When we use a security plugin, we want it to block attacks, bad requests and brute-force attempts, and to prevent the theft of user accounts: that whole class of protection.
But sometimes it does too much, and you end up locked out of your own website with no way back in.
Here are a few ways to get your website back into your own hands:
SecuPress
First, let's talk about SecuPress. If you are locked out because you tried to log in too many times, or you misspelled your username, your IP is banned and you'll see this screen:
If you are an administrator, a form on that screen lets you request an unlock.
FTP
With an FTP client (SFTP is far better, we're in 2017: plain FTP sends your credentials in clear text) such as FileZilla or Transmit, you can deactivate the culprit, the plugin that is blocking you.
- Find the plugins directory, usually /wp-content/plugins/,
- Rename the offending plugin's folder, for example by appending ".old" to its name,
- Go back to your admin area, on the Plugins page.
You should now see a notice saying that the plugin has been deactivated because its files could no longer be found.
.htaccess
It's also possible that one of these security plugins modified the .htaccess file to lock you out upstream, before WordPress even runs. If you're on an Apache environment, you'll find this .htaccess file at your website root; otherwise, check the next point.
This file can contain a line forbidding any access from certain IPs. If you're still locked out:
- Back up this file first!
- Look in it for a line like:
deny from 127.0.0.1
where 127.0.0.1 stands for your own IP,
- Remove that line (only that line: the rest of the file holds your rewrite rules) and save the file,
- Go back to your site; you should have access again.
You can find your public IP in one click on whatismyip.com.
mu-plugin
Still locked out? OK, let's keep digging. A plugin you have just deactivated can still run through a generated mu-plugin (Must Use Plugin): WordPress loads every PHP file placed directly in the mu-plugins directory unconditionally, with no activation step and no way to deactivate it from the admin area.
Such a mu-plugin may load the full plugin, or read a list of IPs to ban from the database, and you stay locked out.
Back in your FTP client, you can deactivate mu-plugins from there too.
- Find the mu-plugins directory, usually /wp-content/mu-plugins/,
- If there isn't one, you're done here; go to the next point.
- Rename the mu-plugins folder, or just the file if you know which one it is, again by appending ".old",
- Go back to your admin area; you should have access.
loader
Still locked out?? Well, this is a stubborn one! But we still have options. PHP can also be made to run code before WordPress even loads.
Still in your FTP client, look for a php.ini or .user.ini file containing some PHP configuration.
If you don't have one, skip this step; otherwise:
- Back up this file!
- Edit it and look for a line like
auto_prepend_file = [path/to/the/filename].php
- Delete this line and save the file.
- Go back to your admin area; you should have access.
Note that PHP only re-reads .user.ini files every user_ini.cache_ttl seconds (300 by default), so the change can take up to five minutes to take effect, and a php.ini change usually needs a PHP or web server restart.
Wordfence
Wordfence uses this mechanism with a file named wordfence-waf.php. Once you have removed the auto_prepend_file line in the previous step, you can also delete that file, or empty it. Don't delete it while the directive still points at it: PHP would then fail to start on every request.
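The four filesystem steps above (renaming a plugin or the mu-plugins folder, stripping a deny line from .htaccess, and removing an auto_prepend_file directive) as one shell script. This is an added example, not SecuPress code or code from the original post; it assumes a POSIX shell with awk available, the usual wp-content layout, and it builds a fake install in a temp directory to demonstrate against. The Apache 2.4 "Require not ip" form is handled as a generalisation the post does not mention.

```shell
#!/bin/sh
# Added example, not SecuPress code: the filesystem side of a lockout
# recovery, scripted for a shell on the server (or run locally against a
# copy pulled over SFTP and pushed back). All paths below are assumptions.

# Stop WordPress loading a plugin by renaming its folder (works for a
# single plugin dir or the whole mu-plugins dir). Refuses to clobber an
# existing ".old" so a second run cannot destroy the first renamed copy.
deactivate_plugin() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "no such directory: $dir" >&2
    return 1
  fi
  if [ -e "$dir.old" ]; then
    echo "refusing to overwrite $dir.old" >&2
    return 1
  fi
  mv "$dir" "$dir.old"
}

# Keep a timestamped copy before touching any config file.
backup_file() {
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Drop .htaccess directives that block one IP. Handles the Apache 2.2
# "deny from IP" form the post shows and, as a generalisation, the Apache
# 2.4 "Require not ip IP" form. Every other line (rewrite rules, bans on
# other IPs) is kept, which is why the whole file must not be deleted.
unblock_ip() {
  file="$1"; ip="$2"
  [ -f "$file" ] || return 0
  backup_file "$file"
  tmp="$file.tmp.$$"
  awk -v ip="$ip" '
    {
      l = tolower($0)
      directive = (l ~ /^[ \t]*deny[ \t]+from[ \t]/ ||
                   l ~ /^[ \t]*require[ \t]+not[ \t]+ip[ \t]/)
      hit = 0
      # Compare whole tokens, so 203.0.113.7 does not match 203.0.113.70.
      if (directive) for (i = 3; i <= NF; i++) if ($i == ip) hit = 1
      if (!hit) print
    }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Remove an auto_prepend_file directive from php.ini or .user.ini, the
# hook that lets a WAF such as Wordfence's wordfence-waf.php run before
# WordPress. Commented-out (";auto_prepend_file") lines are kept.
remove_auto_prepend() {
  file="$1"
  [ -f "$file" ] || return 0
  backup_file "$file"
  tmp="$file.tmp.$$"
  awk '{ l = $0; sub(/^[ \t]+/, "", l) }
       tolower(l) !~ /^auto_prepend_file([ \t]|=)/' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed sample install in a temp dir (not a real site):
# a fake plugin, a fake mu-plugins dir, an .htaccess banning two IPs and a
# .user.ini prepending a WAF file. Prints the temp root so you can inspect it.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/some-security-plugin" "$root/wp-content/mu-plugins"
  printf 'Order Deny,Allow\nDeny from 203.0.113.7\ndeny from 198.51.100.9\nAllow from all\n' > "$root/.htaccess"
  printf 'auto_prepend_file = "/var/www/html/wordfence-waf.php"\nmemory_limit = 256M\n' > "$root/.user.ini"
  deactivate_plugin "$root/wp-content/plugins/some-security-plugin"
  deactivate_plugin "$root/wp-content/mu-plugins"
  unblock_ip "$root/.htaccess" 203.0.113.7
  remove_auto_prepend "$root/.user.ini"
  printf '%s\n' "$root"
}

demo
```

On a real install, source the file and call the functions against your own paths (for example unblock_ip /var/www/html/.htaccess 203.0.113.7). Every edit leaves a timestamped .bak copy next to the original, and the rename refuses to run twice so it cannot silently destroy the first .old copy.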
Plugin Activation
At the start we renamed a plugin folder; now you have to give it its real name back.
That lets us reactivate the plugin, but... it may still block us, for two reasons:
- Why did it block us in the first place? We have to find out, or we'll be locked out again and back at the top of this post,
- Our IP may have been stored in the database, and on reactivation the plugin will read that data again and lock us out.
So we have to find our IP in the database, without quite knowing where to look.
database
You now have to connect to the database with a manager such as Sequel Pro, or a web application like phpMyAdmin.
Then, find the table prefix (the $table_prefix line) in the wp-config.php file at your installation root.
Once in your database manager:
- Open the wp_options table (with your own prefix, so the name may differ),
- Search option_value for your IP address with a LIKE '%…%' condition,
- Copy that entry before deleting it,
- Delete the entry.
iThemes Security
iThemes Security creates a table named wp_itsec_lockouts (with your prefix) that holds all the lockouts; you'll find your IP in the lockout_host column, so you can delete that row!
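The database step and the iThemes Security table, as an added shell example that is not from the original post: it reads $table_prefix from wp-config.php (a constructed sample here) and prints the SQL to paste into phpMyAdmin, Sequel Pro or the mysql client. The statements use only the table and column names given above; the checks on the prefix and the IP are my addition, so that a bad value cannot change the shape of the statement.

```shell
#!/bin/sh
# Added example, not SecuPress code: read the table prefix from wp-config.php
# and generate the SQL for the database-side search, covering both the
# generic wp_options search and the iThemes Security lockout table.
# Nothing here talks to MySQL; review the SELECT output, keep a copy of the
# rows, then run the DELETE yourself (mysql client, phpMyAdmin, Sequel Pro).

# Extract $table_prefix from a wp-config.php; falls back to wp_ (the
# WordPress default) when the line is missing.
wp_table_prefix() {
  prefix=$(sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
  printf '%s\n' "${prefix:-wp_}"
}

# Refuse values with characters that could alter the statement: a table
# prefix may only be [A-Za-z0-9_], an IP literal only [0-9a-fA-F.:].
valid_ident() { case "$1" in "" | *[!A-Za-z0-9_]*) return 1 ;; esac; }
valid_ip()    { case "$1" in "" | *[!0-9a-fA-F.:]*) return 1 ;; esac; }

# Print the statements to locate, then remove, a lockout for one IP.
lockout_sql() {
  prefix="$1"; ip="$2"
  valid_ident "$prefix" || { echo "bad prefix: $prefix" >&2; return 1; }
  valid_ip "$ip"        || { echo "bad ip: $ip" >&2; return 1; }
  cat <<EOF
-- 1. Generic search: any option whose value mentions the IP (ban lists are
--    often stored serialized inside a single ${prefix}options row).
SELECT option_id, option_name FROM ${prefix}options WHERE option_value LIKE '%${ip}%';
-- 2. iThemes Security keeps one row per lockout in its own table.
SELECT * FROM ${prefix}itsec_lockouts WHERE lockout_host = '${ip}';
-- 3. Copy the rows shown above, then remove them. Note that deleting a whole
--    ${prefix}options row also drops every other IP stored in it.
-- DELETE FROM ${prefix}options WHERE option_id = <id from step 1>;
DELETE FROM ${prefix}itsec_lockouts WHERE lockout_host = '${ip}';
EOF
}

# Constructed sample wp-config.php (not a real one); prints its path.
make_sample_config() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'blog_';
EOF
  printf '%s\n' "$cfg"
}

cfg=$(make_sample_config)
lockout_sql "$(wp_table_prefix "$cfg")" 203.0.113.7
```

Run it with your own wp-config.php path and IP, pipe the SELECT statements into the mysql client, and only then run the DELETE lines against the rows you have copied.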
Password Lost
Last possible case: there is no lock from a plugin and your IP is not blacklisted; you are the lock. Your memory has failed you on the password, and it's impossible to reset it through the "Lost password?" link (mail server down, old email address...).
If you have FTP access, you can log in to any admin account without knowing its password! You can also create a new admin account. (Which is also the reason to guard your FTP credentials as carefully as your admin password: anyone who has them owns the site.)
Use our free script SecuPress Backdoor User: rename the PHP file, upload it to your installation, open it in a browser and you'll see this screen:
Delete the script from the server as soon as you are logged in; left in place, it is exactly the backdoor its name says, for anyone who finds it.
I hope you're now logged in and can get back to work!