iThemes Security locked out a user – how to login to WordPress admin when user is banned (SOLVED)
July 11, 2022
iThemes Security is a plugin for WordPress that makes it difficult for hackers to attack the site and collect information.
Among other features, iThemes Security has protection against brute-form paths (search for “hidden” folders and files), as well as protection against hacking user credentials by brute force passwords.
Once set up, the iThemes Security plugin usually works fine and doesn't require much attention. But sometimes there may be a problem with blocking your user, because someone tried to guess the password to your account.
The situation may arise in the following scenario:
1. You have activated the function of protecting accounts from brute-force passwords
2. The attacker repeatedly tried to guess the password from your account
3. As a result, the account was blocked
4. When you try to enter your username and password from your account to get into the WordPress administration panel, you get a message that it is blocked (banned):
YOU HAVE BEEN LOCKED OUT. You have been locked out
You don't have to wait until the account is unlocked.
If you have access to the file system, then you can immediately log into the WordPress admin panel.
I don't know how to bypass the iThemes Security lock, instead the plan of action is the following:
1. Disable iThemes Security
2. Login to the WordPress admin area
3. Enable iThemes Security
To disable any WordPress plugin, simply remove the plugin folder. And it is not necessary to delete it – just rename it.
Open the file manager of your sites and find the following path there: SITE/wp-content/plugins/
If you are using the command line, then the path to the plugin is: SITE/wp-content/plugins/better-wp-security
Find the better-wp-security folder and rename it to something like “-better-wp-security”.
Right after that, you can log into the WordPress admin panel.
Once you are logged into the WordPress admin panel, you can reactivate the iThemes Security plugin. To do this, rename the “-better-wp-security” folder to “better-wp-security”.
All is ready! No additional iThemes Security configuration is required.
Checking the logs showed that the attack (brute-force user credentials) was carried out through the xmlrpc.php file.
The xmlrpc.php file provides features that most webmasters don't use but are actively exploited by hackers. For this reason, you can safely block access to the xmlrpc.php file. If you do not know what this file is for, then most likely you do not use it, and you can block access to it without consequences for you.
You can disable XML-RPC with an .htaccess file or a plugin.
.htaccess is a configuration file that you can create and modify.
Just paste the following code into your .htaccess file at the root of your WordPress site (the solution uses mod_rewrite):
# Block requests for WordPress xmlrpc.php file RewriteRule ^xmlrpc\.php - [NC,F]
Your server must support .htaccess and mod_rewrite files – most hosts can do this.
- How to prevent Tor users from viewing or commenting on a WordPress site (100%)
- Redirect to HTTPS not working in WordPress (80.6%)
- How to block by Referer, User Agent, URL, query string, IP and their combinations in mod_rewrite (70%)
- How to protect my website from bots (70%)
- How to block access to my site from a specific bux site or any other site with negative traffic (70%)
- How to change the language of Google services (RANDOM - 50%)