When we use a security plugin, we want it to block attacks, hackers, bad requests and brute-force attempts, and to prevent the theft of users’ accounts: all those kinds of protection.
But sometimes they do too much and you’re locked out of your own website without the possibility to get back in.
Here are a few solutions to get your website back in your hands:
First, let’s talk about SecuPress. If you are locked out because you tried to log in too many times, or you misspelled your username, your IP will be banned and you’ll see this screen:
A form will allow you to unlock yourself if you are an administrator; you can ask for it.
- Find the path to the plugins, usually in
- Rename the bad folder, maybe add “.old” to it,
- Get back in your admin area, plugins page.
You should now get a notification mentioning that the plugin has been deactivated.
It’s also possible that one of these security plugins modified the .htaccess file to lock you out upstream. If you’re using an Apache environment, you’ll find this .htaccess file at your website root; otherwise, check the next point.
This file can contain a line forbidding any visit from some IPs. If you’re still locked out:
- Do a backup of this file!
- Find in this file something like:
deny from 127.0.0.1 (replace this IP by yours),
- Remove this line and save the file,
- Get back in your site, you should get access.
Your IP can be found in 1 click on whatismyip.com.
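The backup-then-edit steps above can be scripted. This is an added example, not SecuPress code: the function names are hypothetical, it assumes the "deny from" syntax shown above, and it comments a rule out instead of deleting it so the change stays visible. It matches the address as a whole token, so 203.0.113.7 does not also hit 203.0.113.70.

```shell
#!/bin/sh
# Added example: find or neutralise "deny from <ip>" rules for one address.
# Usage: htaccess_find_deny FILE IP ; htaccess_unblock FILE IP

# Print the line numbers of active "deny from" rules naming exactly IP.
htaccess_find_deny() {
    awk -v ip="$2" '
        tolower($1) == "deny" && tolower($2) == "from" {
            # "" forces a string comparison on each host token
            for (i = 3; i <= NF; i++)
                if (($i "") == (ip "")) { print NR; break }
        }' "$1"
}

# Copy FILE to FILE.bak, then drop IP from every matching rule.
# A rule left with no other host is commented out, not deleted.
htaccess_unblock() {
    file=$1 ip=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    awk -v ip="$ip" '
        tolower($1) == "deny" && tolower($2) == "from" {
            kept = ""; hit = 0
            for (i = 3; i <= NF; i++) {
                if (($i "") == (ip "")) hit = 1
                else kept = kept " " $i
            }
            if (hit && kept == "") { print "# " $0; next }
            if (hit) { print $1 " " $2 kept; next }
        }
        { print }' "$file.bak" > "$file"
}
```

Run htaccess_find_deny first to see which lines would change; the untouched original stays next to the file as .htaccess.bak.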
Still locked? Ok, let’s find out. It’s also possible for a deactivated plugin to work through generated mu-plugins (Must Use Plugins).
This mu-plugin will load the full plugin or read a list of IPs to ban from the database, and you’re still locked out.
Go back to your FTP software; you can deactivate the mu-plugins from there.
- Find the mu-plugins path, usually
- If you don’t have one, you’re done here, go to the next point.
- Rename the mu-plugins folder, or just rename the file if you know which one it is, maybe adding “.old”,
- Get back in your admin area, you should have access.
Still locked?? Well, it’s a hard one! But we still have resources. It’s also possible to load PHP content without WordPress.
Still in the FTP you can find a .user.ini file containing some PHP configuration.
If you don’t have one, skip this step; otherwise:
- Backup this file!
- Edit this file and find
- Delete this line and save the file.
- Get back in your admin area, you should get access.
Wordfence is using this system with the filename wordfence-waf.php; you can also delete it if you already edited the previous file, or empty it!
At first we talked about the way to rename a plugin folder; now you have to give it its real name back.
This will allow us to reactivate the plugin, but … it can still block us for some reasons:
- Why did it block us at first? We have to find the reason, to avoid being locked out again in a loop, by reading this post again,
- Our IP could have been added to the database, and on reactivation the plugin will read that data again and lock us out.
We have to find our IP in the database without knowing where to look.
Then, find the database prefix in the wp-config.php file at your installation root. Example:
Once in your database manager:
- Open the wp_options table (with the correct prefix),
- Search option_value for your IP address with a LIKE %…%. Better with a pic:
- Copy this entry before deletion.
- Delete this entry.
iThemes creates a table named wp_itsec_lockouts (with your prefix) that contains all the locks; you can find your IP in lockout_host, so you can delete this entry!
Last possible case. There is no lock from a plugin, your IP is not blacklisted, you are the lock, your memory has failed on this password, impossible to get it back from a “lost password?” link (mail server down, old email address…).
If you have the FTP access you have the possibility to connect to any admin account without having to know its password! You can also create a new admin account.
Use our free script SecuPress Backdoor User: rename the PHP file, upload it to your installation, and access it from a browser; you will find this screen:
I hope you’re now logged in, you can continue to work!