Hi People,
I've got an urgent issue: I run a heavily trafficked membership site and the password request link has stopped working after the update to WordPress 3.7 (3.7.1 and 3.8).
The site has a custom built front end handling of Registration, Login, Forgotten Password and User profiles.
When a user tries to use the forgotten password form everything works fine and the email gets sent to the user, but when the user clicks the key reset link found in the mail they get sent back to our site's backend login (wp-login) and the page includes the error message:
"Sorry, that key does not appear to be valid."
I believe this issue is caused by the updates of WordPress 3.7 and the expiration of password key resets.
wp-login.php:
    /**
     * Filter the life span of the post password cookie.
     *
     * By default, the cookie expires 10 days from creation. To turn this
     * into a session cookie, return 0.
     *
     * @since 3.7.0
     *
     * @param int $expires The expiry time, as passed to setcookie().
     */
    $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
    setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH );
    wp_safe_redirect( wp_get_referer() );
    exit();
    break;
case 'logout' :
    check_admin_referer('log-out');
    wp_logout();
    $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?loggedout=true';
    wp_safe_redirect( $redirect_to );
    exit();
    break;
case 'lostpassword' :
case 'retrievepassword' :
    if ( $http_post ) {
        $errors = retrieve_password();
        if ( !is_wp_error($errors) ) {
            $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : 'wp-login.php?checkemail=confirm';
            wp_safe_redirect( $redirect_to );
            exit();
        }
    }
    if ( isset( $_GET['error'] ) ) {
        if ( 'invalidkey' == $_GET['error'] )
            $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
        elseif ( 'expiredkey' == $_GET['error'] )
            $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
    }
    $lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
I have tried disabling all plugins so I know for a certainty that this is not plugin related.
Here is my page template that handles forgotten passwords:
<?php
/*
Template Name: User Forgotten
*/
?>
<div class="user-container-forgotten">
    <div class="user-form">
        <?php get_template_part('templates/page', 'header'); ?>
        <?php get_template_part('templates/content', 'page'); ?>
        <p class=""><?php _e('Please enter your username or email address. You will receive a link to create a new password via email.', GT_TEXT_DOMAIN ); ?></p>
        <?php if( isset($_REQUEST['error']) ) { ?>
            <p class="message alert alert-error"><?php echo base64_decode( urldecode($_REQUEST['error']) ); ?></p>
        <?php } ?>
        <?php if( isset($_REQUEST['success']) ) { ?>
            <p class="message alert alert-success"><?php echo base64_decode( urldecode($_REQUEST['success']) ); ?></p>
        <?php } ?>
        <label for="user_login"><?php _e('Username or E-mail:', GT_TEXT_DOMAIN ); ?></label>
        <form class="form-inline" name="lostpasswordform" id="lostpasswordform" action="<?php echo site_url('wp-login.php?action=lostpassword', 'login_post'); ?>" method="post">
            <input type="text" name="user_login" id="user_login" class="text text-forgotten" value="" size="20" tabindex="10">
            <input type="hidden" name="redirect_to" value="">
            <button type="submit" name="wp-submit" id="wp-submit" class="btn btn-large btn-primary"><?php _e('Get New Password', GT_TEXT_DOMAIN ); ?></button>
        </form>
        <p class="links-forgotten">
            <a href="<?php echo get_permalink($options['user_login_page']); ?>"><?php _e('Login', GT_TEXT_DOMAIN ); ?></a> |
            <a href="<?php echo get_permalink($options['user_registration_page']); ?>"><?php _e('Register', GT_TEXT_DOMAIN ); ?></a>
        </p>
    </div>
</div>
Have there been any changes in hooks for retrieving passwords since WordPress 3.7?
I would be very grateful if someone could help with an answer that solves my users' password reset issue.
Thanks.
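A security note on the template in this post, as an added example that is not part of the original post or the theme's code: the template echoes base64_decode( urldecode( $_REQUEST['error'] ) ) without escaping, so any markup encoded into the error or success query parameter is rendered in the page. The stand-alone PHP below shows that behaviour beside two hardened renderers; the gt_* function names, the $gt_notice_messages table and the sample input are hypothetical, and inside WordPress esc_html() would take the place of htmlspecialchars().

```php
<?php
// Added example: stand-alone PHP, no WordPress required.
// Function names, the message table and the sample input are hypothetical.

// What the template does today: decode the query value and echo it as-is.
function gt_render_notice_unescaped( $param ) {
    return '<p class="message alert alert-error">'
        . base64_decode( urldecode( $param ) ) . '</p>';
}

// Hardened variant 1: keep free-text messages, but decode strictly and
// escape the result for HTML output.
function gt_render_notice_escaped( $param ) {
    if ( ! is_string( $param ) ) {
        return ''; // e.g. ?error[]=... arrives as an array
    }
    $decoded = base64_decode( urldecode( $param ), true ); // strict mode: false on invalid base64
    if ( false === $decoded ) {
        return '';
    }
    return '<p class="message alert alert-error">'
        . htmlspecialchars( $decoded, ENT_QUOTES, 'UTF-8' ) . '</p>';
}

// Hardened variant 2: pass only a short code in the URL and look the text
// up server-side, so the visitor-supplied value never becomes page content.
$gt_notice_messages = array(
    'invalidkey' => 'Sorry, that key does not appear to be valid.',
    'expiredkey' => 'Sorry, that key has expired. Please try again.',
);

function gt_render_notice_by_code( $code, array $messages ) {
    if ( ! is_string( $code ) || ! isset( $messages[ $code ] ) ) {
        return ''; // unknown code: render nothing
    }
    return '<p class="message alert alert-error">'
        . htmlspecialchars( $messages[ $code ], ENT_QUOTES, 'UTF-8' ) . '</p>';
}

// Constructed sample input: a link encoded into the parameter value.
$sample = urlencode( base64_encode( '<a href="https://example.invalid/">Click here to reset</a>' ) );

echo gt_render_notice_unescaped( $sample ), "\n";                  // the link is rendered as markup
echo gt_render_notice_escaped( $sample ), "\n";                    // the link is shown as plain text
echo gt_render_notice_by_code( 'invalidkey', $gt_notice_messages ), "\n";
echo gt_render_notice_by_code( $sample, $gt_notice_messages ), "\n"; // not in the table: empty output
```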
Arnav Joy answers:
Try this functions.php file:
<?php
@ob_start();
/*-----------------------------------------------------------------------------------*/
/* Load Framework */
/*-----------------------------------------------------------------------------------*/
require_once ( get_template_directory() . '/framework/framework-functions.php' );
/*-----------------------------------------------------------------------------------*/
/* GoodJobs Themes Base Theme */
/* Version: 1.0.0 */
/* Roots: 6.3.0 */
/*-----------------------------------------------------------------------------------*/
/*-----------------------------------------------------------------------------------*/
/* Base Theme Includes */
/*-----------------------------------------------------------------------------------*/
require_once locate_template( '/lib/utils.php' ); // Utility functions
require_once locate_template( '/lib/config.php' ); // Configuration
require_once locate_template( '/lib/cleanup.php' ); // Cleanup
require_once locate_template( '/lib/nav.php' ); // Custom nav modifications
require_once locate_template( '/lib/comments.php' ); // Custom comments modifications
require_once locate_template( '/lib/scripts.php' ); // Scripts and stylesheets
require_once locate_template( '/lib/sidebar.php' ); // Sidebar class
/*-----------------------------------------------------------------------------------*/
/* Load Application */
/*-----------------------------------------------------------------------------------*/
require_once ( get_template_directory() . '/app/app-functions.php' );
/*-----------------------------------------------------------------------------------*/
/* Short codes in widget and no admin bar */
/*-----------------------------------------------------------------------------------*/
add_filter('widget_text', 'do_shortcode');
add_filter('show_admin_bar', '__return_false');
/*-----------------------------------------------------------------------------------*/
/* Locations user meta field on registration form RCP */
/*-----------------------------------------------------------------------------------*/
function pippin_add_location_field() {
    ?>
    <p>
        <label for="rcp_location"><?php _e('Nationality', 'rcp'); ?></label>
        <input name="rcp_location" id="rcp_location" class="text input-xlarge input-block-level" type="text"/>
    </p>
    <?php
}
add_action('rcp_after_password_registration_field', 'pippin_add_location_field');
function pippin_save_location($posted, $user_id) {
    if($posted['rcp_location']) {
        update_user_meta($user_id, 'rcp_location', $posted['rcp_location']);
    }
}
add_action('rcp_form_processing', 'pippin_save_location', 10, 2);
function pippin_add_table_header_footer() {
    ?>
    <th class="rcp-location-col"><?php _e('Location', 'rcp'); ?></th>
    <?php
}
add_action('rcp_members_page_table_header', 'pippin_add_table_header_footer');
add_action('rcp_members_page_table_footer', 'pippin_add_table_header_footer');
function pippin_add_row($user_id) {
    ?>
    <td><?php echo get_user_meta($user_id, 'rcp_location', true); ?></td>
    <?php
}
add_action('rcp_members_page_table_column', 'pippin_add_row');
Millen comments:
No luck with that function.php either Arnav.
Fahad Murtaza answers:
Are you by any chance using theme my login plugin?
Fahad Murtaza comments:
OK, I see you have disabled all plugins and it's a part of the theme only.
Fahad Murtaza comments:
Please provide your functions.php.
Fahad Murtaza comments:
If it's not the plugin (considering ALL your plugins are disabled), it's in your functions.php file.
wp-login.php changes mean you have edited the core. Are you sure nothing else is edited in the core?
Fahad Murtaza comments:
And one more question. Is it a WordPress multisite installation?
Millen comments:
<?php
/*-----------------------------------------------------------------------------------*/
/* Load Framework */
/*-----------------------------------------------------------------------------------*/
require_once ( get_template_directory() . '/framework/framework-functions.php' );
/*-----------------------------------------------------------------------------------*/
/* GoodJobs Themes Base Theme */
/* Version: 1.0.0 */
/* Roots: 6.3.0 */
/*-----------------------------------------------------------------------------------*/
/*-----------------------------------------------------------------------------------*/
/* Base Theme Includes */
/*-----------------------------------------------------------------------------------*/
require_once locate_template( '/lib/utils.php' ); // Utility functions
require_once locate_template( '/lib/config.php' ); // Configuration
require_once locate_template( '/lib/cleanup.php' ); // Cleanup
require_once locate_template( '/lib/nav.php' ); // Custom nav modifications
require_once locate_template( '/lib/comments.php' ); // Custom comments modifications
require_once locate_template( '/lib/scripts.php' ); // Scripts and stylesheets
require_once locate_template( '/lib/sidebar.php' ); // Sidebar class
/*-----------------------------------------------------------------------------------*/
/* Load Application */
/*-----------------------------------------------------------------------------------*/
require_once ( get_template_directory() . '/app/app-functions.php' );
/*-----------------------------------------------------------------------------------*/
/* Short codes in widget and no admin bar */
/*-----------------------------------------------------------------------------------*/
add_filter(‘widget_text’, ‘do_shortcode’);
add_filter('show_admin_bar', '__return_false');
/*-----------------------------------------------------------------------------------*/
/* Locations user meta field on registration form RCP */
/*-----------------------------------------------------------------------------------*/
function pippin_add_location_field() {
    ?>
    <p>
        <label for="rcp_location"><?php _e('Nationality', 'rcp'); ?></label>
        <input name="rcp_location" id="rcp_location" class="text input-xlarge input-block-level" type="text"/>
    </p>
    <?php
}
add_action('rcp_after_password_registration_field', 'pippin_add_location_field');
function pippin_save_location($posted, $user_id) {
    if($posted['rcp_location']) {
        update_user_meta($user_id, 'rcp_location', $posted['rcp_location']);
    }
}
add_action('rcp_form_processing', 'pippin_save_location', 10, 2);
function pippin_add_table_header_footer() {
    ?>
    <th class="rcp-location-col"><?php _e('Location', 'rcp'); ?></th>
    <?php
}
add_action('rcp_members_page_table_header', 'pippin_add_table_header_footer');
add_action('rcp_members_page_table_footer', 'pippin_add_table_header_footer');
function pippin_add_row($user_id) {
    ?>
    <td><?php echo get_user_meta($user_id, 'rcp_location', true); ?></td>
    <?php
}
add_action('rcp_members_page_table_column', 'pippin_add_row');
Millen comments:
No, it is not a multisite installation. This is a normal WordPress installation.
Millen comments:
Nothing is edited in the core.
Millen comments:
Nope.
Fahad Murtaza comments:
OK
In your wp-config.php file, please add new keys. Generate them via
http://api.wordpress.org/secret-key/1.1/
For future references and people looking for similar solutions, more info is copied below:
Setting up your secret keys is easy. All you have to do is to add these lines to the wp-config.php file, right after the other define statements:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
You'll find these lines in the wp-config-sample.php file as well.
These unique phrases should be something long and random. Anything 60+ characters and relatively random will do, it doesn't matter what it is. However, they should each be different. In other words, you need four phrases, not one.
WordPress has created a generator for these lines to assist people in creating good ones. Go to this site, and copy and paste the result into your wp-config file:
http://api.wordpress.org/secret-key/1.1/
Millen comments:
This does not work.
I tried adding new ones to the wp-config.php and also filling in the already existing ones. None of it worked, I'm afraid.
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
/**#@-*/
Millen comments:
I also generated the keys, just to clarify for you:
define('AUTH_KEY', 'P#<-o54wnmo:1YLK;B;2aXD.?tkOHG9[V* 8YE+x~8NrVmS6p_m+q=S/(OI}}A-.');
define('SECURE_AUTH_KEY', '=6H[.Fz)S,QCI7C-47n9yoj;kN|d-A.[QM&EexkX+ZPC$PvEemp O$;}9XThN-_X');
define('LOGGED_IN_KEY', '/UHT14+:hBqF</{T6UK[d`kfkVD i:-_bgG}+PQi~~oPZ%F?0K7/9xcR$6O_$:=A');
define('NONCE_KEY', 'e?uR.6#f6)<aGS5moG5IFCYW}1D9rz-%{]|EJJs-f;3417{Cxk;rgUkfgkIPb^H]');
Just Me answers:
Did you debug the code, check some values to see which route the system is taking in the code?
Millen comments:
I am not very familiar with debugging.
I added this to my wp-config.php:
// Enable WP_DEBUG mode
define('WP_DEBUG', true);
// Enable Debug logging to the /wp-content/debug.log file
define('WP_DEBUG_LOG', true);
I get this message when trying to request my password now... from the /forgotten password page.
Notice: bbp_setup_current_user was called incorrectly. The current user is being initialized without using $wp->init(). Please see Debugging in WordPress for more information. (This message was added in version 2.3.) in /home/gradjobs/public_html/wp-includes/functions.php on line 3049
Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-login.php on line 415
Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-login.php on line 427
Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-includes/pluggable.php on line 896
Millen comments:
this is the debug.log
[05-Jan-2014 10:41:59 UTC] PHP Notice: bbp_setup_current_user was called <strong>incorrectly</strong>. The current user is being initialized without using $wp->init(). Please see <a href="http://codex.wordpress.org/Debugging_in_WordPress">Debugging in WordPress</a> for more information. (This message was added in version 2.3.) in /home/gradjobs/public_html/wp-includes/functions.php on line 3049
[05-Jan-2014 10:41:59 UTC] PHP Notice: Use of undefined constant ‘widget_text’ - assumed '‘widget_text’' in /home/gradjobs/public_html/wp-content/themes/goodjobs/functions.php on line 37
[05-Jan-2014 10:41:59 UTC] PHP Notice: Use of undefined constant ‘do_shortcode’ - assumed '‘do_shortcode’' in /home/gradjobs/public_html/wp-content/themes/goodjobs/functions.php on line 37
[05-Jan-2014 10:43:42 UTC] PHP Notice: bbp_setup_current_user was called <strong>incorrectly</strong>. The current user is being initialized without using $wp->init(). Please see <a href="http://codex.wordpress.org/Debugging_in_WordPress">Debugging in WordPress</a> for more information. (This message was added in version 2.3.) in /home/gradjobs/public_html/wp-includes/functions.php on line 3049
[05-Jan-2014 10:44:02 UTC] PHP Notice: bbp_setup_current_user was called <strong>incorrectly</strong>. The current user is being initialized without using $wp->init(). Please see <a href="http://codex.wordpress.org/Debugging_in_WordPress">Debugging in WordPress</a> for more information. (This message was added in version 2.3.) in /home/gradjobs/public_html/wp-includes/functions.php on line 3049
[05-Jan-2014 10:44:09 UTC] PHP Notice: bbp_setup_current_user was called <strong>incorrectly</strong>. The current user is being initialized without using $wp->init(). Please see <a href="http://codex.wordpress.org/Debugging_in_WordPress">Debugging in WordPress</a> for more information. (This message was added in version 2.3.) in /home/gradjobs/public_html/wp-includes/functions.php on line 3049
[05-Jan-2014 10:44:09 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-login.php on line 415
[05-Jan-2014 10:44:09 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-login.php on line 427
[05-Jan-2014 10:44:09 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-includes/pluggable.php on line 896
[05-Jan-2014 10:44:59 UTC] PHP Notice: bbp_setup_current_user was called <strong>incorrectly</strong>. The current user is being initialized without using $wp->init(). Please see <a href="http://codex.wordpress.org/Debugging_in_WordPress">Debugging in WordPress</a> for more information. (This message was added in version 2.3.) in /home/gradjobs/public_html/wp-includes/functions.php on line 3049
[05-Jan-2014 10:44:59 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-login.php on line 415
[05-Jan-2014 10:44:59 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-login.php on line 427
[05-Jan-2014 10:44:59 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/gradjobs/public_html/wp-includes/functions.php:3049) in /home/gradjobs/public_html/wp-includes/pluggable.php on line 896
Just Me comments:
the "headers already sent" messages could indicate you have empty lines at the top or the bottom of the files involved in this operation.
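On the debug output in this part of the thread, as an added note and example that is not part of the original discussion: with WP_DEBUG set to true, WordPress prints notices into the page by default (WP_DEBUG_DISPLAY), and the log lines say the output that blocked the header calls in wp-login.php started at wp-includes/functions.php:3049, the same line that reports the bbp_setup_current_user notice. Printed messages on a live site also show visitors server paths such as /home/gradjobs/public_html/. The wp-config.php fragment below keeps logging to wp-content/debug.log without printing to the page:

```php
<?php
// Added example for wp-config.php; these lines go above the
// "That's all, stop editing!" comment.

// As posted in the thread: turn debugging on and log to wp-content/debug.log.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );

// Added: keep notices and warnings out of the HTML response, so they cannot
// start output before wp-login.php sends its headers and cookies, and so
// file paths are not shown to visitors.
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );
```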
Hariprasad Vijayan answers:
Hello,
Are you getting 3 (action, key and login) parameters in the password reset link? The password reset link should be like:
http://yoursite.com/wp-login.php?action=rp&key=password_reset_key&login=user_name
Millen comments:
Yes, that's exactly what the password reset link looks like in the received email.
Hariprasad Vijayan comments:
Is there any Suspicious Query Strings filter code in your .htaccess? Can you show your .htaccess file?
Hariprasad Vijayan comments:
Is there any security plugin in your site which enables filtering of suspicious query strings?
Millen comments:
Here is my .htaccess file:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?uploads/wpjobboard/application/(.+) /wp-content/plugins/wpjobboard/restrict.php?url=application/$2 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Millen comments:
"Is there any security plugin in your site which enables filtering of suspicious query strings?"
I do not have any plugins installed right now.
Hariprasad Vijayan comments:
http://codex.wordpress.org/FAQ_Troubleshooting#How_do_I_solve_the_Headers_already_sent_warning_problem.3F
Might be helpful
Millen comments:
Just to clarify, the emails are sent out. It's the actual link that has expired.
Hariprasad Vijayan comments:
Try this,
- switching to the default theme to rule out any theme-specific problems.
- re-uploading all files & folders - except the wp-content folder and wp-config.php & root .htaccess files - from a fresh download of WordPress. Make sure that you delete the old copies of files & folder before uploading the new ones.
Check this : http://wordpress.org/support/topic/login-credentials-and-password-reset-not-working
Hope it will solve the issue.
Please keep complete backup in your local system.
Millen comments:
I am already aware that this is theme related.
I have already switched to Twenty Thirteen and the password request works fine then.
The question is how can I get my current theme's frontend password request to work again?
Hariprasad Vijayan comments:
Do you have a customized page for setting up a new password? (I mean the page that the email link navigates to.) Or does it work on the default WordPress password reset page?