Concrete CMS locks out admin users when registration is turned on. No way back in. ConcreteCMS.org provides that the only way to fix this is to reinstall the entire site again. Outrageous.

On our site I turned on the registered users and selected by email.

Concrete CMS locked out all users and banned our IP.

This is obviously a bug that simply should not be allowed to happen at all.

Please respond with haste as I have a client whose entire web access is now blocked.

An IP gets automatically banned when someone enters wrong usernames/passwords multiple times within a short time.
After a while (20 minutes IIRC) the IP is automatically unblocked btw.

That should not happen at all.

All admins are banned.

After the period of waiting we cannot access the site using existing admin details.

“Invalid email address or password is provided as error”

Do I have to rebuild the entire site and install a new CMS because of this, or is there a terminal workaround?

IPs are banned regardless of the username: you specify a wrong password multiple times? The system blocks your IP for a while.
And that must occur ESPECIALLY for administrators (otherwise your website would be a possible target of brute force attacks, which are aimed in particular at administrators).

You can of course add specific IPs (or IP ranges) to an allow list (they will never be blocked).
You can also disable the whole IP blocking feature (at your own risk).
This can be done via the dashboard, as well as using the ./concrete/bin/concrete5 c5:config set -g CLI command (or editing the config php files directly).
The problem is that I’m not in front of a PC atm, and I don’t remember the exact configuration keys.

Hi, so when we went to allow ‘registered users’ the CMS blocked admins who were using usernames instead of email addresses.

I am not sure your reply is the correct information.

It looks like I will have to reinstall the entire CMS and rebuild the website if we cannot get access.

Surely there is a fail-safe, so that an admin can go to the /var/www folder and change a file.

Looks like there is no server admin workaround other than to rebuild the entire site.

Disappointing.

Who has told you that’s the only option?
It’s simply not true.

I get the impression here that you’ve changed the login process/screen to expect an email address instead of username, and therefore it doesn’t work when someone puts in a username.

The error message you’ve said suggests you’re in email mode.

If this is the problem, you can change it directly in config by going to file:
/application/config/generated_overrides/concrete.php
and finding the value for email_registration, in the user/registration section. You can just change that from true to false and save it down.

Going forward, you have to either pick login by username or login by email; you can’t have both operating. It sounds like you just have to make sure that the admins that are set up know what email address is associated with their accounts to enter instead.

There’s no process in Concrete that is going to ban all admins. This just sounds like you’ve changed a setting without realising, then have made the wrong assumption as to what is going wrong.

Might be good to edit the subject of this email thread, as it’s not going to help you get the answers.
