Locked Out of Your Own Site by Brute Force Protection
If you enter your password incorrectly too many times, the brute force protection will lock out your IP address. Here is how to recover quickly.
Option 1: Wait It Out
The default lockout duration is 20 minutes. If you have no server access and are not in a hurry, simply wait out the lockout period. After 20 minutes you can attempt to log in again.
Option 2: Clear the Lockout Transient via WP-CLI
# First, find your current public IP address (visit whatismyip.com)
# Then clear your lockout transient:
wp eval 'delete_transient("wp1cl_lockout_" . md5("YOUR.IP.ADDRESS.HERE"));'Option 3: Delete All Login Transients via phpMyAdmin
- Open phpMyAdmin and select your WordPress database.
- Open the wp_options table.
- Search for option_name LIKE "%wp1cl_lockout%".
- Delete all matching rows.
- You can now attempt to log in immediately.
Option 4: Disable Brute Force Protection Temporarily
If you have database access but cannot log in, uncheck "limit_login_attempts" in your wp1cl_options row in phpMyAdmin and save. This disables the brute force protection until you can log in and re-enable it.
Preventing This in Future
- Use a password manager so you never mistype your password.
- Whitelist your home or office IP address in your hosting firewall so lockouts do not affect you.
- Set the lockout duration to 5 minutes rather than 20 during initial setup, then increase it once you are confident.
- Consider enabling the "Email admin on lockout" setting so you are immediately notified if anyone (including yourself) gets locked out.
If you work from multiple locations or on mobile data (which changes IP frequently), raise the Max attempts threshold to 8 or 10 to give yourself more margin for typing errors.
Was this article helpful?
Need more help? Contact our support team →