WPS Hide Login and Wordfence conflict

Also with v. 6.0.14 – when you click save changes you just see the ajax spinning/loading without stopping. Previously I thought wordfence said settings saved. Just tested now and after 3 minutes it is still spinning.

I’ve been in contact with plugin developer of WPS Hide Login – he’s logged into this clean install and seen the problem, which he thinks is strange. He’s going do do some more checking but suggested I reach out to you, as you know your plugin better and may know what might be causing this.

Cheers

Are you also using a default theme like twentyfifteen when testing? Sometimes theme authors break ajax unintentionally, which affects Wordfence and some other plugins.

Normally, you still should see the message that settings are saved after a second or so, so that might be related. You can try visiting the ajax URL — if ajax is working, you should get a single “0” on an otherwise blank page:
yoursite.com/wp-admin/admin-ajax.php

Are you using any custom code in your .htaccess file?

I just did the ajax test and it showed 0.

I tested this on a clean install using 2015. (No custom .htaccess code)

I tested this on the test site with plugins and theme installed and it also showed 0. (custom .htaccess code)

I get the same results on both sites.

When you mentioned the ajax spinner, is that when the other plugin is disabled? (It sounds like you can’t log in when both are enabled, but I’m not sure if it’s only the login process, or if you actually get kicked out when enabling both.)

The best way to troubleshoot ajax issues is usually with the javascript console. If you see any error messages on the Console tab, they may help narrow down the issue. It can also be helpful to look at the Network tab — there, you can see how long the ajax requests take, and what they return, which may help as well.

The ajax requests probably aren’t directly related to the redirect to wp-admin not working after logging in though. Is the site multisite? And are the WordPress core files installed in a subdirectory instead of the site root?

Please forgive me, I have combined 2 questions in one. The Ajax spinner is not related to the Wordfence conflict with WPS Hide Login. I only mentioned it because this spinner issue is only new since the recent update.

So the important question is the conflict with WPS Hide Login. I have outlined all issues with this conflict above.

Thanks again

Ok, no problem. It might still be helpful to see the output of the ajax requests that happen when the spinner doesn’t stop, since it is working correctly on our test servers, and other users’ installations.

For the main issue, the other two questions may help also — is your WordPress installation multisite, or a single site? And either way, are the WP core files installed in a subdirectory (like yoursite.com/wordpress/), or just in the root of the site?

I’ve been doing some testing today – and the ajax spinner was just affecting the 1 beta test site I was using. I tested on 3 different sites and it was working fine on them.

Not sure why it kept spinning on the beta site. The only thing I can think of is that I used this site for WP nightly updates before the 4.3 upgrade. Could be related to this some how.

So the next challenge is understanding why WPS Hide Login does not play nicely with Wordfence on a completely clean install.

Really appreciate all your help so far.

Cheers

I tried this again and still can’t reproduce the problem — it works normally for me. I see that WPS Hide Login blocks /wp-admin if you’re not logged in, so there is either something going wrong with the login process, or setting the login cookie.

Do you see anything in your site’s error log file?

And when you get the 404 error after attempting to log in, can you see if you have a cookie for the site, named “wordpress_logged_in_” (followed by a bunch of letters/numbers)?

Also, when installing Wordfence, did you just leave all of the settings at the defaults? And for WordPress itself, is it a regular single-site installation? And using the standard WordPress zip file from www.remarpro.com — or a one-click install provided by a host, or a language-specific WordPress installation?

Hi Matt,

Thanks for getting back to me and testing this out on your server.

This is a completely clean install with the default settings and only the 2 plugins installed/active.

This install is from a one-click install provided by host. So I reckon it might be something to do with this. They also install and activate W3 Cache by default – which I deactivate.

Is it a security measure they might have installed on the server?

What should I ask them to see if it is something in their setup causing this?

Thanks once again.

Ok, that might be the difference. I would ask for anything else they include in their WordPress installations, aside from W3 Total Cache — there can be any number of things that they change, so if I listed a few items, I might miss something unusual that they do.

Two items you can check yourself that they may have changed:
1. Look in wp-config.php, to see if they “include” or “require” additional php files (see what is in those files, if so)
2. Check if there is a directory at wp-content/mu-plugins/ — mu-plugins are loaded automatically and don’t appear in the regular plugin list, though it would add a link that says “Must-Use” above your plugin list

Outside of WordPress itself, you might also ask if they have “mod_security” installed (it’s an Apache module), and if they use any custom rules. There are standard sets of rules, which sometimes cause problems, and anyone can make custom rules — these can block all sorts of things. The host could check mod_security’s audit log to see if your login attempts are being blocked there — if you give them your IP address and date/time/timezone of an attempted login, it should be easy for them to find.

Hope this helps — let us know what you find out.

-Matt R

Great. Thanks for the list of questions to ask/explore.

You’ve been so helpful. I really appreciate your time and efforts.

BTW I really love Wordfence – it’s the one I use and always recommend.

Cheers

Great, let us know how it goes — if there is something unusual that some hosts are starting to do, and it’s causing problems, that is good to know for us, too.

Thanks for the feedback on Wordfence, too!

-Matt R

Hi Matt,

I think I may have found the culprit – Varnish server side.

I’ve been in contact with my host and it worked for them immediately. Then I tested it, turning it on/off – and found that if I activated WPS Login before Wordfence was activated it didn’t work. But if I activated Wordfence first it did work.

Then I changed the login URL name and it didn’t work. I was getting page not found and also the following error:

ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.

I again spoke with my host support team and they said I should try disabling Varnish to see if this was causing issue. I disabled Varnish and it worked on my site with all plugins active straight away.

Once again thanks for all your support.

Cheers
D

Ok, great — glad to hear it’s working now. I have seen other issues caused by using Varnish, but this one was new to me.

-Matt R