Multisite privacy password protect site broken

I have password protect site activated for the http://wp2.nyu.edu/test/ and the password is "hello" but this doesn't work since on trying to login in to the site it get's redirected with no data received. I tried this on different servers and installations but it gives the same error on all sites.

  • Web Publishing
    • Design Lord, Child of Thor

    Hi Patrick,

    It works upto the login page only. After this when you try entering the password, it will give you a redirect error. You can try logging into the site using the password "hello". You will be able to reflect the error I am facing. I have tried clearing the cache, using different browsers and different machines as well. But nothing seemed to be working.

  • Patrick
    • Support Monkey

    Hi again @NYU WP

    I hope you are well today!

    Terribly sorry for the delay on this topic. Concerns for family health issues have kept me away from the forums quite a bit lately.

    I just installed and tested on both subdirectory and subdomain installs and the plugin does work as expected on my tests.

    But I just took another look at your site and realize that your main site ( http://wp2.nyu.edu/ ) is a mapped site hosted at WP-Engine, correct?

    That's a configuration with which I have little experience. So I'll need to call in bigger guns to help figure this one out. Shan't be long... :slight_smile:

  • Web Publishing
    • Design Lord, Child of Thor

    Hi Patrick,

    Yes, wp2.nyu.edu is hosted at WP-Engine. But the problem is consistent on another hosting environment of ours also. This is an in-house hosting server here at NYU and password protect site feature breaks the site on all our instances of wordpress.

  • Hoang Ngo
    • Code Slayer

    Hi @NYU WP,

    I hope you are well today and I'm sorry about the issue.

    Your settings are pretty fine. I'm sorry for this inconvenience, but can you please send the access to your site via our contact form, select "I have a different question", this ensures it comes through and gets assigned to me.

    The content will be:
    - Mark to my attention - ATTN: Hoang Ngo
    - Link back to this thread
    - Include admin/network access
    - Include cPanel (I will need to look at the DB so need PHPMyAdmin or similar)
    - Include FTP
    - Include any relevant URLS for your site

    This way i can enable the logs, which will give me more information.

    Thanks and Regards
    Hoang

  • Hoang Ngo
    • Code Slayer

    Hi @NYU WP,

    I hope you are well today and I'm very sorry about the delay.

    We haven't forgot this issue, as you can see when we type the password, the site stopped display the "No Data Received".

    Let me explain the situation, because your site is using wpengine, and I believe they have some hooks run very soon, which make the plugin can not work properly.

    I'm still tracing the bug, and will fix that soon.

    Thanks for your patience.

    Best Regards,
    Hoang

  • Web Publishing
    • Design Lord, Child of Thor

    Hi Hoang,

    I hope someone from the team is still working on this issue.

    I have been trying to work with WPEngine as well to see if they can help in identifying the issue and help fixing it. In order to do so I will appreciate if you could give me more information on the exact situation here of what is causing the issue on the wordpress installation and how does the plugin work technically.

    We would also like to know that where exactly does the plugin store password in the database? Does it store it in the "options" table (example "wp_2_options") of that particular site's tables, under the field "blog_pass"?

  • Hoang Ngo
    • Code Slayer

    Hi @NYU WP,

    I hope you are well today and I'm sorry about the delay.

    I have digging the issue, and many case the WPEngine cache has cause this issue.

    Could you please temporarily turn it off by edit the wp-config.php.

    Please find this line
    define('WP_CACHE',TRUE);

    And update it to
    define('WP_CACHE',FALSE);
    Let see does it help.

    We would also like to know that where exactly does the plugin store password in the database? Does it store it in the "options" table (example "wp_2_options") of that particular site's tables, under the field "blog_pass"?

    Yes, the password is store in table _options, under the fields "spo_settings", as an array. You can get it by

    $settings =  get_option('spo_settings');
    $pass = $settings['blog_pass'];

    If you have any issues please don't hesitate to let us know so we can assist

    Best regards,
    Hoang

  • Web Publishing
    • Design Lord, Child of Thor

    Okay, I tried turning off the Cache, however it still doesn't work. The Site identifies the correct password since if you enter an incorrect password it shows an error Incorrect Password.
    While if you enter the correct password, it throws you back to the password entering page saying Authorization Required to view the blog. However the strange thing I noticed is that when you enter the wrong password the limit login attempts count drops everytime by 1 count. But when you enter the correct password, you get to the same page of asking password and the limit login attempts count drops by 2 counts.

    I checked the database and the password for the blog is stored in the option name "spo_settings" field with the correct password stored in the option value = "a:1:{s:9:"blog_pass";s:6:"hello1";}".

    Just wanted to know does option name "blog_pass" have to do anything with this plugin since it has option value = "<null>"?

  • Hoang Ngo
    • Code Slayer

    Hi @NYU WP,

    I hope you are well today.

    I'm not sure the option name "blog_pass" come from which plugins, but the plugin don't have any option like that.

    The password now working for me, as you can see in my screenshot. Can you please clear your cache, or use another browser for do a quick test ?

    Best regards,
    Hoang

  • Web Publishing
    • Design Lord, Child of Thor

    Hi Hoang,

    Yes, the password protect site works fine now but that was after WPEngine team turned off caching from their end for that particular site on request. We do not have direct access to turn caching on or off for a site on our end.

    I understand this is something with the specific hosting environment and not a plugin issue, however can you try to dig in a little more to fix the issue leaving the caching on, if possible?

    Since we have a service where our users will have to ability to activate and use this plugin feature at their discretion and we wont be able to request WPEngine all the time to turn caching off for particular sites. Also it will affect the site load speed if caching is turned off completely.

  • Hoang Ngo
    • Code Slayer

    Hi @NYU WP,

    I hope you are well today and I'm sorry about the delay.

    Actually, there's noway to disable the cache of WP-Engine. And I has re-enable the cache parameter.

    I also found out that WP-Engine allow you to put a params or url to exclude from the cache. In this case, you can ask them to exclude the parameter "privacy" for prevent caching the password login page.

    Unfortunately, we don't have tools to update that by ourself, this function can only update by WP-Engine guys, so a ticket to them will be necessary.

    Please try this and let us update :slight_smile:

    Best regards,
    Hoang

  • Laura
    • Flash Drive

    Hi @Ashok -- yes, using WPEngine. They were able to put in a fix for specific sites, but unable to make a multisite solution that would not require a ticket and manual fix for every site that wants to use this plugin on my network.

    They asked if I would get in touch with you all to see if there were any updates or other movements on your end -- would you like the contact info of the person I spoke with?

    Thanks!
    Laura

  • Laura
    • Flash Drive

    Hi @NYU WP -- so sorry to hear that news! I'm working with American University's installation of Wordpress for students/faculty/staff, and I'm sure we both need as many privacy options as possible.

    Any way we can unite our university forces together and come up with a solution (or lean on WPMUDev/WPEngine to work something out)?

  • S H Mohanjith
    • Developer

    Unfortunately there isn't anything we can do on the WPMU DEV plugin code side to fix this.

    On CampusPress, our hosting service for universities, we have set cache so it will not cache requests to wp-login.php or at least based on the 'privacy' GET variable. It really is something they will have to be willing to change Multisite wide.

  • Laura
    • Flash Drive

    Hi @NYU WP -- we have a solution!

    You can contact Alexander Shenkar at WPEngine, or refer to my ticket (#246294) and reference install auctrl as an example of how to do it.

    Here is the nginx before rule he added:

    if ( $http_cookie ~* "spo_blog_access" ) {
    add_header X-Type "nocachecookie";
    proxy_pass http://localhost:6789;
    }

    Thanks!
    Laura

  • Web Publishing
    • Design Lord, Child of Thor

    Hi @Michael Bissett, @Laura,

    Thanks for pointing this solution. We will definitely contact wpengine and try to resolve it for us as well using your solution. Thanks for your help.

    Michael, we haven't tried it yet but will update you once done.

    Thanks,
    NYU WP

  • Laura
    • Flash Drive

    Hello again,
    Seems that an update has upset the apple cart again -- this time with Limit Login Attempts (also mentioned on these posts: https://premium.wpmudev.org/forums/topic/bug-in-multisite-privacy-plugin-using-password-option ).

    I've been working with WPEngine on this, and they recommended contacting WPMUdev with the following (Ticket #304930):

    "Unfortunately, it looks like this is also happening in staging, which means that this isn't a caching issue currently.
    I've checked into the history of this and saw that we were able to get this working with some caching exemptions, but unfortunately, that doesn't appear to be the root of the problem anymore.
    In staging, I also disabled all the plugins on the network side and on /facultysenate (except for Multisite Privacy) and the issue persists. I then set the theme to Twenty Fourteen, but this also didn't help. The root of the issue looks like the redirect that this is setting up.
    To help get a better understanding of this, I activated the WordPress Access Control plugin and configured it for /facultysenate to see how this handles the login page and it's not having the same problem.

    I'd recommend contacting the developer to let them know that there is an example of this type of functionality that doesn't conflict with Limit Login Attempts."

    This is in response to the following:

    "Submitting the correct password in Chrome or Firefox will not take me behind the password screen (it also deducts TWO attempts per submission). The issue does not occur in Safari.

    However, the following work around fixes the issue: in chrome or firefox,
    after having made one attempt with correct password, the browser returns
    the following URL (
    https://edspace.american.edu/facultysenate/wp-login.php?privacy=4&redirect_to=http%3A%2F%2Fedspace.american.edu%2Ffacultysenate%2F&wpe-login=auctrl
    ). when I erase everything that comes after "... faucltysenate/" in the
    URL (i.e. https://edspace.american.edu/facultysenate/) the browser returns
    the correct website and I can access the site as expected."

    Any suggestions?
    Thanks!
    Laura

  • Michael Bissett
    • Recruit

    Hey @Laura,

    It'd be good if we could have a closer look at what's going on here, could you please send in the following:

    - Mark to my attention, the subject line should contain only: ATTN: Michael Bissett
    - Do not include anything else in the subject line, doing so may delay our response due to how email filtering works.
    - Link back to this thread
    - Include WordPress network admin access details (for the staging site)
    - Include SFTP log-in details (for the staging site)
    - Include any relevant URLs for your site

    On the contact form, select "I have a different question", this ensures it comes through and gets assigned to me.

    https://premium.wpmudev.org/contact/

    Thanks! :slight_smile:

    Kind Regards,
    Michael

    • Laura
      • Flash Drive

      None so far, but thanks for the points @WPMS! It seems to be a crazy loop with permissions and denials on all fronts (especially since we have https and a URL redirect from our WPEngine domain). I'll be in touch as soon as I hear anything productive...

      Were you able to have WPEngine add the following to your installation?

      The nginx rule:
      if ( $http_cookie ~* "spo_blog_access" ) {
      add_header X-Type "nocachecookie";
      proxy_pass http://localhost:6789;
      }

      That helped solve most issues for us. Additionally, you can try this free plugin: https://wordpress.org/plugins/wordpress-access-control/ for some of the options

  • Michael Bissett
    • Recruit

    Hey @Laura, @WPMS.Network! :slight_smile:

    Thanks to WP Engine mentioning the correct port for the SFTP access (the lack of that being why I couldn't get in and dig into this further), I was able to have a further look at this here for you Laura.

    However, even after doing quite a bit of digging here, it seems like something that we'll need to call in our SLS staff for, as this seems deeper than what I can presently diagnose. I can confirm though that it's not WP Engine specific, as I was able to replicate this on my own Multisite install.

    Interestingly enough though, it only seems to take place when the site visibility is set to "Anyone that visits must first provide this password".

    Kind Regards,
    Michael

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.