Resolving Common Lockout Issues with Limit Login Attempts Reloaded
Content
Getting locked out of your own WordPress site by a security plugin is a frustrating and common experience. Based on community discussions, the 'Limit Login Attempts Reloaded' plugin is highly effective, but users frequently encounter lockout scenarios. This guide explains why these lockouts happen and provides the most reliable solutions to regain access and configure the plugin correctly.
Why You Might Be Getting Locked Out
Lockouts typically occur for a few key reasons:
- IP Address Blocking: The plugin primarily blocks IP addresses, not just usernames. If one user from an IP is locked out, all users from that same IP will also be blocked (Thread 4, Thread 23).
- Incorrect IP Detection: This is one of the most common causes. If your site uses a reverse proxy (like Cloudflare, Sucuri, GoDaddy, or Azure hosting), the plugin might be detecting your server's internal IP instead of your real public IP, causing it to block the wrong address (Thread 11, Thread 16, Thread 22).
- Browser Behavior: Having multiple browser tabs open on the login page can sometimes trigger multiple simultaneous login checks, which the plugin may interpret as rapid failed attempts (Thread 6).
- Existing Lockouts: If you were locked out under an old setting (e.g., 3 attempts), changing the setting to a higher number (e.g., 6 attempts) will not automatically clear the existing lockout. The old lockout timer must still expire or be manually cleared (Thread 14).
How to Regain Access Immediately
If you are completely locked out and cannot access your WordPress admin dashboard, try these methods:
Method 1: Rename the Plugin Folder via FTP/SFTP
This is the most reliable method to completely disable the plugin.
- Connect to your site's server using an FTP or SFTP client (like FileZilla).
- Navigate to the
/wp-content/plugins/directory. - Find the folder named
limit-login-attempts-reloaded. - Rename this folder to something else, like
limit-login-attempts-reloaded_old. - This will deactivate the plugin. You should now be able to log in normally.
Method 2: Change Your IP Address
Since the block is often IP-based, accessing your site from a different network can work.
- Try logging in from your phone using its mobile data connection (not Wi-Fi).
- Restart your home router. This may assign you a new public IP address from your Internet Service Provider.
- Use a VPN service to connect from a different IP address.
Once you log in from a new IP, you can navigate to the plugin's Logs tab and remove the lockout on your original IP address.
Method 3: Reset Your Password
In some cases, using the "Lost your password?" link on the login page to reset your password can also clear the lockout and allow you to log in (Thread 9).
Preventing Future Lockouts: Configuration and Troubleshooting
Once you have regained access, use these tips to configure the plugin and prevent the issue from happening again.
1. Check Your IP Detection (The Debug Tab)
Misconfigured IP detection is a primary source of problems. The 'Limit Login Attempts Reloaded' team provides a crucial tool for this.
- In your WordPress admin, go to Settings > Limit Login Attempts.
- Click on the Debug tab.
- This tab shows you how the plugin sees your IP address and the IP addresses reported by various server variables.
- The correct IP should be your public, visible IP address. If the
REMOTE_ADDRvalue shows an internal IP (like 10.0.0.1 or 172.x.x.x) and your real IP is listed under another variable likeHTTP_X_FORWARDED_FOR, your server is behind a proxy (Thread 11, Thread 16). - If you are using a service like Cloudflare or Sucuri, or are on hosting like GoDaddy or Azure, you likely need to apply a fix for your server configuration. Contact your hosting provider's support and ask them to "ensure the correct client IP is being passed to WordPress when using a reverse proxy."
2. Use the Safelist Correctly
Adding your IP address to the safelist prevents you from being locked out. However, you must ensure the plugin is detecting your IP correctly first (see the Debug tab).
- To add your IP, go to the plugin's Settings tab.
- Find the "Safelist" field and enter your IP address.
- Click "Save Changes".
- Important: Also check the Logs tab to ensure your IP is not currently on the lockout list. If it is, you must remove it from there as well (Thread 17).
3. Understand Lockout Behavior
- Lockouts are IP-based. If you share a public IP with other users (e.g., in an office), a lockout for one person will affect everyone (Thread 4, Thread 23).
- You can manually remove lockouts for yourself or customers from the Logs tab in the plugin's settings (Thread 15).
- Changing lockout settings (e.g., from 3 to 6 attempts) does not affect active lockouts created under the old rules. You must clear them manually.
When All Else Fails
If you continue to experience persistent, unexplained lockouts even after checking your IP configuration, it may be due to a deeply complex server or caching setup. In these rare cases, seeking help from your hosting provider's support team to diagnose the server's IP passthrough configuration is the recommended next step.
Related Support Threads Support
-
I always get locked out!https://wordpress.org/support/topic/i-always-get-locked-out/
-
All users blocked if one is blocked ?https://wordpress.org/support/topic/all-users-blocked-if-one-is-blocked/
-
All users account locked from same IP addresshttps://wordpress.org/support/topic/all-users-account-locked-from-same-ip-address/
-
Blocked by accident.https://wordpress.org/support/topic/blocked-by-accident/
-
Plugin Blocking All Logins – Even New Oneshttps://wordpress.org/support/topic/plugin-blocking-all-logins-even-new-ones/
-
LOCKED EVERYWHEREhttps://wordpress.org/support/topic/locked-everywhere/
-
How can I unblock someone manually?https://wordpress.org/support/topic/how-can-i-unblock-someone-manually/
-
Blocked without name or passwordhttps://wordpress.org/support/topic/blocked-without-name-or-password/
-
Users being blocked but not added to listhttps://wordpress.org/support/topic/users-being-blocked-but-not-added-to-list/
-
Can not unblock customer IPhttps://wordpress.org/support/topic/can-not-unblock-customer-ip/
-
I’m using a Sucuri firewall, how do I tell the plugin?https://wordpress.org/support/topic/im-using-a-sucuri-firewall-how-do-i-tell-the-plugin/
-
Still can’t login after plugin deletedhttps://wordpress.org/support/topic/still-cant-login-after-plugin-deleted/
-
Lockout Time Limit?https://wordpress.org/support/topic/lockout-time-limit/
-
Incase gets lock outhttps://wordpress.org/support/topic/incase-gets-lock-out/
-
Blocked from own account using multiple browser tabshttps://wordpress.org/support/topic/blocked-from-own-account-using-multiple-browser-tabs/
-
admin lockout every day on Azure VMhttps://wordpress.org/support/topic/admin-lockout-every-day-on-azure-vm/
-
The Plug-in is blocking all admin functionhttps://wordpress.org/support/topic/the-plug-in-is-blocking-all-admin-function/
-
Blocking failed logins after multiple timeshttps://wordpress.org/support/topic/blocking-failed-logins-after-multiple-times/
-
Plugin Blocks All Users on First Login Attempthttps://wordpress.org/support/topic/plugin-blocks-all-users-on-first-login-attempt/
-
Locked my selve outhttps://wordpress.org/support/topic/locked-my-selve-out/
-
site owner locked outhttps://wordpress.org/support/topic/site-owner-locked-out/
-
Locked out of sitehttps://wordpress.org/support/topic/locked-out-of-site-32/
-
Regularly Locked Out Myselfhttps://wordpress.org/support/topic/regularly-locked-out-myself/
-
IP address whitelist does not workhttps://wordpress.org/support/topic/ip-address-whitelist-does-not-work/
-
Website doesnt exist post lock outhttps://wordpress.org/support/topic/website-doesnt-exist-post-lock-out/
-
Admin Locked outhttps://wordpress.org/support/topic/admin-locked-out-8/
-
Blocked On First Login Using Correct Credentialshttps://wordpress.org/support/topic/blocked-on-first-login-using-correct-credentials/
-
User permanently blockedhttps://wordpress.org/support/topic/user-permanently-blocked/