If you’re visiting this page, most likely it is because you have been locked out of your WordPress site and cannot log in. In this tutorial, we’ll explain exactly what has happened and how you can regain access.
If you’re having trouble with your WordPress host, then check out InMotion’s WordPress Hosting solutions. We provide secure, optimized servers that priced to meet your budget needs.
Why has my WordPress Dashboard been blocked?
Access to your WordPress Dashboard has been blocked because our systems have detected a possible attack against your site. We have blocked access to prevent the hackers from continuing to target your website.
How long will this block be in place?
The block will be in place for usually 15 – 20 minutes. This means that neither the hackers nor yourself will be able to access your WordPress Dashboard. After the 15 – 20 minutes have passed and the block has been removed, the login page for your WordPress website will be available again. This also means however that hackers can once again target your site, cause the block to occur, and the vicious cycle to continue. This can be frustrating if you’re trying to log in, we understand, and we’d like to help you permanently resolve this issue.
How can I fix this issue
There are generally two things you can do to fix this issue for the long haul. The first option is to hide your WordPress login URL from hackers. They won’t know where to try to login to your site, and the blocks should stop. The second option requires you to edit your .htaccess file (can be difficult if you’ve never done it before).
OPTION #1 – Protecting my WordPress login page – RECOMMENDED
As explained above, if you hide or limit access to your WordPress login page, hackers won’t be able to get to it. If they can’t access it, they can’t brute-force your website and try to attack it! Problem solved! The best way to secure your WordPress login page is to use a plugin to change the URL – hiding the actual URL for backend access from the public. Or, you can use an .htaccess rule to limit access by specifying IP addresses that can access it.
To secure your WordPress login URL:
- You must first wait for the block on your WordPress login page to be lifted. It usually lasts roughly 15 – 20 minutes.
- After the block has been lifted, follow the steps in this article to change/hide your WordPress login page from hackers. You can use a plugin like iThemes Security to change your WordPress backend URL, or you can use .htaccess rules to allow only specific IP addresses to your WordPress Administrator URL.
For more steps you can take to prevent brute force attacks, check out our tutorial on WordPress Brute Force attacks.
OPTION #2 – Block ALL access except your own IP address – ADVANCED
If you’re familiar with editing files and you’re comfortable with editing your .htaccess file, you can follow the steps in this article to block all IP addresses except your own to your WordPress login page. This will stop hackers from reaching your login page altogether.
Congratulations! You’re now familiar with fixing a WordPress login that has been temporarily blocked. If you continue to have issues with your WordPress login, then we recommend that you contact our live technical support team for immediate assistance.
What if it’s been 2 days and the block still isn’t lifted? And you’re already on cloudflare? And you already have ithemes security blocking brute force attacks?
Hi kdimediaxKyle, I’m sorry you’re in this situation: dealing with bot related brute force attacks is never easy, and if you’ve already set up and started using CloudFlare, only to find yourself still running into running into this problem, I would recommend that you immediately set up an IP Address block with both .htaccess and the IP Deny Manager. With this, you will only be able to login from your IP address.
The article I posted above is how to deny access to your entire webpage — which may be beneficial to do for a short time (an hour or two) while you resolve the issue more in depth and let bot traffic die down. After, you can remove the site-wide IP block and replace it with one specifically protecting your WordPress login page. It looks like the formatting of that article needs a bit of fixing, so I’m going to go ahead and do that so the code is readable. Remember, if you changed the URL of your login page you’ll need to adjust the code accordingly.
I know this sort of thing can be a bit of a nuisance if you use a VPN or work from multiple locations, but it’s the most reliable way to eliminate this issue when you’re in the middle of dealing with a lot of bot traffic. Hope that helps!
The Link to the article how to hide the wp login is missing, please fix!
This sentence:
“After the block has been lifted, follow the steps in this article to change/hide your WordPress login page from hackers.”
However “in this article” is not linked to anything 🙁
Thanks for pointing it out, we will fix the link shortly.
After the block has been lifted, follow the steps in this article to change / hide your WordPress login page from hackers.
Link to article is a 404 !!!
Thanks for your feedback. We will get that fixed ASAP.
Still 404!!
I recommend following our WordPress Troubleshooting guide to narrow the cause down further.
Sorry, I meant that the link to the InMotion article is still 404.
Thank you for letting us know. I have updated the links and they should be working now.
I am getting same issue on my site the owner should not be blocked, as we use it many times in a day.
I’m sorry to see that. Following either methods above to avoid this issue will help prevent this from occurring. Once you complete one of the methods your WordPress Administrative Dashboard will then become available within 10-15 minutes.
Followed the instructions for changing .htaccess. Hours later, still no change, and the guy on the online chat says to read this page again.
I’m sorry to see that you’re still unable to get in. Can you please elaborate on the process you followed? Or is there a particular step that you are experiencing issues with or unexpected behavior?
You ROCK Fernando! Modsec got me in! Bummer that someone can lock you out of your own site so easily.
It would seem you folks might have the answer to my problem.
My WordPress.com site doesn’t allow me as the only admin to add new material. Can you provide any ideas? Here is my site. Thanks. https://whatyouthoughtiwentaway.wordpress.com/
Hello Jim,
What happens when you try to add a post or page? There is little we can do as our guides are intended for users who self host their WordPress blog, not blogs located on WordPress.com.
Best Regards,
TJ Edens
help! my website is down and i can login in to the admin page.
All that comes uo is ‘this site is temporarily disabled. please try again later’
My site is www.toluanne.com
Can anyone offer me any help?
Did you try either of the options mentioned in the article above?
It’s been WELL over an hour and I’m still locked out! This is my business and I need to get into these pages! Please advise!
If you still cannot get in after an hour, it means the time has been retriggered. This is possibly due to someone on the outside attempting to get in. You will want to contact Live Support in those cases so they can assist you further.
You may want to update this page with the info that your option one (using the HC Custom WP-Admin URL plugin) doesn’t work with the current versions of WordPress.
Hello Mark,
Thanks for letting us know about the plugin. The actual link to the article has a notice warning about the plugin’s compatibility. I have also added a notice in the message string.
If you have any further questions or comments, please let us know.
Regards,
Arnel C.
Hi, I already had BulletProof SecurityPro installed and configured and working, which of course DOES protect our wp-login.php page from brute force attacks via .htaccess, BEFORE I got locked out. Look at our root .htaccess file, which includes this brute force login page protection code:
# CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION
# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots, HackerBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ – [F,L]
I have dozens of sites using this code and though some of them sustain some very brutal brute force attacks, they have never been compromised since I started using this security plugin. Now my client is out of town for 4 months and I have no way of keeping her site updated for her! Please open the site to me, and if anything further needs to be done please let me know.
Hello Hannah,
I regret to hear that you’re unable to access that site, but I suggest you contact live support so they can get the necessary account verification to make those kinds of changes.
So, if I have members who have to log in through WP to access their accounts, and I have more than one person who logs in as admin to work on the site, (both of which appears to mean that I cannot limit access to one IP address and that I cannot hide the login URL), what are my options to keep the site from displaying this message whenever our members are trying to log in and access their recipes (we are a recipe database website)? I’m puzzled and frustrated with the process since our old hosting (WebSynthesis), which we just moved from a couple of months ago, did protect our database without having to lock the system down. Thank you for your help.
Hello Melanie,
Thank you for contacting us. If your IP addresses change, you can protect your WordPress site by only allowing login requests coming directly from your domain name.
Alternately, you can also allow access from multiple IP addresses.
Thank you,
John-Paul
Hi Team,
I´m not able to access WordPress for prodiveinternational.com for the 4th consecutive day now, but still getting the error above. Our external websupport just informed me that they have added a wordpress plugin that limits bad passwords to 4 then it locks them out for a period of time. The Error seems to be coming from inmotion they say, as they´ve just tested and can connect to the wp-admin.
Therefore, can you please remove the block for my ip address!?
Thanks,
Susann
Hello Susann,
If you have followed the instructions above and implemented a security mechanism to prevent this, you can contact our Live Support and have them remove the mod_sec rule that triggers the block for your account.
Kindest Regards,
Scott M
Hi,
I have hided my login page now. And thanks to that, now I no longer have access to my admin at all. Not via the old login url and not via the new login url.
I have a security plugin that protects me from login attempts so why are you interfering in? Everything was fine before you blocked my website. And it still is blocked. This is BULLSHIT ! Stop it or I will move to other hosting provider !
Hello Ines,
Apologies for the problems with the WordPress login. Can you give us some more information on the login page that you’re having issues with? We would need to test with the URL that you are now using. If you can provide us a little more info, we can investigate it further.
Apologies for the continued issues. Please provide us a little more info and we can look further into the problem.
Regards,
Arnel C.
Just to comment that the Single IP suggestion worked perfectly for me and I am back in after a lock out. I might emphasize to others that part of the complete fix to work is “waiting the 15-20 minutes” after making the htaccess update. I waited 23 mins. and right in I got…so thanks guys for the great instructions.
Hi,
I have been locked out of my site for 24 hours now. My understanding is that the block is only supposed to last for 15-20 minutes. Is something wrong? My site is https://doublerrstudios.com
This is extremely frustrating. It appears I cannot use the mehtods described in this article until the block expires. Why hasn’t the block expired?!?!
Hello andrew,
Thank you for contacting us today. If you are still locked out after 20 minutes, most likely the brute-force attempts on your site are continuing, or there is a 3rd party plugin/addon issue.
In step 2 above, it states: “Please note!
If you’ve waited 20 minutes and cannot login to your dashboard, you will need to follow the directions in this article…”
This should allow you to regain access within 20 minutes.
Thank you,
John-Paul
We apologize for the inconvenience! You are seeing this message because your site has recently been targeted by attackers attempting to gain access to your WordPress Dashboard. In order to protect your site your WordPress Login page has been temporarily disabled.
Unfortunately, you will be unable to login to the Dashboard until the block expires.
PLz solve you solution for admin
Hello Kazim,
Thank you for contacting us. Sorry to hear you are having trouble logging into WordPress. Have you tried one of the 2 methods described above?
If your problems persist, you can disable Mod_security as a test.
Thank you,
John-Paul
I am one of two admins for our account. I tried the htcustom, but then all users immediately say a pop-up login screen that did not allow them to retreive a lost password so I had to remove that.
What I would like to do is have a special way for only admins to get in, but we work from different locations and via traveling laptop, so i don’t think the IP solution will work.
What do you suggest?
Hello Tere,
Sorry for the problem with the login. If you were having problems with the custom login plugin, it’s possible that another security setting or plugin was interfering. There are other plugins that you might want to try. For example, Custom login URL. There are others such as Custom Login 3.0 (updated 1/20/2015) which might also provide a solution for you. If the plugins aren’t working for you then you may need to contact a developer to create a custom way for you to login to the website.
Regards,
Arnel C.
I changed my login URL’s s several months ago when this first happened, and I’m getting the blockage again! I have the longest most complicated passwords in history. Perhaps I could worry about my own blogs instead of the system getting all nervous when it sees too many log on attempts! I’ve never had an issue with WordPress until I began hosting here!
Hello MysticInvestigations,
You can contact our Live Support and have them disable the mod_security rule for your account that performs this check.
Kindest Regards,
Scott M
Okay, so after being blocked. I’m now back in……….Admin login page has been changed by the suggested plugin.
But my front end is GONE. I can still get around in the Admin area just fine, my pages and post are just fine. But when I go to Visit Site, there is nothing…….just a blank screen. I’ve changed themes to see if that would work, and still nothing.
HELP, Please. (www.sonnyslisttmp.com)
Hello Sonny,
Jacob and I were looking at the site and it appears that there was a plugin conflict with wp-live-chat-support-pro and htcustom admin plugin. We disabled them and the page comes up with no problem. However, you may want to login with with the WordPress admin and disable the plugins for now. The problem is definitely related to a conflict with one or both of these plugins, because the front end does work when it’s disabled. We unfortunately cannot resolve that for you, but you may want to contact the author of the plugin to proceed.
Let us know if you have any further questions or comments.
Regards,
Arnel C.
Did not tell me how to regain access to my webpage as stated
Within this article, you may review the various options under the How can I fix this issue? header which will block unauthorized attempts that cause your login to become disabled.
What do I do in the case where I have member to my site that login to view training videos? I can’t hide the login page for them.
Thanks
***Notice: The HC Custom WP-Admin Plugin has not been updated since 2013-11-19, and is only compatible up to WordPress 3.7.11
Hello Sam,
You would just need to give your members the new login page URL if you decided to use the Lockdown WP Admin to change your login URL.
Otherwise you’d need to lock down WordPress admin access with .htaccess by either using a secondary admin password or restricting access by IP address.
Please let us know if you had any further questions at all.
– Jacob
I am baffled as to what to do.
I was told to advised to use Inmotion and WordPress as for those with very limited IT experience this was by far the easiest and most reliable team.
I am still locked out and am starting to get extremely frustrated I do nove to go and pay for a webmaster which is exactly at I didn’t want !!!
Both hiding your WordPress login and restricting access to your own IP as explained in this article are great ways to stop the brute force attacks as well as allow you back into your site. If you are unable to successfully accomplish his based on the steps in this article as well as the articles that are linked from it, you may want to contact technical support where they are able to access your account and locate what exactly you may be doing wrong.
This is an incredibly annoying feature. I wish I had known about the ModSec manager before importing a new version of a site to an existing WP install. After pointing to the new DB in wp-config.php and refreshing /wp-admin to log in, an attempt of entering my credentials immediately resulted in this block. Now, the site I’m trying to work on is stuck in limbo for the moment. Extremely annoying for power users. Thanks for the mention, Fernando. Now I know for future reference. And now, back to waiting…
Hello D. Hitem,
Sorry for the headaches with the WordPress login headaches. Unfortunately, as noted by WordPress, brute force attacks to hit their application because of its popularity. While turning off ModSec can help you avoid some of the security foibles, it’s not recommended as you’re removing the server-wide rules to help mitigate these attacks. The .htaccess rules are highly recommended. Check out this article for further information:
Stopping WordPress brute force
Please understand that this is definitely a hot-button topic with web hosting these days, so it’s constantly being reviewed. We should hopefully see improvements to the modsec rules to prevent these issues from continually happening in the near future.
Regards,
Arnel C.
You can also disable the ModSec manager through cpanel, and it will unlock your site.. just while you do necessary security changes and then re-enable it to enforce more security.
Hi, Our wp-admin access has been blocked for longer than 15 – 20 minutes, more like 1 hour. Please lift the ban so we can make the necessary changes to protect it from future.
We appreciate you taking the steps to protect our site. May we have it back now. Thanks!
T. Zimmer
Domain: www.joyofhandspinning.com
This is a systematic lockdown that is in effect for all users. To avoid it, you will need to lock down your WordPress admin using .htaccess. Both of these methods are shown within this article. Once this is in place, your WordPress admin will then become available within 10-15 minutes.