Hi Josh, two possibilities:

(1) Saved Login that Firefox autofills

(2) Saved cookie for an ongoing (not logged out) session

For #1, you can remove saved logins for sites that are too sensitive, or you can turn off Lockwise (Firefox's built-in password manager) completely. More info starting with this article: Manage your logins with the Firefox Password Manager.

For #2, if you log out of Wordpress when you are done, then your cookie shouldn't let you back in automatically.

Was either of those the answer?

Thanks for these suggestions. Every time I'm done with Wordpress, I log out. It brings me to a screen that says "You are now logged out." It's from this same screen that I then I click "Log into Wordpress" and it brings me directly into my site without asking for a password. So, I don't think #2 is the issue.

Regarding #1, I've never deliberately saved any logins. Would Firefox save them automatically? I hasn't done so for any other website. It's only Wordpress, and it's only started yesterday.

Thanks again. I appreciate your help.

Josh

Hi Josh, it's very difficult to understand how the site would accept a blank login form!

Does it work in a private window or after clearing the site's cookies? Here's what I mean:

Private Window Test

Private windows have a separate cookie jar from regular windows, so even if there is a magic cookie that unlocks the site saved in a regular window, it should not be present in a private window. You can press Command+Shift+p to launch a new private window. (This test assumes that you didn't previously use Wordpress in a private window in the same session, or closed all existing private windows before opening the new one.)

Any difference?

Cookie Test

If you don't mind possibly erasing some preferences, could you erase your cookies on the Login page before trying to log in? You can access them by pressing Shift+F9 to open the Storage Inspector tool. Firefox should list all the cookies relevant to the current page. You can try to be selective here and only remove ones that seem related to logging in while sparing the others.

Any difference?

I had already tried clearing out the cookies. Every time I do that, I need to log in for the first time. After that first log-in, though, it seems to be stored for some reason and it doesn't ask for a password after that. At your suggestion, I tried the private window test. Same thing. I have to log-in initially, but after that I can just go right back into the site after logging out.

That said, I just tried it in Safari and the same thing is happening. Sorry, I should have tried that at first. The rep at Wordpress said he'd never seen this issue and insisted it was the browser. Now, it seems like that must not be the case. Would you agree?

I really appreciate your help. Sorry if I've taken up your time unnecessarily.

Josh

It's a very troubling feature so thanks for sharing your concern. If this is the site, wow, not good. But even though multiple browsers are affected, you might still consider whether:

• there is a third party password add-on installed in both
• both browsers connect through the same proxy server/security filter which may somehow be retaining form information

Thanks. What's the easiest way to check the add-ons and server/security filter?

You can view, disable, and often remove unwanted or unknown extensions on the Add-ons page. Either:

• Command+Shift+a (Windows: Ctrl+Shift+a)
• "3-bar" menu button (or Tools menu) > Add-ons
• type or paste about:addons in the address bar and press Enter/Return

In the left column of the Add-ons page, click Extensions. On the right side, find the "Manage Your Extensions" heading.

Then cast a critical eye over the list below that heading. Any extensions Firefox installs for built-in features are hidden from this page, so everything listed here is your choice (and your responsibility) to manage. Anything suspicious or that you just do not remember installing or why? If in doubt, disable (or remove). For your privacy and security, don't let mystery programs linger here.

External filters are more complicated, but sometimes if you check the certificate for a page you're viewing, it will tell you it was issued by Avast, Kaspersky, ESET, etc., which indicates your local software is a "man in the middle."

Thank you very much. I talked with Bluehost again and it seems that it was a Wordpress plug-in that was doing this, although they weren't sure which one. They just disabled all the plug-ins and the issue was gone.

This information you sent on add-ons and filters is very helpful. I'll check on these just to be safe.

Again, really grateful for your time and help.

Worst plugin ever. I suggest changing your password and checking all the users in case anyone discovered the free entry and made changes. I know I get tons of logins attempts on my blog around the clock, so it's something I'm very sensitive to.

Well, now Bluehost says its their server. First rep insisted it was the browser. Second rep insisted it was the plug-in. Third said it's not a plug-in. It's their server. So, I've lost some confidence in Bluehost. The third rep claimed they've resolved the issue.

At your suggestion, I did change the password. I don't have any other users. So, hopefully, I'm all set now.

Again, I'm grateful for all the help.