
Resolving the 403 Forbidden and 127.0.0.1 Redirect Lockout in AIOS Security


One of the most common and stressful issues users report with the All-In-One Security (AIOS) plugin is being suddenly locked out of their WordPress admin area. This typically manifests as an HTTP 403 Forbidden error or a redirect to 127.0.0.1 when trying to access wp-admin or wp-login.php.

This guide will explain why this happens and provide the most effective methods to regain access to your site.

Why Does This Lockout Happen?

The AIOS plugin is designed to harden your WordPress security. The lockout occurs when a powerful security feature is enabled but misconfigured or conflicts with another setting. The most common culprits are:

  • Login Whitelist: If this is enabled and your current IP address is not on the whitelist, you will be blocked with a 403 error.
  • Cookie-Based Brute Force Prevention: This feature adds a secret word to your login URL. If you forget the secret word or try to access the standard login page, you are redirected to 127.0.0.1.
  • Renamed Login Page: Forgetting the custom slug you set for your login page will prevent you from accessing it.
  • Firewall Rules: Certain advanced rules, like the Advanced Character Filter or 5G/6G Blacklist, can sometimes block legitimate traffic, especially on sites with non-ASCII characters in URLs (e.g., Arabic, Cyrillic).

How to Regain Access to Your WordPress Site

Follow these solutions in order. The first method is the quickest and most common fix.

Solution 1: Use a Configuration Constant (Quick Fix)

The fastest way to disable the security feature causing the lockout is to add a special constant to your site's wp-config.php file. You can do this via your hosting control panel's File Manager or FTP.

  1. Locate and edit the wp-config.php file in your WordPress root directory.
  2. Add one of the following lines of code above the line that says /* That's all, stop editing! Happy publishing. */.
    • For 403 Errors / IP Whitelist Issues:
      define( 'AIOS_DISABLE_LOGIN_WHITELIST', true );
    • For 127.0.0.1 Redirects:
      define( 'AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true );
    • To Disable the Entire Firewall:
      define( 'AIOS_NO_FIREWALL', true );
  3. Save the file and try to access your login page again. You should now be able to log in.
  4. Once logged in, remember to remove the constant from wp-config.php and properly reconfigure the problematic AIOS setting to avoid leaving a security hole.
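As an added illustration (not code from the AIOS plugin, its documentation, or this guide's original text), the following POSIX shell script performs step 2 and the clean-up in step 4 from the command line: it inserts one of the constants listed above directly before the "That's all, stop editing!" marker, refuses to insert it twice, keeps a backup, and removes the constant again once you are back in. The function names, the .aios-bak backup suffix and the add/remove command-line interface are this example's own choices; the constant names are the ones given in the list above.

```shell
#!/bin/sh
# Added example, not part of the AIOS project. Assumes a standard wp-config.php that
# still contains the "That's all, stop editing!" marker line.
# Usage: sh aios-constant.sh add|remove /path/to/wp-config.php AIOS_DISABLE_LOGIN_WHITELIST

# Exit 0 if the constant is already defined in the file, 1 otherwise.
aios_has_constant() {
    grep -q "define *( *'$2'" "$1"
}

# Insert define( 'NAME', true ); on the line before the marker, once, with a backup.
aios_add_constant() {
    cfg="$1"
    name="$2"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    grep -q "That's all, stop editing" "$cfg" || { echo "marker not found in $cfg" >&2; return 1; }

    # Idempotent: a second run must not add a duplicate define().
    if aios_has_constant "$cfg" "$name"; then
        return 0
    fi

    # Keep a copy so the edit can be reverted once access is regained.
    cp "$cfg" "$cfg.aios-bak"

    # Print the new line immediately before the first marker line, then everything as-is.
    awk -v line="define( '$name', true );" -v marker="That's all, stop editing" '
        index($0, marker) && !done { print line; done = 1 }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Remove every define() line for the constant (step 4: do not leave the override behind).
aios_remove_constant() {
    cfg="$1"
    name="$2"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    awk -v pat="'$name'" '
        index($0, "define") && index($0, pat) { next }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Command-line entry point; does nothing when the script is only sourced.
case "${1:-}" in
    add)    aios_add_constant "$2" "$3" ;;
    remove) aios_remove_constant "$2" "$3" ;;
esac
```

The marker match is deliberately the plain text of the comment rather than a regex, so the apostrophe in "That's" needs no escaping, and the insert is done with awk into a temporary file and then moved into place, so a failed write never leaves wp-config.php half-written.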

Solution 2: Rename the Plugin Folder (Nuclear Option)

If the constant method doesn't work, you can force the plugin to deactivate.

  1. Connect to your site via FTP or your hosting File Manager.
  2. Navigate to the /wp-content/plugins/ directory.
  3. Find the folder named all-in-one-wp-security-and-firewall.
  4. Rename this folder to something else, like all-in-one-wp-security-and-firewall-off.
  5. This will deactivate the plugin. You should now be able to access yoursite.com/wp-admin.
  6. After logging in, rename the folder back to its original name to reactivate the plugin. You will need to reconfigure its settings.

Solution 3: Fully Reset the Plugin (For Forgotten Settings)

If you've forgotten a renamed login slug or want to wipe all AIOS settings, you need to remove its data from your database and server after deactivating it (using Solution 2).

  1. Database: Using a tool like phpMyAdmin, run this SQL query to list the AIOS options:
    SELECT * FROM wp_options WHERE option_name LIKE '%aio%'
    (Note: Replace wp_ with your database prefix if it's different.) The pattern is broad, so review each matched row and carefully delete only the rows that belong to AIOS.
  2. .htaccess File: Edit your root .htaccess file. Find and remove all lines between and including # BEGIN All In One WP Security and # END All In One WP Security.
  3. Other Files: Check for and delete the file /wp-content/mu-plugins/aios-firewall-loader.php if it exists.
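As an added example (not part of the AIOS plugin or of this guide's original text), this POSIX shell script automates steps 2 and 3: it removes the marked block from the root .htaccess while keeping a backup, reports how many such blocks remain, and checks for (and optionally deletes) the mu-plugins loader file named above. The function names, the .aios-bak suffix and the --delete flag are this example's own; the marker comments and the loader path are exactly those stated in the steps.

```shell
#!/bin/sh
# Added example, not part of the AIOS project. Assumes the WordPress root contains a
# .htaccess whose AIOS section is delimited by the BEGIN/END comments quoted in step 2.

# Remove everything from "# BEGIN All In One WP Security" through "# END All In One WP Security",
# inclusive, leaving all other rules (e.g. the WordPress rewrite block) untouched.
aios_strip_htaccess() {
    ht="$1"
    [ -f "$ht" ] || { echo "no such file: $ht" >&2; return 1; }
    if ! grep -q '^# BEGIN All In One WP Security' "$ht"; then
        echo "no AIOS block in $ht"
        return 0
    fi
    cp "$ht" "$ht.aios-bak"
    awk '
        /^# BEGIN All In One WP Security/ { skip = 1 }
        !skip { print }
        /^# END All In One WP Security/   { skip = 0 }
    ' "$ht" > "$ht.tmp" && mv "$ht.tmp" "$ht"
}

# Print the number of AIOS blocks still present (0 after a successful strip).
aios_htaccess_block_count() {
    grep -c '^# BEGIN All In One WP Security' "$1" || true
}

# Report whether the firewall loader is still in mu-plugins; with --delete, remove it.
# Returns 0 if the file was found, 1 if it is not present.
aios_check_mu_loader() {
    loader="$1/wp-content/mu-plugins/aios-firewall-loader.php"
    if [ -f "$loader" ]; then
        echo "found: $loader"
        if [ "${2:-}" = "--delete" ]; then
            rm -f "$loader"
            echo "deleted: $loader"
        fi
        return 0
    fi
    echo "not present: $loader"
    return 1
}

# Command-line use: sh aios-cleanup.sh /var/www/html [--delete]
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    aios_strip_htaccess "$1/.htaccess"
    echo "AIOS blocks remaining: $(aios_htaccess_block_count "$1/.htaccess")"
    aios_check_mu_loader "$1" "${2:-}" || true
fi
```

The awk state machine drops the END marker line as well, because the print rule runs before skip is reset on that line; this matches the guide's "between and including" wording. Re-running the script on an already cleaned file is safe, since it reports "no AIOS block" and changes nothing.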

Conclusion

Being locked out of your site can be alarming, but it is almost always reversible. The key is to understand that these security features are working as intended—they are just working too well for your specific configuration. The wp-config.php constants provide the safest and fastest way to regain access without losing your plugin settings. Always ensure your IP is correctly whitelisted and you have recorded any custom login URLs or secret words before enabling these powerful security features.
