two-factor
503 Service Unavailable after inserting 2FA - works with several tries
Describe the bug
If I try to log in to my WordPress installation, I often get a 503 Service Unavailable error after inserting the 2FA in the login form. This happens if I enter the 2FA with a password safe (like Bitwarden). If I enter the code by hand it works most of the time. I think there must be a timing issue for this error.
Steps to Reproduce
- Login with user / password
- Automatically copy the 2FA to the form and hit enter
- --> Error 503
- Retry sometimes works, sometimes not.
Screenshots, screen recording, code snippet
/wp-login.php?action=validate_2fa
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Environment information
- WordPress 6.2.2
- Chrome newest version, Safari Mobile
Please confirm that you have searched existing issues in this repository.
Yes
Please confirm that you have tested with all plugins deactivated except Two-Factor.
No
Does anything show up in your PHP or nginx/apache/IIS logs when it happens?
No, just the 503 error
This plugin doesn't trigger 503 responses directly, and the only place in core that triggers them (that I can think of/find) is maintenance mode during auto-updates, which theoretically could be triggered more often just after a login attempt (as the traffic to the site triggers cron, which triggers background updates).
I'm thinking it's more likely that this is caused by a security module - either a WordPress plugin, or more likely, a server-level rate-limiting on the login endpoint.
@x2on Are you able to confirm with your host whether there's any rate limiting on login that would trigger a 503?
I couldn't find anything about a rate limit at the server.
I currently only have "Limit Login Attempts Reloaded" active, and this plugin doesn't show an entry for that. Also, if I deactivate the plugin the same error happens.
If I wait 2-5 seconds before entering the 2FA it currently works.
I made a few tests. The problem only exists if I copy & paste the code to the form. If I enter the number by keyboard it works.
Any idea?
Closing until we have the exact error message or steps to replicate the issue.
I personally haven't observed this behaviour in any of the sites using this plugin. It could be related to the site setup so please do report back if you get more details.
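One way to check the timing theory raised in this thread against a server access log, as an added example that is not code from the plugin or from any participant: it measures the gap between the password POST and the `validate_2fa` POST per client and lists the 503s that arrived quickly. It assumes the Apache/nginx "combined" log format; the sample lines, IP addresses and the 2-second threshold are constructed for illustration.

```python
import re
from datetime import datetime

# Assumption: the server writes Apache/nginx "combined" format access logs.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not taken from the reporter's server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2023:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2023:10:00:01 +0000] "POST /wp-login.php?action=validate_2fa HTTP/1.1" 503 299 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2023:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2023:10:05:04 +0000] "POST /wp-login.php?action=validate_2fa HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2023:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

def two_factor_gaps(log_text):
    """Return (ip, seconds since password POST, status) for each 2FA POST."""
    last_password_post = {}  # ip -> time of the latest plain POST to /wp-login.php
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path, _, query = m["path"].partition("?")
        if path != "/wp-login.php":
            continue
        if "action=validate_2fa" in query.split("&"):
            start = last_password_post.get(m["ip"])
            gap = (when - start).total_seconds() if start else None
            results.append((m["ip"], gap, int(m["status"])))
        else:
            last_password_post[m["ip"]] = when
    return results

def fast_failures(results, threshold=2.0):
    """2FA POSTs answered with 503 less than `threshold` seconds after the password step."""
    return [r for r in results if r[2] == 503 and r[1] is not None and r[1] < threshold]

if __name__ == "__main__":
    for ip, gap, status in two_factor_gaps(SAMPLE_LOG):
        print(f"{ip} gap={gap}s status={status}")
```

If the 503s cluster at short gaps while slower submissions succeed, that points at something in front of WordPress throttling the login endpoint rather than at the plugin.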