Update plugins-known-issues.md for Solid Security debugging (#9388)
* Update plugins-known-issues.md for Solid Security debugging

The CSE team is cleaning up some of our playbooks and found documentation about a WordPress Plugin issue that was not talked about publicly. After reviewing with our colleagues, we decided this would be best handled by moving to the public-facing documentation, so customers can potentially self-resolve the problem.

* Update plugins-known-issues.md

updating the codeblocks to match other file naming structures

* Update plugins-known-issues.md

Merging "two solutions" into a single solution
dylanbaumann authored Jan 24, 2025
1 parent 87e985e commit 5240525
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions source/content/plugins-known-issues.md
Expand Up @@ -626,6 +626,31 @@ ___

**Solution:** Modifications to `wp-config.php` should be done in Dev or Multidev environments, then deployed forward to Test and Live.

**Issue 3:** Unable to reset WordPress password or register new WordPress users when "Hide Backend" feature is enabled due to `itsec-hb-token` parameter being stripped from URL redirections.

**Solution:** Two adjustments are needed to fully resolve this issue. First, dynamically append the `itsec-hb-token` parameter to redirection URLs when the parameter present in the original request. Edit the `functions.php` file of your WordPress theme. If you're using a child theme, make the changes there to avoid overwriting during theme updates.

```php:title=functions.php
add_filter('wp_redirect', 'retain_itsec_hb_token', 10, 2);
function retain_itsec_hb_token($location, $status) {
if (strpos($location, 'wp-login.php?checkemail=confirm') !== false && !empty($_GET['itsec-hb-token'])) {
$location = add_query_arg('itsec-hb-token', $_GET['itsec-hb-token'], $location);
}
return $location;
}
```

Second, ensure the `itsec-hb-token` parameter is retained when during login redirection to the `wp-login.php?checkemail=confirm` page. Locate the `wp-config.php` file in the root directory of your WordPress installation. Add the following code snippet at the top of the file, replacing "LOGIN_LOCATION" with your defined login slug (such as `log-me`):

```php:title=wp-config.php
if (($_SERVER['REQUEST_URI'] == '/wp-login.php?checkemail=confirm') && (php_sapi_name() != "cli")) {
header('HTTP/1.0 301 Moved Permanently');
header('Location: https://' . $_SERVER['HTTP_HOST'] . '/wp-login.php?checkemail=confirm&itsec-hb-token=LOGIN_LOCATION');
exit();
}
```

___

## Jetpack
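
Review bot: In the `wp-config.php` snippet, the redirect answers every request for `/wp-login.php?checkemail=confirm` with a `Location` header that contains the configured login slug, so an unauthenticated visitor can read the Hide Backend slug straight from the response; the docs should state this trade-off next to the snippet. The same snippet builds the target from `$_SERVER['HTTP_HOST']`, which is taken from the request, and sends a 301 that browsers cache, so a fixed site hostname and a 302 would be safer, and "at the top of the file" should say after the opening `<?php` tag. In the `functions.php` snippet, `$_GET['itsec-hb-token']` is passed to `add_query_arg()` unmodified; run it through `sanitize_text_field( wp_unslash( ... ) )` and `rawurlencode()` first, since `add_query_arg()` expects values that are already encoded. The prose also has two typos ("when the parameter present", "retained when during login redirection"), and "Two adjustments are needed" sits oddly with the commit note about merging into a single solution.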