X
Tap here to go to the mobile version of the site.

Support Forum

Added HSTS then removed it. Now cannot login to website.

Posted

Added HSTS to my website then removed it and now I cannot login to website (WordPress). I have tried all the syuggestions such as...

- removing the entry from SiteSecurityServiceState.txt

- renaming SiteSecurityServiceState.txt to SiteSecurityServiceState.bak

- right-clicking site in History and selecting 'forget this site'

...but Firefox just continually repopulates SiteSecurityServiceState.txt and refuses to allow the login.

I have done each of the above suggestions several times with the same result and I am now frustrated.

Is there some other place this 'lock-out' is stored?

What to do now?

Added HSTS to my website then removed it and now I cannot login to website (WordPress). I have tried all the syuggestions such as... - removing the entry from SiteSecurityServiceState.txt - renaming SiteSecurityServiceState.txt to SiteSecurityServiceState.bak - right-clicking site in History and selecting 'forget this site' ...but Firefox just continually repopulates SiteSecurityServiceState.txt and refuses to allow the login. I have done each of the above suggestions several times with the same result and I am now frustrated. Is there some other place this 'lock-out' is stored? What to do now?

Modified by Dave Manning

Chosen solution

The scenario is:

I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured.

A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning.

On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload".

So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites.

I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary.

Thank you for your time and assistance, jscher2000. Very much appreciated.

Read this answer in context 0
Quote

Additional System Details

Installed Plug-ins

  • Shockwave Flash 32.0 r0

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

More Information

philipp
  • Top 25 Contributor
  • Moderator
5280 solutions 23327 answers

hi, you'd need to close all running firefox instances before you attempt to edit SiteSecurityServiceState.txt , otherwise the changes won't have an effect.

hi, you'd need to close all running firefox instances before you attempt to edit ''SiteSecurityServiceState.txt '', otherwise the changes won't have an effect.
Was this helpful to you? 0
Quote

Question owner

I did that, as the instructions on the sites explaining the process were thorough.

I did that, as the instructions on the sites explaining the process were thorough.
Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8569 solutions 70085 answers

Hi Dave, using Forget About This Site should clear cache for the selected host name. Perhaps it would help to clear the entire cache: How to clear the Firefox cache.

Are you sure that no subdomains on your server are sending the strict-transport-security header, even administrative or control panel-related addresses?

Hi Dave, using Forget About This Site should clear cache for the selected host name. Perhaps it would help to clear the entire cache: [[How to clear the Firefox cache]]. Are you sure that no subdomains on your server are sending the '''strict-transport-security''' header, even administrative or control panel-related addresses?
Was this helpful to you? 0
Quote

Question owner

I did that, as the instructions on the sites explaining the process were thorough. Cache and history are auto-cleared when browser closes and I have an app that clears everything from my computer including Windows Temp and Log files. There are no sub-domains.

I can load the site, cPanel, webmail, and FTP to the site, but the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.

Eliminated auto-login and filled login in manually with same results.

What bothers me is that even after "remove this site" from History and deleting entry from SiteSecurityServiceState.txt, Firefox still adds it again to SiteSecurityServiceState.txt when I attempt to login again.

I have tried every conceivable idea and still the same results. My next step is to eliminate the site completely, including database, rebuild from scratch, and see if that solves the issue.

I did that, as the instructions on the sites explaining the process were thorough. Cache and history are auto-cleared when browser closes and I have an app that clears everything from my computer including Windows Temp and Log files. There are no sub-domains. I can load the site, cPanel, webmail, and FTP to the site, but the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains. Eliminated auto-login and filled login in manually with same results. What bothers me is that even after "remove this site" from History and deleting entry from SiteSecurityServiceState.txt, Firefox still adds it again to SiteSecurityServiceState.txt when I attempt to login again. I have tried every conceivable idea and still the same results. My next step is to eliminate the site completely, including database, rebuild from scratch, and see if that solves the issue.

Modified by Dave Manning

Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8569 solutions 70085 answers

Dave Manning said

...the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.

Are you using an HTTPS URL for the site? Because if HSTS is set and you use HTTP, then you shouldn't be able to load anything without an error. And if you are using HTTPS, then I don't think HSTS is your problem.

Does that make sense?

''Dave Manning [[#answer-1238868|said]]'' <blockquote> ...the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.</blockquote> Are you using an HTTPS URL for the site? Because if HSTS is set and you use HTTP, then you shouldn't be able to load anything without an error. And if you are using HTTPS, then I don't think HSTS is your problem. Does that make sense?
Was this helpful to you?
Quote

Question owner

Yes, it is https. The site worked fine until I added the HSTS. I could not login with the HSTS, so I eliminated it and still could not login.

Yes, it is https. The site worked fine until I added the HSTS. I could not login with the HSTS, so I eliminated it and still could not login.
Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8569 solutions 70085 answers

Was HSTS added as a single new line in .htaccess or another config file, or through a control panel/application? Just wondering whether something else might have changed at the same time because as far as I know, HSTS just requires HTTPS and you have that.

Was HSTS added as a single new line in .htaccess or another config file, or through a control panel/application? Just wondering whether something else might have changed at the same time because as far as I know, HSTS just requires HTTPS and you have that.
Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8569 solutions 70085 answers

By the way, is wp-login working normally in other browsers?

In case there is some Firefox setting or data file that we aren't thinking of, perhaps try:

New Profile Test

This takes about 3 minutes, plus the time to test your sites.

Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.

Click the "Create a New Profile" button, then click Next. Assign a name like July2019, ignore the option to relocate the profile folder, and click the Finish button.

After creating the profile, scroll down to it and click the Launch profile in new browser button.

Firefox should open a new window that looks like a brand new, uncustomized installation. (Your existing Firefox window(s) should not be affected.) Please ignore any tabs enticing you to connect to a Sync account or to activate extensions found on your system so we can get a clean test.

Does wp-login work any better in the new profile?

When you are done with the experiment, you can close the extra window without affecting your regular Firefox profile. (July2019 will remain available for future testing.)

By the way, is wp-login working normally in other browsers? In case there is some Firefox setting or data file that we aren't thinking of, perhaps try: '''New Profile Test''' This takes about 3 minutes, plus the time to test your sites. Inside Firefox, type or paste '''about:profiles''' in the address bar and press Enter/Return to load it. Click the "Create a New Profile" button, then click Next. Assign a name like July2019, ignore the option to relocate the profile folder, and click the Finish button. After creating the profile, scroll down to it and click the '''Launch profile in new browser''' button. Firefox should open a new window that looks like a brand new, uncustomized installation. (Your existing Firefox window(s) should not be affected.) Please ignore any tabs enticing you to connect to a Sync account or to activate extensions found on your system so we can get a clean test. ''Does wp-login work any better in the new profile?'' When you are done with the experiment, you can close the extra window without affecting your regular Firefox profile. (July2019 will remain available for future testing.)
Was this helpful to you?
Quote

Chosen Solution

The scenario is:

I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured.

A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning.

On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload".

So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites.

I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary.

Thank you for your time and assistance, jscher2000. Very much appreciated.

The scenario is: I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured. A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning. On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload". So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites. I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary. Thank you for your time and assistance, jscher2000. Very much appreciated.
Was this helpful to you?
Quote
Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.