Related to #8117
I had two reports of this this morning, in 831912-zen and 831859-zen.
In both cases, the users got the email to let them log in to their site. Upon clicking the login link, they got the following error:
{'error':'Bad Request','message':'Invalid input.'}
Note that 1 ticket was of a user that wasn't trusting REMOTE_ADDR, and the other was someone with many failed logins from their IP so they were blocked.
cc @enejb
The user sees the {'error':'Bad Request','message':'Invalid input.'} message after the login link expires or if they type the wrong link. Retrying again would work out for them.
cc: @lezama Should we increase the duration of that token?
How long is the duration of the token, @enejb ? I don't know how long these folks waited; I would guess not a long time but I don't know for a fact.
The link is only valid for 5 minutes.
It also says so in the email that we send out to the user.
Clicking the link below will allow you to either attempt additional login attempts or change your password for your WordPress site for 5 minutes from the ip address %2$s.
As I understand things users are usually only blocked for 20 minutes. So having something that is super long is probably not very useful.
But in the case where the token is not valid any more that doesn't seem to be the case.
> As I understand things users are usually only blocked for 20 minutes. So having something that is super long is probably not very useful.
Actually, no. Users can be blocked for much longer, ESPECIALLY in cases where we are trusting the wrong header (which is the majority of cases when users get blocked); in those cases, blocks can be effectively indefinite (the block expires and then they are blocked again almost immediately, and for longer). At least, that's how I understand it, so.. I think 5 minutes is not long enough. Especially when a user is frazzled and locked out and not sure what's going on, they might not go check their email right away.
I updated the email link duration to 15 minutes.
Can you explain a bit more about the wrong header? What is the issue there?
> Can you explain a bit more about the wrong header? What is the issue there?
This should explain things a bit: PCYsg-8f0-p2
You can also look at 1257-gh-jpop-issues for some recent examples of this issue.
Thanks for the links.
It would be good to implement some sort of solution where we automatically set the IP address in a better way. I know it really depends on the configuration of the server.
But maybe we can automate this somehow. For example if we know the IP address of the servers and make a request to the jetpack server. We could use the known predefined array of possible keys and headers and then try to configure the IP address that matched the one that we expect.
cc: @samhotchkiss What do you think?
Same problem here, unlock site link not working. I'm clicking within 5 minutes but still. I have to login to wordpress.com, go to settings, security, and disable protection, before logging in and activating protection again.
Adding my IP address to the whitelist does not solve the issue.
@merire111 Your site likely needs us to tweak a setting on our end. Can you contact us directly please?
Same problem here too, unlock site link doesn't work. Not sure why this would be opt out and not opt in.
Same issue on 900393-zen
In here, the user wasn't trusting REMOTE_ADDR so I switched to it.
Also reported in 899797-zen
The user wasn't trusting REMOTE_ADDR so I switched to it.
@enejb It is my understanding that if the Headers that we are looking at are incorrect on our end, then the link won't work. I don't know what percentage of people who get blocked are blocked because they mistakenly enter the wrong password (and thus the link is useful for them), versus the people blocked because the headers we are trusting are wrong (and thus the link won't work for them). However, right now we are giving all the people with incorrect trusted headers "false hope" that they can get into their site by clicking the link we send them. I suppose there's no easy way to filter those out so we don't even send them a link and we just say "contact us please"?
I think there might be a way to filter them out. Will look into this some more. Great suggestion!
Also I think this should be fixed via the Jetpack UI somehow. Telling the user something is wrong and what they should do to fix it. (Contact support)
> Also I think this should be fixed via the Jetpack UI somehow. Telling the user something is wrong and what they should do to fix it. (Contact support)
cc: @samhotchkiss and @MichaelArestad :)
More discussion at p7rcWF-HJ-p2
I got this request when trying to login. Had it sent to email. Got this:
{"error":"Bad Request","message":"Invalid input."}
And I did it all in minutes. So no timeout on the request. I'd say your plugin is broken.
@vrocks Could you contact us via this contact form and give us more details about your site? We'll help you get this fixed on your site.
Thanks!
979688-zen
1065607-zen
As someone else stated, I also followed the link probably 2 minutes or less after receiving the link, and got the same error API response. This looks like a plugin issue.
@chromechris Could you contact us via this form, so we can take a look at your site with you and try to see if we can get this fixed?
Thank you.
@jeherve I have contacted support through the provided link. I hope there is a fix for this :( Thanks for the help.
I encountered this issue today. I bypassed it by disabling the Jetpack plugin manually using phpMyAdmin. I then could log into my site. I reenabled Jetpack in my site and turned off the "Brute force attack protection" feature. I have other security plugins installed so it was superfluous. I live in China and often use VPNs to access the web, changing IP regularly, so whitelisting all my IP addresses isn't practical.
1152270-zen
@42Rincewind In your case, I suspect the VPN IPs were the ones getting blocked, but we could always verify it on our end if you send us your site's URL (and ideally, some or all of the IPs that were blocked) here: https://jetpack.com/contact-support/ Of course, since you turned off Protect, it's up to you if you want us to follow up on this! :)
Also reported in 1162780-zen
221045-zen
1232562-zen
1238231-zen
1254295-zen
1261281-zen
1269716-zen
1286665-zen
1289550-zen
1302552-zen
1312971-zen
1319911-zen
1319950-zen
1322772-zen
1325354-zen
1308737-zen
1330881-zen
Also reported on https://wordpress.org/support/topic/jetpack-blocking-websites-ip/
1333615-zen
1341560-zen
1349711-zen
1355603-zen
I have been experiencing this same issue. My IP in whatsmyip is showing another IP wherein the Jetpack has blocked another IP and blocked the access.
An email was sent to unblock to the verified user.
When I clicked on the link provided to login - it gave the same error
{'error':'Bad Request','message':'Invalid input.'}
It would be not good if I want the users to subscribe on the website and they will be blocked to login just because of this.
Can't we do something about that?
Hey @amy6147 ~ could you contact us through this form? Please include info about your sites, as well as the IP addresses that are blocked. We'll help take care of this for you. Do make sure to include more info, as your comment states that different IPs were blocked.
Thanks!
1374252-zen
1381584-zen
1381855-zen
1382457-zen
1381037-zen
1407858-zen
Note: This issue has the detailed research on our private discussion p9dueE-mO-p2
1410269-zen - Cloudflare
Changing the priority on this one; while it is an annoying problem for someone getting blocked out of their site, it seems the issue only happens with mis-configured servers that report the wrong IP address in headers like HTTP_X_FORWARDED_FOR. We can fix it on our end by looking at the list of headers given by the server and only looking at the one that seems to report the right address.
If you run into issues like this on your own site, please contact support via this contact form and let us know your site URL; we will fix things for you.
I'll leave this issue open as we may be able to circumvent some of those issues in the future by improving our IP detection process.
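To make the header problem concrete, here is an added example (not Jetpack's code) of the two ideas discussed in this thread: the earlier proposal to auto-detect which server variable really carries the client address by sending a request from a server whose IP we already know, and the point above that a misconfigured proxy stamping its own address into headers like HTTP_X_FORWARDED_FOR makes every visitor look like one client. The candidate header list, the probe address and the sample requests are all constructed for the example; the rate-limiter keying logic is illustrative, not the plugin's actual implementation.

```python
"""Illustrative client-IP resolution for a login rate limiter sitting behind a
(possibly misconfigured) proxy.  Added example, not Jetpack's code; header names
and sample addresses below are constructed."""
import ipaddress
from collections import Counter

# Server variable names to consider, most specific first.  Constructed list; a real
# deployment only trusts a header that its own proxy overwrites on every request,
# because anything else is client-supplied and can be set to an arbitrary value.
CANDIDATE_KEYS = (
    "HTTP_CF_CONNECTING_IP",
    "HTTP_X_REAL_IP",
    "HTTP_X_FORWARDED_FOR",
    "REMOTE_ADDR",
)


def ip_chain(value):
    """Parse a header value such as 'a, b, c' into the list of syntactically valid
    addresses, dropping loopback/unspecified entries.  Order is preserved:
    original client first, entry added by the nearest proxy last."""
    out = []
    for part in str(value or "").split(","):
        try:
            ip = ipaddress.ip_address(part.strip())
        except ValueError:
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            out.append(str(ip))
    return out


def client_ip(server_vars, trusted_key="REMOTE_ADDR"):
    """Return the address the rate limiter should key on.

    The rightmost entry of the trusted header is used because it is the one written
    by the proxy nearest to us; entries further left were supplied by the client.
    If the trusted header is missing or unparsable, fall back to REMOTE_ADDR rather
    than keying on a garbage value."""
    chain = ip_chain(server_vars.get(trusted_key))
    if not chain:
        chain = ip_chain(server_vars.get("REMOTE_ADDR"))
    return chain[-1] if chain else None


def detect_trusted_key(server_vars, probe_ip):
    """Given a request known to originate from probe_ip (the self-check idea from the
    thread), return the first candidate key whose nearest-proxy entry equals probe_ip.
    Returns None when no header carries the true client address, i.e. the server
    itself is misconfigured and no plugin setting can compensate."""
    for key in CANDIDATE_KEYS:
        chain = ip_chain(server_vars.get(key))
        if chain and chain[-1] == probe_ip:
            return key
    return None


def failed_login_counts(requests, trusted_key):
    """Count failed logins per resolved client IP.  With the wrong key, many distinct
    users collapse onto the proxy's address and share one lockout."""
    return Counter(client_ip(r, trusted_key) for r in requests)


# ---- constructed sample data -----------------------------------------------------
PROBE = "198.51.100.77"  # hypothetical probing server (RFC 5737 documentation range)

DIRECT = {"REMOTE_ADDR": PROBE}
# Behind a proxy that overwrites a vendor header and appends to X-Forwarded-For;
# the leftmost XFF entry is whatever the client sent and is not trusted.
PROXIED = {"REMOTE_ADDR": "10.0.0.2",
           "HTTP_CF_CONNECTING_IP": PROBE,
           "HTTP_X_FORWARDED_FOR": "203.0.113.9, " + PROBE}
# Misconfigured: the load balancer stamps its own address into every header.
BROKEN = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "10.0.0.2"}
# Five distinct users, each failing one login, behind a proxy that fills only XFF.
USERS = [{"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": f"203.0.113.{n}"}
         for n in range(1, 6)]

if __name__ == "__main__":
    print(detect_trusted_key(DIRECT, PROBE))     # REMOTE_ADDR
    print(detect_trusted_key(PROXIED, PROBE))    # HTTP_CF_CONNECTING_IP
    print(detect_trusted_key(BROKEN, PROBE))     # None: fix the server, not the setting
    print(failed_login_counts(USERS, "REMOTE_ADDR"))            # {'10.0.0.2': 5}
    print(failed_login_counts(USERS, "HTTP_X_FORWARDED_FOR"))   # one entry per user
```

The BROKEN case is the one the comments above describe: no header contains the real visitor address, so the probe finds nothing to trust and the only fix is on the hosting side. The USERS comparison shows why the symptom is "everyone locked out at once" rather than a single noisy client.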
1442928-zen
1492300-zen
1492369-zen
1511591-zen
1512522-zen
1533692-zen
1556889-zen
1567653-zen
1578156-zen
1581528-zen
1583112-zen - Bluehost site
1583373-zen
1584262-zen
1585183-zen
1594387-zen
1594478-zen
1581800-zen
1592368-zen
1596242-zen
1593064-zen
1598045-zen
Given that we're already addressing the problems with Bluehost and EIG internally, I don't think there's value in adding those to this thread. As Jeremy mentioned above, we know that this is caused by a problem with the headers. If we can get those headers fixed, it will likely resolve this for many of these identified problems.
1597607-zen (not Bluehost, but unclear who the host is; seems like a reseller)
There is another report of this error.
https://wordpress.org/support/topic/jetpack-has-locked-your-sites-login-page-6/#post-10975357
I got this today when I tried to use cloudflare in front of my server, so I guess it's something to do with header stuff. I clicked the link within 30 seconds or so, so it's definitely not related to link expiry.
@josephrocca Please contact us with your site's URL so we can take a look.
1715467-zen
1792502-zen
I also have this issue on one of my sites that I still have this protection on. I've had the issue for over a year. Corresponding with Jetpack support, they just pointed me to this thread to track progress. Looks like not much progress has been made in a year.
@Prizem We should be able to fix the underlying issue with your site(s); can you share a ticket number of your correspondence with us, so I can take a look?
> @Prizem We should be able to fix the underlying issue with your site(s); can you share a ticket number of your correspondence with us, so I can take a look?
Sure! Looks like tickets 1792502 and 1657826.
1857517-zen
1865106-zen
1876781-zen
1880282-zen
1889229-zen
Same problem here (on both the QA and production instances of my site).
1895167-zen
@immersiontravis We can fix it for you if you contact us with your site URLs: https://jetpack.com/contact-support/
1897156-zen
1901568-zen
1906075-zen
1907329-zen
1908207-zen
1910888-zen
1912884-zen
1907046-zen
1912666-zen
1915822-zen
1916497-zen
1916606-zen
1917036-zen
1917292-zen
1917065-zen
1917022-zen
1917435-zen
1917552-zen
1917897-zen
1919171-zen
1920016-zen
1920148-zen
1921777-zen
1913219-zen
1930569-zen
1930890-zen
1930846-zen
1930986-zen
1917068-zen
1932985-zen
1933178-zen
1933764-zen
1934432-zen
1935157-zen
1936537-zen
1936915-zen
1940634-zen
r190045-wpcom improves the e-mail's handling and should resolve some (if not all) of these issues. Leaving the issue open until Happiness confirms.
Woot woot! Thanks :)
1946446-zen
From checking with Happiness, we've had no new recent reports so I am marking as resolved.
❤️
Ticket: 2043791-zen
Blog ID: 132029627
Jetpack: 7.3.1
Nameserver: Hostgator
@kraftbj - can you check this case? Also, should I open a new ticket for this or continue here?
Ticket: 2071681-zen @jeherve since Kraft is AFK can you assign someone to own this possibly?
@bikedorkjon This seemed to be a problem with the server configuration; it is now fixed within the Protect API settings for that site.
They responded that things were fine, just forgot to close this.