First I’m going to talk about how you could accidentally get locked out of your blog, then how to remove that lockout, and finally how to avoid it in the future.
How do you get locked out of your blog?
There are two main reasons you could get locked out of your blog due to iThemes Security:
- You have set iThemes Security to lock out users who cause too many 404 errors. If you have 404 errors on your blog (in the form of a missing file, etc.) you could accidentally lock yourself out just through normal browsing!
- You have set iThemes Security to lock out a username after too many failed login attempts. If someone attempts to log in with your username and fails too many times, your username could be locked out, which could prevent you from logging in even if you have the right password.
Deleting the lockout from your database
In order to manually remove a lockout, you have to remove the entry from your WordPress database. This is dangerous! Your database is where all your posts, comments, pages, and other data are stored. You have to be extremely careful when poking around.
To access your database, you have to log in to phpMyAdmin. The process for doing this is different for every web host, but usually you log in to your web host control panel and look for phpMyAdmin, Database, or MySQL. Ultimately, you need to end up in phpMyAdmin (often that means clicking “MySql”, then clicking something like “Login to phpMyAdmin”). If you can’t find it, contact your host and ask how to log in to phpMyAdmin.
After logging in, you’ll see a list on the left with your database names. Most people will probably only have one entry. If you have more than one, you have to figure out which one is your WordPress installation.
Click the plus (+) sign on the left to expand the database. Then find the table named xx_itsec_lockouts. The “xx” could be anything because you can set a custom prefix on WordPress (the default is wp_, but again, yours could be any letters). Click that table name.
This will bring up a list of all the entries in this table. It will basically be a list of all the past lockouts. You have to find yours and delete it.
IP lockout
If your IP address was locked out (likely because of too many 404 errors), you have to find your IP address. In a new tab, go to whatismyip.com. The site will say Your IP: followed by some numbers. Copy those numbers. Then return to phpMyAdmin and click “Search” at the top. Find the lockout_host field and paste your IP address into the “value” box next to it. Then click Go at the bottom. This will show you all the lockouts for your IP address. Delete them to remove the lockout.
Username lockout
If your login name has been locked out, you have to find the lockout corresponding to your username. Click the “Search” button at the top of the page. Then find the lockout_user field and paste your user ID number in the box next to it. This is not your username; it’s your user ID number (so an integer). By default that’s usually 1.
Then, click Go in the bottom right. This will show you all the lockouts for your username. Delete them to remove the lockout.
You should now regain access to your blog!
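The same search-and-delete steps can also be run from the SQL tab in phpMyAdmin. This is an added example, not part of the original post: it assumes the default wp_ prefix, uses a constructed placeholder IP address (203.0.113.10) and login name, and wp_itsec_lockouts_backup is a hypothetical name for a safety copy of the table.

```sql
-- Added example. Assumes the default wp_ table prefix; replace it with yours.
-- 203.0.113.10 and 'your-username' are constructed placeholders, and
-- wp_itsec_lockouts_backup is a hypothetical name for the safety copy.

-- 1. Keep a copy of the lockout table before changing anything.
CREATE TABLE wp_itsec_lockouts_backup AS
SELECT * FROM wp_itsec_lockouts;

-- 2. Look up your user ID. lockout_user stores the ID, not the login name.
--    wp_users is the core WordPress users table.
SELECT ID, user_login
FROM wp_users
WHERE user_login = 'your-username';

-- 3. Preview exactly which rows the deletes below will match.
SELECT *
FROM wp_itsec_lockouts
WHERE lockout_host = '203.0.113.10'
   OR lockout_user = 1;              -- 1 = the ID returned by step 2

-- 4a. Remove the IP lockouts. Never run DELETE here without a WHERE clause.
DELETE FROM wp_itsec_lockouts
WHERE lockout_host = '203.0.113.10';

-- 4b. Remove the username lockouts.
DELETE FROM wp_itsec_lockouts
WHERE lockout_user = 1;

-- 5. Confirm nothing is left for your IP or user ID; this should return 0.
SELECT COUNT(*) AS remaining
FROM wp_itsec_lockouts
WHERE lockout_host = '203.0.113.10'
   OR lockout_user = 1;

-- 6. Once you can log in again, remove the safety copy.
-- DROP TABLE wp_itsec_lockouts_backup;
```

If step 3 returns rows you do not recognise, leave them in place; they are lockouts for other visitors.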
How to ensure it doesn’t happen again
Preventing 404 errors
If you got locked out due to 404 errors, the easiest fix is just to turn off that setting in iThemes Security. But if you only do this, you’re not fixing the root problem.
A 404 error doesn’t just mean going to a page on your blog that doesn’t exist. It could also mean your blog is pointing to a file (like an image) that is broken or doesn’t exist.
To see if your blog has 404 errors, visit it in Google Chrome. Then, right click anywhere on the page and click “Inspect Element”. Then, switch to the “Console” tab. If you have any 404 errors, they will show up like this in red:
Or, if you have the Linky Followers widget on your blog, every single page will show this:
That’s right, the Linky Followers widget triggers four un-fixable 404 errors on every single page load. Having that widget is the fastest way to get locked out of your own blog.
Step 1: Find out what the 404 errors are
The developer tools window will show you exactly what errors are triggering. Find those files.
Step 2: Fix/remove the broken files
Fix the broken images or remove them altogether. Get rid of those 404s! Or if you’re using the Linky widget, I suggest removing it altogether.
Fixing username lockouts
Your WordPress username should be like a password: secret. Your only options here are:
- Turn off the “lock out usernames” feature in iThemes Security.
- Change your username.
I personally recommend that you change your username. If those hackers know your username, they’re already halfway to getting into your account. Changing your username is easy. Simply create a new administrator account, then delete your old one. When you delete your old one, you’ll be given the option to reassign those posts to a different user (the new one).
I printed this one off. I haven’t been locked out and would probably contact you if I were, but the 404 error information is very useful and good to know. I keep a little book with notes so that I don’t have to hunt down all the posts when I need them. 😉
That’s definitely something I’d be able to fix for you if it ever happened. 🙂
OMG this happened to a friend of mine this weekend and we spent forever trying to get her in. I was super proud of myself because I got into phpMyAdmin and reset her password and everything. We got back in, but only for like a minute before she was locked out again. Thankfully her host was able to fix things – but man, if only this post had been a week earlier lol! However, I haven’t been locked out of my blog yet, so I’m going to go do what you suggest with iThemes before it does happen! Great post Ashley.
Thank you, Ashley!! This is such a frustrating issue. It happened to me 3 times in the last few weeks. This last time I did contact the host and he was able to fix it for me. He said he deleted the plugin that was causing that, and suggested I replace it with “limit login attempts”, as it will not lock me out, just the person that’s trying to get in. Would you recommend the same thing?
It depends.
iThemes Security has a lot more security features than just locking people out for log out attempts. If you use those features, then you shouldn’t switch to Limit Login Attempts because locking people out is ALL that plugin does. So you’d lose the extra features from iThemes Security.
But if you don’t use the other features, then you could switch if you want.
However, you could just disable the username lockouts in iThemes Security by going to Security > Settings and find the “Brute Force Protection” section. Then set “Max Login Attempts Per User” to 0 to disable locking out usernames.
The downside to doing this is that if you disable username lockouts, then it only locks people out by IP addresses. However, most ‘serious’ hackers use proxies and varying IP addresses. So if their IP gets locked out, they just switch to a new IP address and keep trying.
But if the username gets locked out then they can’t keep trying at all, even if their IP changes.
Thanks, Ashley! This stuff is always so confusing to me. I’m thinking maybe I should go with iThemes Security and just turn off the feature like you said. I’m just so worried I’ll have another problem and not know how to fix it. I don’t understand hacking anyway… why would someone want to get into my blog? It’s not like I have financial information contained within or anything. I’m clueless. lol!
“Some people just like to watch the world burn.” — Sadly!
But also, a lot of people like to hack into your site so they can inject their advertisements into your blog and leech off your traffic.
This is so perfect, because I woke up and was locked out of my blog. *grumble*
Thanks so much!
My pleasure!
I’m thinking I need to look into this and install some security. Right now I don’t have anything in place but it also hasn’t been something I’ve had to deal with before. I’ll need to bookmark this in case I need it in the future. Thanks Ashley!
You should definitely look into it! If not iThemes Security then at least Limit Login Attempts. You almost certainly do have people trying to brute force their way into your blog, you just haven’t realized. It’s always important to have something in place to lock people out after too many failed attempts. Otherwise, they can just sit there all day and keep trying passwords until they eventually get it right.
Do you recommend iThemes Security or another plugin?
I’d suggest either iThemes Security or Limit Login Attempts. Limit Login Attempts is MUCH simpler. So if you install iThemes Security and get confused or don’t want to use a ton of the features, then you can use Limit Login Attempts instead. But some people do like to use a lot of the features in iThemes Security.
I definitely need to do this, though I’m afraid to go into the database. Even though the security plugin lets you list IPs that are on the safe list, it STILL locks them out. My co-blogger and I get locked out every time we do any major updates. So annoying.
Is your IP definitely static? A lot of people have dynamic IPs, which means they change often.
Well, I think so. It emails me the IP of the user that got locked out, and it is always the same as the one I have already safelisted.
Well that’s silly!
I got locked out several times. In the end, I got fed up and deactivated the plugin.
You need to have some sort of brute force protection, be it iThemes Security (and follow my instructions to prevent lockouts from happening to you) or Limit Login Attempts.
Will do! Thanks, Ashley 😀
This post was SUCH a life saver! I was locked out today and I was so lost! Thanks so much for all the help you provide! 🙂
I’m so glad this was helpful! 😀
Thank you so much for this!! I haven’t installed the plugin yet (because I read the 1-star reviews), but I am about to follow your directions. What do you think about disabling usernames and then installing Login LockDown to prevent Brute Force attacks?
What do you mean by “disabling usernames”?
Login Lockdown is a good plugin. iThemes Security has more features than just brute force protection, so it ultimately comes down to whether you want to use those extra features or not. If not, just stick with Login Lockdown. But if you’re looking for more than just brute force protection then iThemes Security has more to offer.
I was talking about installing iThemes Security, turning off the “lock out usernames” feature, and then using Login LockDown for protection against Brute Force attacks. This way, I get to use all of the other features of iThemes without having to worry about getting locked out of my account.
That’s fine.
Thanks! I used this and got myself out of it, however my username is “admin”, which is the most common one being locked. Any way to get myself out of it? As it seems that I can’t remove this username as mentioned in your post?
All you have to do is create a new admin user, then login to that new account and delete the “admin” user. When you delete the user, you’ll be asked where you want to assign that user’s posts. Just select your new account and all the posts will be assigned to the new admin user.
Hi again,
The thing is, I’m not being locked out, I’m just getting this message every 30 mins or so:
Dear Site Admin,
A user, millsverse, has been locked out of the WordPress site at http://www.millsverse.com due to too many bad login attempts.
The user has been locked out until 2016-11-09 09:58:42.
I followed your instructions and my IP wasn’t in the table – because I haven’t been locked out, I suppose. So why are these messages happening? I’m with Siteground, and they have admin access. Could it be them causing the problem? But they shouldn’t be logging in without a reason…
The username (not IP) is being locked out because someone else is trying to login with that username, and it sounds like your settings are configured to lock out usernames. You probably want to change that.
Thank you so much, a very clear issue description and solutions that are both explained very well. Thank you!
Hello Ashley,
Thank you so much for writing this post. Finally, I got my website back. 🙂 It’s kind of a weird issue because the site’s owner is being blocked. It’s been really sad to me. Once I thought my site had been hacked. I Googled the issues, and came across this site and applied the same tips you advised and finally I got it.
Thanks again, Ashley for this post. You’re just awesome! <3
Best Regards
~Shakir
Hi Ashley,
I got locked out and can’t even access the dashboard of the website. They sent me a notification like every hour: “You have been locked out due to too many invalid login attempts.” I am using wordpress.com, not even hosting. What should I do now? I am terrified Ashley.
Trang
Blimey! You’re good!
This is coming up in the top search results. There could be others who need a solution for this. Instead of going into the database, just rename the better-wordpress-security folder in your wp-content/plugins folder. Log in again with your username and password in WordPress admin.
Go to Plugins and activate the iThemes Security plugin.
The reason your username got blocked from logging into the WordPress admin was that someone was trying to use brute force to log in to the backend – using your username. So, iThemes Security blocked that username.
To avoid this, do the following:
Create a new user with administrator rights – something unique and other than the word admin with a strong password.
You shouldn’t be blocked ever again.
Thanks!
Great, yes my problem sorted out. Thank you, Ashley, for your blog.
I love your words “I like to inject a little #girlpower”. Actually, it’s needed not only in the WordPress community but everywhere.