This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Added HSTS then removed it. Now cannot login to website.

  • 9 balasan
  • 1 ada masalah ini
  • 2 paparan
  • Balasan terakhir oleh David M.

more options

Added HSTS to my website then removed it and now I cannot login to website (WordPress). I have tried all the syuggestions such as...

- removing the entry from SiteSecurityServiceState.txt

- renaming SiteSecurityServiceState.txt to SiteSecurityServiceState.bak

- right-clicking site in History and selecting 'forget this site'

...but Firefox just continually repopulates SiteSecurityServiceState.txt and refuses to allow the login.

I have done each of the above suggestions several times with the same result and I am now frustrated.

Is there some other place this 'lock-out' is stored?

What to do now?

Added HSTS to my website then removed it and now I cannot login to website (WordPress). I have tried all the syuggestions such as... - removing the entry from SiteSecurityServiceState.txt - renaming SiteSecurityServiceState.txt to SiteSecurityServiceState.bak - right-clicking site in History and selecting 'forget this site' ...but Firefox just continually repopulates SiteSecurityServiceState.txt and refuses to allow the login. I have done each of the above suggestions several times with the same result and I am now frustrated. Is there some other place this 'lock-out' is stored? What to do now?

Diubah oleh David M.

Penyelesaian terpilih

The scenario is:

I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured.

A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning.

On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload".

So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites.

I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary.

Thank you for your time and assistance, jscher2000. Very much appreciated.

Baca jawapan ini dalam konteks 👍 0

All Replies (9)

more options

hi, you'd need to close all running firefox instances before you attempt to edit SiteSecurityServiceState.txt , otherwise the changes won't have an effect.

more options

I did that, as the instructions on the sites explaining the process were thorough.

more options

Hi Dave, using Forget About This Site should clear cache for the selected host name. Perhaps it would help to clear the entire cache: How to clear the Firefox cache.

Are you sure that no subdomains on your server are sending the strict-transport-security header, even administrative or control panel-related addresses?

more options

I did that, as the instructions on the sites explaining the process were thorough. Cache and history are auto-cleared when browser closes and I have an app that clears everything from my computer including Windows Temp and Log files. There are no sub-domains.

I can load the site, cPanel, webmail, and FTP to the site, but the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.

Eliminated auto-login and filled login in manually with same results.

What bothers me is that even after "remove this site" from History and deleting entry from SiteSecurityServiceState.txt, Firefox still adds it again to SiteSecurityServiceState.txt when I attempt to login again.

I have tried every conceivable idea and still the same results. My next step is to eliminate the site completely, including database, rebuild from scratch, and see if that solves the issue.

Diubah oleh David M.

more options

Dave Manning said

...the wp-login.php is blocked from functioning. The username/password auto-fills and when 'login' is 'clicked', the page just resets and does not login and username/password remains.

Are you using an HTTPS URL for the site? Because if HSTS is set and you use HTTP, then you shouldn't be able to load anything without an error. And if you are using HTTPS, then I don't think HSTS is your problem.

Does that make sense?

more options

Yes, it is https. The site worked fine until I added the HSTS. I could not login with the HSTS, so I eliminated it and still could not login.

more options

Was HSTS added as a single new line in .htaccess or another config file, or through a control panel/application? Just wondering whether something else might have changed at the same time because as far as I know, HSTS just requires HTTPS and you have that.

more options

By the way, is wp-login working normally in other browsers?

In case there is some Firefox setting or data file that we aren't thinking of, perhaps try:

New Profile Test

This takes about 3 minutes, plus the time to test your sites.

Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.

Click the "Create a New Profile" button, then click Next. Assign a name like July2019, ignore the option to relocate the profile folder, and click the Finish button.

After creating the profile, scroll down to it and click the Launch profile in new browser button.

Firefox should open a new window that looks like a brand new, uncustomized installation. (Your existing Firefox window(s) should not be affected.) Please ignore any tabs enticing you to connect to a Sync account or to activate extensions found on your system so we can get a clean test.

Does wp-login work any better in the new profile?

When you are done with the experiment, you can close the extra window without affecting your regular Firefox profile. (July2019 will remain available for future testing.)

more options

Penyelesaian Terpilih

The scenario is:

I have a security plugin that continually prompted me to add the HSTS, so I looked it up and it said to enter a single new line in .htaccess, which I did. That's when it all occured.

A side note though, this is not critical because I was smart and tried this on a site of mine that is expiring at the end of the month, so I was going to delete the site anyways. It just bothers me that the plugin recommends the HSTS (even though I obviously do not need it because all my sites are https) and then the site ceases functioning.

On another note, what the sites I read concerning the addition of the HSTS did not mention was that I also required the "preload".

So in view of all the above, and that I am going to delete the site anyway, I am not going to add the HSTS to any of my remaining sites.

I already force HTTPS in all my .htaccess files and in all my wp-config's, which also forces HTTPS for the wp-admin as well, so I am considering this extra step unnecessary.

Thank you for your time and assistance, jscher2000. Very much appreciated.