X
Stuknij, by przejść do witryny w wersji zoptymalizowanej dla urządzeń przenośnych.

Forum pomocy

Added HSTS then removed it. Now cannot login to website.

Wysłano

Added HSTS to my website then removed it and now I cannot login to website (WordPress). I have tried all the syuggestions such as...

- removing the entry from SiteSecurityServiceState.txt

- renaming SiteSecurityServiceState.txt to SiteSecurityServiceState.bak

- right-clicking site in History and selecting 'forget this site'

...but Firefox just continually repopulates SiteSecurityServiceState.txt and refuses to allow the login.

I have done each of the above suggestions several times with the same result and I am now frustrated.

Is there some other place this 'lock-out' is stored?

What to do now?

Added HSTS to my website then removed it and now I cannot login to website (WordPress). I have tried all the syuggestions such as... - removing the entry from SiteSecurityServiceState.txt - renaming SiteSecurityServiceState.txt to SiteSecurityServiceState.bak - right-clicking site in History and selecting 'forget this site' ...but Firefox just continually repopulates SiteSecurityServiceState.txt and refuses to allow the login. I have done each of the above suggestions several times with the same result and I am now frustrated. Is there some other place this 'lock-out' is stored? What to do now?

Zmodyfikowany przez Dave Manning w dniu

Wybrane rozwiązanie

The scenario is:

I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured.

A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning.

On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload".

So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites.

I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary.

Thank you for your time and assistance, jscher2000. Very much appreciated.

Przeczytaj tę odpowiedź w całym kontekście 0
Cytuj

Dodatkowe dane o systemie

Zainstalowane wtyczki

  • Shockwave Flash 32.0 r0

Aplikacja

  • Identyfikator przeglądarki: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Więcej informacji

philipp
  • Top 25 Contributor
  • Moderator
5280 rozwiązań 23327 odpowiedzi

hi, you'd need to close all running firefox instances before you attempt to edit SiteSecurityServiceState.txt , otherwise the changes won't have an effect.

hi, you'd need to close all running firefox instances before you attempt to edit ''SiteSecurityServiceState.txt '', otherwise the changes won't have an effect.
Czy ta odpowiedź okazała się pomocna? 0
Cytuj

Zadający pytanie

I did that, as the instructions on the sites explaining the process were thorough.

I did that, as the instructions on the sites explaining the process were thorough.
Czy ta odpowiedź okazała się pomocna?
Cytuj
jscher2000
  • Top 10 Contributor
8568 rozwiązań 70052 odpowiedzi

Hi Dave, using Forget About This Site should clear cache for the selected host name. Perhaps it would help to clear the entire cache: How to clear the Firefox cache.

Are you sure that no subdomains on your server are sending the strict-transport-security header, even administrative or control panel-related addresses?

Hi Dave, using Forget About This Site should clear cache for the selected host name. Perhaps it would help to clear the entire cache: [[How to clear the Firefox cache]]. Are you sure that no subdomains on your server are sending the '''strict-transport-security''' header, even administrative or control panel-related addresses?
Czy ta odpowiedź okazała się pomocna? 0
Cytuj

Zadający pytanie

I did that, as the instructions on the sites explaining the process were thorough. Cache and history are auto-cleared when browser closes and I have an app that clears everything from my computer including Windows Temp and Log files. There are no sub-domains.

I can load the site, cPanel, webmail, and FTP to the site, but the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.

Eliminated auto-login and filled login in manually with same results.

What bothers me is that even after "remove this site" from History and deleting entry from SiteSecurityServiceState.txt, Firefox still adds it again to SiteSecurityServiceState.txt when I attempt to login again.

I have tried every conceivable idea and still the same results. My next step is to eliminate the site completely, including database, rebuild from scratch, and see if that solves the issue.

I did that, as the instructions on the sites explaining the process were thorough. Cache and history are auto-cleared when browser closes and I have an app that clears everything from my computer including Windows Temp and Log files. There are no sub-domains. I can load the site, cPanel, webmail, and FTP to the site, but the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains. Eliminated auto-login and filled login in manually with same results. What bothers me is that even after "remove this site" from History and deleting entry from SiteSecurityServiceState.txt, Firefox still adds it again to SiteSecurityServiceState.txt when I attempt to login again. I have tried every conceivable idea and still the same results. My next step is to eliminate the site completely, including database, rebuild from scratch, and see if that solves the issue.

Zmodyfikowany przez Dave Manning w dniu

Czy ta odpowiedź okazała się pomocna?
Cytuj
jscher2000
  • Top 10 Contributor
8568 rozwiązań 70052 odpowiedzi

Dave Manning said

...the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.

Are you using an HTTPS URL for the site? Because if HSTS is set and you use HTTP, then you shouldn't be able to load anything without an error. And if you are using HTTPS, then I don't think HSTS is your problem.

Does that make sense?

''Dave Manning [[#answer-1238868|said]]'' <blockquote> ...the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.</blockquote> Are you using an HTTPS URL for the site? Because if HSTS is set and you use HTTP, then you shouldn't be able to load anything without an error. And if you are using HTTPS, then I don't think HSTS is your problem. Does that make sense?
Czy ta odpowiedź okazała się pomocna?
Cytuj

Zadający pytanie

Yes, it is https. The site worked fine until I added the HSTS. I could not login with the HSTS, so I eliminated it and still could not login.

Yes, it is https. The site worked fine until I added the HSTS. I could not login with the HSTS, so I eliminated it and still could not login.
Czy ta odpowiedź okazała się pomocna?
Cytuj
jscher2000
  • Top 10 Contributor
8568 rozwiązań 70052 odpowiedzi

Was HSTS added as a single new line in .htaccess or another config file, or through a control panel/application? Just wondering whether something else might have changed at the same time because as far as I know, HSTS just requires HTTPS and you have that.

Was HSTS added as a single new line in .htaccess or another config file, or through a control panel/application? Just wondering whether something else might have changed at the same time because as far as I know, HSTS just requires HTTPS and you have that.
Czy ta odpowiedź okazała się pomocna?
Cytuj
jscher2000
  • Top 10 Contributor
8568 rozwiązań 70052 odpowiedzi

By the way, is wp-login working normally in other browsers?

In case there is some Firefox setting or data file that we aren't thinking of, perhaps try:

New Profile Test

This takes about 3 minutes, plus the time to test your sites.

Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.

Click the "Create a New Profile" button, then click Next. Assign a name like July2019, ignore the option to relocate the profile folder, and click the Finish button.

After creating the profile, scroll down to it and click the Launch profile in new browser button.

Firefox should open a new window that looks like a brand new, uncustomized installation. (Your existing Firefox window(s) should not be affected.) Please ignore any tabs enticing you to connect to a Sync account or to activate extensions found on your system so we can get a clean test.

Does wp-login work any better in the new profile?

When you are done with the experiment, you can close the extra window without affecting your regular Firefox profile. (July2019 will remain available for future testing.)

By the way, is wp-login working normally in other browsers? In case there is some Firefox setting or data file that we aren't thinking of, perhaps try: '''New Profile Test''' This takes about 3 minutes, plus the time to test your sites. Inside Firefox, type or paste '''about:profiles''' in the address bar and press Enter/Return to load it. Click the "Create a New Profile" button, then click Next. Assign a name like July2019, ignore the option to relocate the profile folder, and click the Finish button. After creating the profile, scroll down to it and click the '''Launch profile in new browser''' button. Firefox should open a new window that looks like a brand new, uncustomized installation. (Your existing Firefox window(s) should not be affected.) Please ignore any tabs enticing you to connect to a Sync account or to activate extensions found on your system so we can get a clean test. ''Does wp-login work any better in the new profile?'' When you are done with the experiment, you can close the extra window without affecting your regular Firefox profile. (July2019 will remain available for future testing.)
Czy ta odpowiedź okazała się pomocna?
Cytuj

Wybrane rozwiązanie

The scenario is:

I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured.

A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning.

On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload".

So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites.

I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary.

Thank you for your time and assistance, jscher2000. Very much appreciated.

The scenario is: I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured. A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning. On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload". So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites. I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary. Thank you for your time and assistance, jscher2000. Very much appreciated.
Czy ta odpowiedź okazała się pomocna?
Cytuj
Zadaj pytanie

Aby odpowiadać na posty, musisz zalogować się na swoje konto. Zadaj pytanie, jeśli nie masz jeszcze konta.