My WordPress website using the s2Member plugin was supposed to redirect my subscribers to the Welcome Page that I had set up AND it was supposed to hide the wp-admin screens from them. But, every time I logged in, I was taken to either the home page, the wp-admin user profile, or I got a permissions error, no matter what I seemed to change.
This is a very large site with a lot of plugins. I didn’t want to take out all the plugins and change back to one of the Twenty something themes, but I had to figure out which plugin was causing the problem or if it was the theme. Surely it wasn’t a bug in s2Member. I love that plugin and it’s worked perfectly on numerous other sites.
I downloaded my LARGE (400+GB) database – that took some help from the hosting company because of timeouts with the exports. I set up a local environment with my website and started deleting plugins using FTP because it was quicker. I activated the Twenty Fifteen theme. Still had the problem. How could that be?
I researched s2Member’s knowledge base, as well as Google. I finally found an s2Member post about the WP login form having a hidden field for redirection. I already knew that and I knew that mine was setting the redirect to the wp-admin page. But, s2Member was supposed to be protecting that page and it wasn’t. So, in a way, that article helped, but not really. Even if I found out what was causing the redirection, my wp-admin wasn’t being protected properly.
In my research, I did see several times where s2Member support said that they would not help anyone who had changed the roles and capabilities outside of s2Member and I also saw a post about how the edit_posts capability being set could override the wp-admin blocking by s2Member. I had not changed the capabilities. I had added some new roles, but these login redirections were happening on subscribers, not the other roles that weren’t involved with s2Member.
I also saw in s2Member’s documentation that testing with a fresh install of WordPress would help determine if it were an s2Member bug. Everything was now pointing to an error in their code since I had activated the Twenty Fifteen theme and deleted all my plugins. So, I created another fresh WordPress install on my local machine, installed and set up s2Member and tried the login. Worked perfectly. Just as expected. Ok, this proves something is wrong with my site and not s2Member. It had to be something in the database.
I figured it had to be the capabilities since it was letting my subscriber see the wp-admin profile. I installed the Members plugin by Justin Tadlock to easily see the capabilities assigned to subscribers. I compared them with my fresh install and there were several differences. By reinstalling each plugin again, I found that several capabilities were being added by BuddyPress which is also used by my large site. And just deleting the plugins without deactivating first leaves the capabilities set on the roles, apparently. (Note to self: I wonder if deactivating them first will unset them? I’ll have to try that out.)
The very last plugin in my list, WP User Avatar, was setting the edit_posts capability on my subscriber which allowed my subscriber to access the wp-admin screens. What’s worse is that even if I unset the capability by hand, the capability was reset every time I got into the site. So, even when I thought I was turning it off, if I didn’t specifically go to the settings page for WP User Avatar and turn off the ‘Allow users to upload avatar’ setting, the capability was being set each time the site was accessed.
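The fresh-install comparison described above can be scripted. This is an added example, not code from the original post or from any of the plugins mentioned; it assumes each input file holds one capability per line (the format WP-CLI's `wp cap list subscriber` prints), and the sample lists and the `example_plugin_cap` name are constructed for illustration.

```shell
#!/bin/sh
# Added example: find capabilities a role has gained relative to a fresh install.
# Produce each input file with WP-CLI, once per site:
#   wp cap list subscriber > caps.txt

# Capabilities present on the current site but absent from the baseline.
# $1 = baseline file (fresh install), $2 = current file (affected site)
extra_caps() {
    grep -Fxv -f "$1" "$2" || true
}

# Extras that matter for wp-admin exposure. edit_posts is the capability the
# post identifies; treat this list as an assumption and extend it per policy.
RISKY_CAPS="edit_posts"

risky_extras() {
    for cap in $(extra_caps "$1" "$2"); do
        for risky in $RISKY_CAPS; do
            if [ "$cap" = "$risky" ]; then
                echo "$cap"
            fi
        done
    done
    return 0
}

# Constructed sample data: a fresh subscriber role vs. one that has drifted.
WORK=$(mktemp -d)
printf '%s\n' read level_0 > "$WORK/fresh.txt"
printf '%s\n' read level_0 edit_posts example_plugin_cap > "$WORK/site.txt"

echo "Capabilities added to subscriber since the fresh install:"
extra_caps "$WORK/fresh.txt" "$WORK/site.txt"

if [ -n "$(risky_extras "$WORK/fresh.txt" "$WORK/site.txt")" ]; then
    echo "WARNING: subscriber holds a capability that bypasses the wp-admin block"
fi
```

Running `wp cap remove subscriber edit_posts` clears the capability, but as noted above it comes back on the next page load until the plugin setting that grants it is switched off, so re-run the comparison after changing the setting.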
Changing the option to not allow my users to upload should fix the problem, right? I thought so. I logged in from the WP login form and it worked! I was so excited! Only 6 or so hours into my debugging and I had finally figured it out. But, the next time I logged out and went to the home page I was very disappointed. I’m using WP Curtain to block my site while it’s in development. When I logged in from the WP Curtain Login form, it redirected me to the home page every time. Ugh.
Back to the drawing board. I looked at the WP Curtain form to see what was different from the WP login form. It was calling the WordPress function to display the form, so it really shouldn’t be a problem. But, the hidden redirect was different. My WordPress login form that s2Member was specifically using was setting the hidden redirect variable to my admin url – ‘http://example.com/wp-admin’, but the WP Curtain login form was using my home page – ‘http://example.com/’. So, when I used the WordPress login form used by s2Member, then it was attempting to go to the wp-admin which was not allowed by s2Member, which triggered s2Member to redirect to the correct welcome page. But, when I used WP Curtain, it never hit the admin page and s2Member was never triggered.
I changed the code in the WP Curtain plugin to add the ‘/wp-admin’ to the end of my redirect url and everything started working perfectly. Of course, when we push the site live, I will drop WP Curtain and we won’t have to worry about updates overwriting my fix. Whew! What a nasty set of bugs to track down.
Hopefully this post will help someone else who may be having redirect problems with the s2Member plugin. Knowing what I know now, I wish I had deactivated plugins instead of just deleting them. But, I now have a much better understanding of how s2Member and the WordPress login form work. It was a good lesson in the WordPress framework as a whole, but it’s not a lesson many people would enjoy. Maybe this will help you learn the lesson much quicker.