Resolving Lockouts and Redirects After Installing or Updating All-In-One Security (AIOS)

One of the most common and frustrating issues users encounter with the All-In-One Security (AIOS) plugin is being unexpectedly locked out of their WordPress admin dashboard. This often manifests as a redirect to 127.0.0.1, a "Not available" message, a 403 error, or an "Incorrect CAPTCHA" loop. This guide will explain why this happens and provide the most effective solutions to regain access to your site.

Why Does This Happen?

The AIOS plugin is designed to protect your site by implementing powerful security features. However, if these features are configured and then the plugin is deactivated, updated, or reinstalled without a proper reset, their protective rules can remain active. When you reactivate the plugin, it reads these old settings and immediately enforces them, often blocking your access. The most common culprits are:

  • Cookie-Based Brute Force Prevention: This feature hides your login page. If enabled and then forgotten, you will be redirected to 127.0.0.1 when trying to access wp-login.php.
  • Login Whitelist: If you enabled this to only allow specific IPs to access the login page, your current IP might not be on the list.
  • Renamed Login Page: If you renamed your login page (e.g., to my-secret-login) and then deactivated the plugin, you will need to use that custom URL to log back in.
  • CAPTCHA Settings: A misconfigured or cached CAPTCHA can prevent logins even with correct credentials.

How to Regain Access and Fix the Problem

Method 1: Disable Security Features via wp-config.php (Most Common Solution)

This is the fastest way to stop AIOS from enforcing the problematic settings. You will need access to your site's files via FTP, SFTP, or your hosting provider's file manager.

  1. Locate your WordPress installation's root directory and find the wp-config.php file.
  2. Edit the file and add one of the following lines of code just before the line that says /* That's all, stop editing! Happy publishing. */.

    For 127.0.0.1 redirects:
    define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);
    For "Not available" or IP whitelist issues:
    define('AIOS_DISABLE_LOGIN_WHITELIST', true);
    For login lockout messages:
    define('AIOS_DISABLE_LOGIN_LOCKOUT', true);
  3. Save the file and upload it back to the server if necessary.
  4. You should now be able to access your WordPress admin dashboard using the standard wp-login.php URL.
  5. Once logged in, go to the AIOS settings to reconfigure or disable the specific feature causing the issue. Remember to remove the line of code you added to wp-config.php afterwards, as leaving these constants defined disables important security functions.

Method 2: Perform a Complete Plugin Reset

If the above doesn't work or you want to start from a completely clean slate, you need to remove all traces of the plugin. Simply deactivating and deleting it from the WordPress plugins menu is often not enough.

  1. Delete the plugin folder via FTP/SFTP: Navigate to /wp-content/plugins/ and delete the all-in-one-wp-security-and-firewall folder.
  2. Remove the Must-Use Plugin (if it exists): Navigate to /wp-content/mu-plugins/ and delete the file aios-firewall-loader.php.
  3. Clean your database: Using a tool like phpMyAdmin, run a SQL query to delete all AIOS options and tables.
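    • Delete options: DELETE FROM wp_options WHERE option_name LIKE '%aio%' OR option_name LIKE '%aiowps%'; (Replace wp_ with your database prefix if different.) The '%aio%' pattern matches every option whose name contains "aio", including options that belong to other plugins, so run the same condition as a SELECT first and check the rows it returns.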
    • Drop tables: DROP TABLE wp_aiowps_events, wp_aiowps_failed_logins, wp_aiowps_global_meta, wp_aiowps_login_lockdown, wp_aiowps_permanent_block, wp_aiowps_login_activity;
  4. Clean your .htaccess file: Edit the .htaccess file in your root directory and remove any code between the # BEGIN All In One WP Security and # END All In One WP Security comments.

After completing these steps, you can safely reinstall the AIOS plugin fresh from the WordPress repository.
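
A read-only check for both methods, added here as an example (it is not part of the AIOS plugin or of the original guide): it lists AIOS_DISABLE_* constants still active in wp-config.php after Method 1, and the files and .htaccess block that survive a Method 2 reset. The function names and the sample wp-config.php are constructed for illustration; the database step is not covered.

```python
import re
import sys
from pathlib import Path

# Paths and marker as named in Method 2 of this guide.
PLUGIN_DIR = "wp-content/plugins/all-in-one-wp-security-and-firewall"
MU_LOADER = "wp-content/mu-plugins/aios-firewall-loader.php"
HT_BEGIN = "# BEGIN All In One WP Security"

# An active define('AIOS_DISABLE_...') at the start of a line; lines commented
# out with // or # do not match. A define inside a multi-line /* */ block
# still matches, which errs toward flagging it for review.
DEFINE_RE = re.compile(
    r"""^[ \t]*(?i:define)\s*\(\s*['"](AIOS_DISABLE_[A-Z_]+)['"]""", re.MULTILINE)

# Constructed sample wp-config.php, not taken from a real site.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
// define('AIOS_DISABLE_LOGIN_LOCKOUT', true);
  define( "AIOS_DISABLE_LOGIN_WHITELIST", true );
/* That's all, stop editing! Happy publishing. */
"""


def active_disable_constants(config_text):
    """Method 1, step 5: AIOS_DISABLE_* constants still defined in wp-config.php."""
    return DEFINE_RE.findall(config_text)


def reset_residue(wp_root):
    """Method 2, steps 1, 2 and 4: AIOS files left behind after a manual reset."""
    root = Path(wp_root)
    found = []
    if (root / PLUGIN_DIR).is_dir():
        found.append(PLUGIN_DIR)
    if (root / MU_LOADER).is_file():
        found.append(MU_LOADER)
    ht = root / ".htaccess"
    if ht.is_file() and HT_BEGIN in ht.read_text(errors="replace"):
        found.append(".htaccess")
    return found


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None  # WordPress root, optional
    text = Path(root, "wp-config.php").read_text(errors="replace") if root else SAMPLE_CONFIG
    print("still defined:", active_disable_constants(text))
    if root:
        print("reset residue:", reset_residue(root))
```

Run it with the WordPress root directory as the only argument; with no argument it checks the constructed sample.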

Conclusion

Being locked out of your site can be alarming, but it's usually a solvable configuration conflict. The key is to use the wp-config.php constants to temporarily disable the security features preventing access. For a permanent fresh start, a complete manual removal of all plugin files and database entries is the most thorough approach. Always ensure you note down any custom settings, like a renamed login slug or secret word, before making changes.
