How to fix ‘Error for site owner invalid site key’
It adds up to the frustrations on the go: the intent was to make my blog safe(r). At a next admin login at my website, I got ‘Error for site owner: Invalid site key’. I couldn’t login in the WordPress Admin console of my blog anymore.
It adds up to the frustrations I guess. Eventually I was able to google the solution but as it goes for everything while searching, you need to know the proper keywords to find what you need.
1. What is 2 Factor Authentification and what does it do?
As my site was hacked once (more on this later), I decided to avoid this. That’s why I ended up at labhosting who gave me the highest protection. My PHP-advisory/programmer advised me to setup 2 FA on my site.
To explain this, I found Wikipedia’s definition very concise:
Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors:
1) something they know,
2) something they have, or
3) something they are.
In other words, when you install one of the plugins on your WordPress blog called ‘Multifactor Authentification’, your site’s or blog’s admin login screen looks like this:
At times you will have the 2 Factor Authentification code prompt as second screen after you fill out your username and password. In other words… it is not enough to login with just filling out your username and password.
2. How to install 2 FA-app on your mobile?
In short: Install via your WordPress admin console a plugin of ‘Multifactor Authentification’ and configure it. Next download the same app via the mobile app store and configure it there as well.
a. Add a new plugin in WordPress: Wordpress Admin console > Plugins > ‘Add New’
b. Search on keyword: for example: ‘2 Factor’
c. Install an app in WordPress that offers you ‘two-factor authentification‘
How to know whether an app is reliable?
It’s of course not fully 100% but it’s a good start… I look at the amount of active installations and the review score (amount of stars). I may be revising the negative comments if I feel it is needed. In general you can state that the more an app was installed, the more it is considered reliable (enough). However, there are some excellent undiscovered apps out there that may be offering even a better service.
Alternatively and in combination with the above, you can also google for advice!
d. Search for the installed app in WordPress on your mobile device as it is for sure listed in the app store (for iPhone ‘Apple Store’; for Android ‘Google Play’-store)
e. Configure the app both in WordPress (WP) and on your mobile
Depending on the app, you may have to scan a QR-code that you capture via the app that you installed on your mobile device.
What is QR? It is the abbreviation of Quick Response. Scanning a QR-code (similar to a barcode on a product in a regular shop), is a shortcut for a predefined automated action (e.g. visiting a website, registering a device, etc.).
How does it look like?
How to read QR-codes? There are QR-apps which you can download on your mobile, search with keywords ‘QR code’.
To capture a QR-code for the two-factor authentification which you installed in WordPress, you normally should have the option via the installed app on the mobile to capture it.
Probably the most important thing as you are still logged in, is to first test the app while still being logged in into WP ! There should be a section in the plugin that you installed in WordPress where you can enter a test code that is generated from the corresponding app on your mobile.
3. Test your 2 FA-plugin before logging out from the WordPress admin console
The golden rule if you implement 2 FA admin login on your blog is to test it out in your WordPress admin console before you are logging out. If you do not do it, you can be ‘locked out’, unable to enter your site or blog.
4. Where does the ‘Error for site owner: Invalid site key’-message come from?
In addition to the 2-Factor Authentification plugin that I had installed in WordPress, I also installed the ‘Google Captcha’ plugin that that offers the two-factor authentification security.
Even though the other 2-factor plugin worked correctly, somehow the Google Captcha was not configured correctly.
In Google Captcha Settings, you need to enter both a Site Key and Secret Key.
You can generate these keys after you register your site. You can get the API-keys on the the Google Recaptcha site.
Requirement? You need to have a Google mail address. You can easily sign up at google mail.
What happened? Somehow the Site Key and Secret Key was invalid. I did some testing in the Google captcha panel, these codes somehow changed and as result I got ‘Error for site owner: Invalid site key‘. The result looked like this:
5. What to do if you are locked out?
Luckily there is a way out but ok you need to have a bit of IT-skills to know what is happening. More than one solution is possible but only one worked for me. One of the most overrated and yet true sentences is: ‘Google it, it’s on the net’. We all know that an effective solution may not always appear on the first search.
For me, in this particular case, be my guest to prove the opposite, only one solution worked.
Go via FTP to the WordPress folder where the plugin is installed and rename it
The two-factor authentification plugin is installed just as any plugin at the following location:
What is FTP? File Transfer Protocol
Via a tool you get remote access to the place on the web where your site is located and when you log in there you can easily either add or remove or edit foldernames.
Why should you watch out?
If you rename any other folder name in the plugins section the plugin that you installed and configured will not work anymore. To be on the safe side, be careful when selecting folders.
For example if you want to ‘google-captcha’ into ‘google-captcha-stop’, click once on the folder name, hit the F2-button (Function F2 normally on top of your keyboard) and rename the folder. The final result will look as so:
As in general, be careful what you do. If you are unsure, take note in a separate file of the plugins and what they are doing. Know the location of your folders i.e. normally if you install WordPress on your site from scratch, the wp-content folder should be located in the
/public_html/ directory but this does not have to be the general rule.
- Do you have another solution that the one I suggested above? Do not hesitate and leave a comment below.
- Would you have by any chance some extra tips and hints on how to proceed with with two-factor authentification in a cautious way please share your thoughts.