is closed to new replies.