Hi,
Recently, within the past couple days, I’ve been encountering an issue where any user that attempts to login gets the error message Error: Invalid username or Password.
Not entirely sure what the cause is however when I go to
S2 member pro > restriction options > Brute force IP/login restrictions and click “reset Brute force logs”, this seems to clear the issue… Again, it affects all users and also rejects users from submitting forms as well.
Any thoughts what the cause may be?
Hi Chris,
Thta’s a very unusual behavior… The login authentication is handled by WordPress, but it’s curious that resetting that would change the behavior, because that protection gives a different message when triggered and it applies to the single user not everyone.
Could you please try the advice here? https://s2member.com/kb-article/common-troubleshooting-tips/ (you can ignore the MySQL warning in the Server Scanner)
In the meantime you can try making the Brute Force protection a little less strict to see if you get less of that issue.
I look forward to your update. 
Are you behind a proxy?
That could make it look to WP that all your connections are from the same IP so all of the login errors look like they are from the same source.
Using CloudFlare? Then be sure to install and activate their plugin to get real IPs so this doesn’t happen.
Are you behind a proxy? I don’t believe so as I’m not sure to to set this up - although I did recently create a staging site although I suspect that’s not related.
Using CloudFlare? nope
I’ve enabled logs and the issue has represented itself, is that something I can/should share privately?
You can send me the details privately if it has sensitive information, yes. Just click on my name and then the blue message button.
Thanks. Got the logs. i don’t see there something that I recognize about your problem. The log files are more useful when troubleshooting integrations with other services.
In your case I would start testing the plugins you have to find which one may be causing this behavior…
Do you have a way to consistently reproduce the behavior, or it just seems to happen randomly?
Why did you suspect s2Member first? And if you make the Brute Force protection very forgiving, does the problem go away?
Do you have a way to consistently reproduce the behavior, or it just seems to happen randomly?
Unfortunately no, it’s been occurring every day for the past 3 days(at least,today included)
Why did you suspect s2Member first?
It’s less that I suspected s2Member first and moreso that it was able to guide me down the path of a resolution.
Separately, I have a different bug/conflict with a plugin UsersWP. That plugin allows you to specify a post-registration redirect. That redirect does not work while s2 is active. This was isolated using a default theme and only those two plugins(UserWP and s2) Here is a link to that support thread if it helps provide any clarity https://userswp.io/support/topic/register-redirect-and-invalid-user-password-on-registration/ my understanding of this bug evolved over time
and if you make the Brute Force protection very forgiving, does the problem go away?
This has yet to be determined, I can likely provide better info on this after some more time passes. So far, the issue has not yet presented itself again
I’m still chasing the proxy trail.
Who is your web host?
Also (sorry @clavaque), disable the s2 brute force protection completely and install WordFence, which will provide similar protection, more customization, and better logs. If you’re behind a proxy, etc. it will even try to learn that.
My guess is still that your WP installation thinks all your visitors are coming from the same IP address, which is what a proxy looks like and Wordfence can help figure that out.
On second thought, I don’t think you can disable the brute force protection on s2. I think I set it to the highest number and set Wordfence to 20 or so.
But that all said, I’ve never had luck combining plugins like UsersWP with anything else.
Granted I’ve never tried that one, but UltimateMember plus any real membership plugin broke everything.
Who is your web host?
Justhost
Also (sorry @clavaque), disable the s2 brute force protection completely and install WordFence, which will provide similar protection, more customization, and better logs. If you’re behind a proxy, etc. it will even try to learn that.
Will do
My guess is still that your WP installation thinks all your visitors are coming from the same IP address, which is what a proxy looks like and Wordfence can help figure that out.
On second thought, I don’t think you can disable the brute force protection on s2. I think I set it to the highest number and set Wordfence to 20 or so.
There is an option in s2 to allow infinite failed logins, I’ll set wordfence to 20