hi, you'd need to close all running firefox instances before you attempt to edit SiteSecurityServiceState.txt , otherwise the changes won't have an effect.

I did that, as the instructions on the sites explaining the process were thorough.

Hi Dave, using Forget About This Site should clear cache for the selected host name. Perhaps it would help to clear the entire cache: How to clear the Firefox cache.

Are you sure that no subdomains on your server are sending the strict-transport-security header, even administrative or control panel-related addresses?

I did that, as the instructions on the sites explaining the process were thorough. Cache and history are auto-cleared when browser closes and I have an app that clears everything from my computer including Windows Temp and Log files. There are no sub-domains.

I can load the site, cPanel, webmail, and FTP to the site, but the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.

Eliminated auto-login and filled login in manually with same results.

What bothers me is that even after "remove this site" from History and deleting entry from SiteSecurityServiceState.txt, Firefox still adds it again to SiteSecurityServiceState.txt when I attempt to login again.

I have tried every conceivable idea and still the same results. My next step is to eliminate the site completely, including database, rebuild from scratch, and see if that solves the issue.

Dave Manning said

...the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.

Are you using an HTTPS URL for the site? Because if HSTS is set and you use HTTP, then you shouldn't be able to load anything without an error. And if you are using HTTPS, then I don't think HSTS is your problem.

Does that make sense?

Yes, it is https. The site worked fine until I added the HSTS. I could not login with the HSTS, so I eliminated it and still could not login.

Was HSTS added as a single new line in .htaccess or another config file, or through a control panel/application? Just wondering whether something else might have changed at the same time because as far as I know, HSTS just requires HTTPS and you have that.

By the way, is wp-login working normally in other browsers?

In case there is some Firefox setting or data file that we aren't thinking of, perhaps try:

New Profile Test

This takes about 3 minutes, plus the time to test your sites.

Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.

Click the "Create a New Profile" button, then click Next. Assign a name like July2019, ignore the option to relocate the profile folder, and click the Finish button.

After creating the profile, scroll down to it and click the Launch profile in new browser button.

Firefox should open a new window that looks like a brand new, uncustomized installation. (Your existing Firefox window(s) should not be affected.) Please ignore any tabs enticing you to connect to a Sync account or to activate extensions found on your system so we can get a clean test.

Does wp-login work any better in the new profile?

When you are done with the experiment, you can close the extra window without affecting your regular Firefox profile. (July2019 will remain available for future testing.)

The scenario is:

I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured.

A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning.

On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload".

So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites.

I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary.

Thank you for your time and assistance, jscher2000. Very much appreciated.