Hello team of Cerber Tech Inc.,

I would like to report a problem with the WP Cerber Security, Anti-spam & Malware Scan plugin.

My problem:
When a user changes his password, after clicking the save button, he is redirected and he gets a “502 Bad Gateway” error. The main problem is that when the user wants to go to the main page afterwards, he gets a 500 error. The same problem also occurs when the user is logged in and I restart the Docker container of WordPress in the background.

Solution / Workaround:
The user has to log out somehow. Because he cannot do this himself – as the website cannot be loaded – he has to delete the cookie. More precisely, he has to delete the login / session cookie. In our case, the cookie has the following pattern: wordpress_login_XXXXXXX.

Error analysis:
I found out that the problem is somewhere in the plugin WP Cerber Security. Because: if I turn off the plugin and change the password or restart the Docker container, the issues do not occur.

More detailed error analysis:
The 500 error that occurs generates the following error message in the log:

PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /var/www/html/wp-includes/pluggable.php on line 656, referer: https://.../edit-account/
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in Unknown on line 0, referer: https://.../edit-account/
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 20480 bytes) in /var/www/html/wp-includes/class-wp-user.php on line 509
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 20480 bytes) in /var/www/html/wp-includes/class-wp-fatal-error-handler.php on line 72
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in /var/www/html/wp-includes/pluggable.php on line 656
PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 262144 bytes) in Unknown on line 0

I have analysed the source code and found out the following:
The problem probably occurs when the auth / login cookie is parsed or processed. I suspect that an infinite loop occurs.
The source code can be found here: wp-includes/pluggable.php on line 656.
In it, the Auth-Cookie is parsed.
The function to parse the cookie is also in the pluggable.php on line 822.
Unfortunately, it does not say how the parameters are assigned. Maybe the default values, i.e. empty strings, are used for the cookie and scheme parameters.

Maybe this information can help to solve the problem. I also have a list of the names of the cookies in my browser:

• PHPSESSID
• sec_cerber_groove
• __stripe_mid
• wordpress_logged_in_4d149b1d38bb29a9580e9ea2307fc398
• sec_nRapbULfNQe_PBK
• sec_WpcrwsAYHOqC
• sec_cerber_groove_x_SeLDjzd4E7pI0iRQJvl3hZqWX
• sec_A_PXanSkf
• wp_woocommerce_session_4d149b1d38bb29a9580e9ea2307fc398
• borlabs-cookie

I have removed the cookie values for security reasons. If they are needed, I can send them by private message or email.

What else I tried:

1. On my staging / development environment I have the same setup (files + database were cloned). If I do not switch on SSL for the NGINX reverse proxy (-> use http:// instead of https://), the problem does not occur. So it seems to have something to do with the SSL / HTTPS or the detection of the reverse proxy.
2. In a few places on the internet it is recommended to increase the memory limit. By default, we have set the memory limit to 128 MB. This has always been sufficient. For testing, we set the memory limit to 512 MB. Then the problem still occurred.
3. If I delete the sessions of all users via the WordPress CLI (for example after the container restart), the problem still occurs.

My setup:

• Latest version of WordPress (5.7.2 / updated to 5.8 today)
• Latest version of WP Cerber Security (8.9)
• WordPress Plugins: WooCommerce, WooCommerce Germanized, Borlabs Cookie Consent Management and a few more WordPress plugins that you need for a shop. So a few extensions for WooCommerce and such. Nothing extraordinary or weird. Most of the plugins are very popular and widely used.
• WordPress is run on a VM via Docker. The official Docker images for WordPress (from hub.docker.com/_/wordpress) are used and Docker-Compose is used to run WordPress and a MariaDB.
• We use a NGINX reverse proxy that is switched in front of the Docker container of WordPress. The NGINX reverse proxy takes care of the accesses and the SSL certificate. The communication between the NGINX and WordPress works without SSL.
• Settings in WP Cerber Security:
  – “Load security engine”: Legacy
  – “Site connection / My site is behind a reverse proxy”: Checked
  All other settings are left at default values. At least I think so…

Other similar issues:

• Password Change – 502 Bad Gateway (https://wordpress.org/support/topic/password-change-502-bad-gateway/)
• error 500 on delete/reset password user (https://wordpress.org/support/topic/error-500-on-delete-reset-password-user/)

Thank you very much in advance for your help and best regards from Germany.
Paul

• This topic was modified 2 years, 11 months ago by Paul Vogel. Reason: Provide more detailed info and fix some formatting issues
• This topic was modified 2 years, 11 months ago by Paul Vogel.