Thanks for reaching out.
Putting this here for anyone searching who has the same issue.
Please do not ever block wp-admin. This blocks the folder wp-admin, not the wp-admin url. The /wp-admin folder has lots of things that your site needs to function, like admin-ajax.php – the WordPress ajax handler for example. Blocking the /wp-admin url doesn’t make your site any more secure but I know that many people swear by it. I’ll add some reasons for our position on this at the end of this post so I can help the customer first.
If you need immediate site access, please use FTP/SFTP — or any file manager your web host provides via their administration panel. Look inside the /wp-content/plugins/ directory and rename the wordfence directory to wordfence.bak. Once you have logged in to your WordPress admin you can name the folder back again to wordfence and change the setting that caused you to be locked out.
The unlock emails actually come from your website and not our servers. If you aren’t getting emails it usually boils down to one of a few errors.
- The emails (they come from [email protected]) are getting sent to your junk mail folder by your email client or provider. Make sure and whitelist or add your website to the list of safe domains so you get emails consistently.
- Your web server is having a problem with the email software on it. This isn’t like regular emails you send and receive, but rather server alert messages. Usually a restart of postfix or sendmail (whichever is installed) can fix it. Your hosting provider may need to help with this.
- Your hosting provider has disabled SMTP from the server for some reason like preventing the server from being used to spam people.
- You have a third party plugin for sending emails with another service, like Gmail, which isn’t working. Reaching out to the plugin author for support can help.
Regarding renaming the wp-admin URL:
We currently do not offer a feature for changing the wp-admin URL for three primary reasons:
- Changing WordPress URLs involves a risk of breaking functionality of WordPress themes and plugins. For example, WordPress JavaScript XMLHttpRequest object (AJAX) functions are triggered via admin-ajax.php which is located in the wp-admin folder.
- Changing the URL makes us feel more secure but it does not actually make the site more secure. It is what many security analysts refer to as “security through obscurity”. It’s like boarding up the front door of your home to protect yourself against a burglary. Someone looking for a quick break-in may be deterred, but any seasoned thief is just going to go look for another door or window to get in. Any serious attacker will anticipate this and look for other ways in too.
- More than half of all login attempts that are made on WordPress sites are made via xmlrpc.php. Those will not be stopped by changing your admin URL. You can block XML-RPC using Wordfence on the Wordfence > Login Security > Settings page on your site. You can also require 2FA for XML-RPC call authentication. This means that XML-RPC calls that require authentication will also require a valid 2FA code to be appended to the password. You need to choose the “Skipped” option if you use the WordPress app, the Jetpack plugin, or other services that require XML-RPC.
Additionally, if you change the wp-admin or wp-login URLs you also lose visibility on who is attempting to log in to your site and when they are doing it since security plugins aren’t looking for logins on a random URL that you created.
Hope this helps.
Tim
This reply was modified 3 years, 8 months ago by WFSupport.
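
Added example (not part of the original reply and not Wordfence code): a small Python script that tallies login-related requests per endpoint from a web server access log, which is where attempts against xmlrpc.php stay visible whatever the admin URL is called, and counts the admin-ajax.php traffic that a block on the /wp-admin folder would cut off. The log lines are constructed, the function names are hypothetical, and counting every POST to xmlrpc.php as a possible authentication attempt is an assumption, because the access log does not record the XML-RPC method.

```python
import re
from collections import Counter

# Constructed sample in combined log format (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "client-a"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "client-a"
198.51.100.23 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2911 "-" "client-b"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "client-a"
192.0.2.10 - - [12/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2805 "-" "browser"
192.0.2.10 - - [12/Mar/2024:10:00:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "browser"
198.51.100.23 - - [12/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "client-b"
192.0.2.10 - - [12/Mar/2024:10:00:08 +0000] "GET /wp-admin/admin-ajax.php?action=demo HTTP/1.1" 200 12 "-" "browser"
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "client-a"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Endpoints that accept credentials; only POSTs are counted as attempts.
LOGIN_ENDPOINTS = {"/wp-login.php": "wp-login", "/xmlrpc.php": "xmlrpc"}
AJAX_PATH = "/wp-admin/admin-ajax.php"

def summarize(log_text):
    """Count candidate login attempts per (endpoint, client) and admin-ajax hits."""
    by_client = Counter()
    ajax_hits = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path == AJAX_PATH:
            ajax_hits += 1  # normal site traffic that lives under /wp-admin
        elif m["method"] == "POST" and path in LOGIN_ENDPOINTS:
            by_client[(LOGIN_ENDPOINTS[path], m["ip"])] += 1
    by_endpoint = Counter()
    for (endpoint, _ip), count in by_client.items():
        by_endpoint[endpoint] += count
    return {"by_endpoint": dict(by_endpoint), "by_client": dict(by_client),
            "ajax_hits": ajax_hits}

def noisy_clients(summary, threshold=3):
    """Clients with at least `threshold` attempts against a single endpoint."""
    return sorted({ip for (_, ip), n in summary["by_client"].items() if n >= threshold})

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["by_endpoint"], result["ajax_hits"], noisy_clients(result))
```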