Back to Community
Home / Community / PluginWordfence security

How to Regain Access to Your WordPress Site When Locked Out by Wordfence

34 threads Sep 7, 2025 PluginWordfence security

Content

Getting locked out of your WordPress admin dashboard is a common and frustrating experience, especially when it's your own security plugin preventing access. Based on community reports, this often happens due to Two-Factor Authentication (2FA) issues, forgotten recovery codes, or the firewall's Brute Force Protection feature. This guide will walk you through the most effective methods to regain control of your site.

Why Am I Locked Out?

Lockouts typically occur for a few key reasons:

  • Two-Factor Authentication (2FA) Problems: Losing access to your authenticator app (e.g., Google Authenticator) or its generated codes is a frequent cause. This can happen if you get a new phone, delete the app, or the codes simply stop syncing.
  • Brute Force Protection: The Wordfence Security firewall may temporarily limit access after multiple failed login attempts, even if they were your own. This can sometimes block legitimate administrators.
  • reCAPTCHA Conflicts: Enabling reCAPTCHA, especially on a custom login page (from a theme, membership plugin, or page builder), can cause expiration errors and prevent successful logins.
  • Plugin or Theme Conflicts: A recent update to another plugin or your theme can interfere with Wordfence's login security features, causing unexpected behavior.

How to Regain Access: Step-by-Step Solutions

Method 1: The Universal Fix – Rename the Plugin Folder (FTP/SFTP)

This is the most reliable method to bypass Wordfence entirely and is recommended if you cannot log in at all. It deactivates the plugin without deleting any of its settings.

  1. Access your website's files using an FTP/SFTP client (like FileZilla) or the file manager in your web hosting control panel (e.g., cPanel).
  2. Navigate to the /wp-content/plugins/ directory.
  3. Find the folder named wordfence.
  4. Rename this folder to wordfence.bak or wordfence_bak.
  5. Now, try to access your WordPress login page (yoursite.com/wp-admin). You should be able to log in without any 2FA or firewall restrictions.
  6. After successfully logging in, you can rename the folder back to wordfence to reactivate the plugin. You will then need to troubleshoot the specific issue that caused the lockout (see below).

Method 2: If You're Receiving a "Blocked" Message

If you see a message like "Your access to this site has been temporarily limited," you can often use the built-in unlock email feature.

  1. On the blocking page, enter your administrator email address and click the button to send an unlock email.
  2. Important: This only works if the email is associated with a valid administrator account on the site.
  3. Check your inbox for the unlock email and follow the instructions. If you do not receive the email, check your spam folder or proceed to Method 1.

After You Regain Access: Troubleshooting the Root Cause

Simply reactivating Wordfence will likely cause the problem to return. Once you're back in your dashboard, follow these steps to fix the underlying issue.

For 2FA Issues:

  • Go to WordPress Admin > Users > Your Profile.
  • In the Wordfence Login Security section, deactivate and then reactivate 2FA for your account.
  • Crucially: When you set it up again, make sure to download and safely store your new recovery codes. These are your lifeline if you lose your authenticator app again.

For reCAPTCHA or Login Problems:

  • Ensure you are using the default WordPress login page (yoursite.com/wp-login.php). The Wordfence Security team states that their 2FA and reCAPTCHA are designed for default WordPress and WooCommerce login pages only. Custom login pages from themes or other plugins are a common source of conflict.
  • If you use WooCommerce, go to Wordfence > Login Security > Settings and ensure "WooCommerce integration" is enabled.
  • Temporarily disable reCAPTCHA in Wordfence > Login Security > Settings to see if that resolves the immediate problem.

For Firewall (Brute Force) Lockouts:

  • Go to Wordfence > Blocking to see if your IP address is listed. If it is, you can remove the block manually.
  • Review your settings in Wordfence > All Options > Brute Force Protection. You may want to adjust the lockout time or the number of failed attempts allowed, especially on development sites.

When to Suspect a Conflict

If the problem started after updating a plugin, theme, or WordPress itself, a conflict is likely. To test this:

  1. Switch to a default WordPress theme (like Twenty Twenty-Four).
  2. Disable all other plugins except Wordfence.
  3. Try to log out and log back in. If it works, reactivate your plugins and theme one by one, testing after each, to identify the culprit.

By following these steps, you can quickly resolve most lockout scenarios and configure Wordfence Security to protect your site without accidentally locking yourself out.

Related Support Threads Support