aios blocking access to wordpress but site remains up

Additional information – I have tried the following:

Change php version from 8.3 to 8.1 – with no effect

Thinking somehow my ip address got blacklisted in AIOS (I don’t know why that would happen as there were no mulitple login attempts and deleting the plugin and reinstalling should have been a clean re-install) I tried the following

• used a VPN to get a new address – no impact
• used a VPN from another country to get a second new IP – no impact
• swapped out the router and also gave a new IP address – no impact

The only changes I made to this issue arising is plugin updates (AIOS won’t activate even with all other plugins deactivate) and writing a blog post. The issue did not surface until hours after the plugin updates.

Additional actions regarding htaccess file

I’ve reset the file by removing the AIOS segment as outlined in the pinned post from Tips and Trick using Option 3 – removing the lines. This did not help.

I also replaced the .htaccess with a .htaccess.backup file. This did not help either.

Hi @mwschaff,

If you can access site front end but not the login page / admin and redirects to 127.0.0.1 it might be due to Cookie base brute force on that might be an issue or your IP is permanently blocked and site front end is loading from cache.

can you please add below constant AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION and check if it solves the issue.

define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);

If not check any IP related to you or your server IP is not blocked wp_aiowps_permanent_block in table.

Regards

Thank you so much for your help.

First the good new. I added “define(‘AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION’, true);” to wp-config.php and that worked! I looked at the cookie based brute force settings and nothing seemed out of order. I also looked at lists: Locked IP addresses is empty; Permanent block list – most recent entry is beginning of January weeks before the issue started; Audit logs looked normal. In the firewall Blacklist is empty; the allow list was also empty but I’ve added my IP address.

The bad news is that while I can access the WP dashboard through my hosting service (Bluehost) I can no longer can access it directly through the web. It appears that wp-admin.php is missing. In CPanel File Manager I searched for it and although I could find a wp-admin folder there was no php file. I know I didn’t delete it.

Some questions:

• what caused all this?
• does this mean I should not use cookie based brute force prevention?
• what happened to wp-admin.php and I can I get it back?

Again thank you for your help.

Further investigation seems to indicate there is no wp-admin.php in WordPress Rather the login is domaninname/wp-admin/

when i go the domainname/wp-admin/ I get

Access to mikeschaffnerphotography.com was denied

You don’t have the user rights to view this page.

HTTP ERROR 403

Ok – making progress. I added my IP address to Brute Force/Login Whitelist and can now get to the login page via a web page.

This whole thing has my head spinning. LOL

Everything except custom login URL (which is turned off) seems to be working fine.

I see on the Brute Force/Login Whitelist “Only the addresses specified here will have access to the WordPress login page.” so that explains why I couldn’t get in without adding my new IP address.

All that remains are the questions so I better understand all this

• what caused all this?
• does this mean I should not use cookie based brute force prevention? Should I not use custom URL?
• The “Cookie based brute force login prevention” is disabled by the line I added to wp-config and also the toggle switches in the app are turned off – should I now remove the line from wp-config?

Again, thank you so much for your help

Hi @mwschaff

Yes /wp-admin/ is a folder not php file and when you try access its /wp-admin/index.php called which checks if admin not logged redirect to login page.

Now if defined AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION in wp-config.php and it do not redirect to 127.0.0.1 which means cookie based brute force on and you should try access with secret word so {site_url}?{secret_word}=1 It will save cookie in your browser for 24 hrs the again after 24 hrs it will start redirect to 127.0.0.1 and you can access with {site_url}?{secret_word}=1 only.

Above will set cookie for 24 hrs and will redirect to the renamed login page or wp-login.php it is enabled but there if you have login white list enabled it will show 403 forbidden.

Here you have 3 of the bruteforce feature on They works as below flow.

what caused all this?
Cookie based brute force applied as rule and will redirect to 127.0.01 with priority.

Renamed login page will try load the login page

Loing whitelist will check while loading renamed login page url and will show 403 forbidden

If you are access using hosting cpanel feature to Sing in as Admin it might not use the login flow authenticate hook which check all above so will go to wp-admin directly.

does this mean I should not use cookie based brute force prevention? Should I not use custom URL?

If you have the cookie based brute force on entering the {site_url}?{secret_word}=1 it will auto redirected the renamed login page url you can use both but have to use cookie based brute force secret word after next 24 hrs.

The “Cookie based brute force login prevention” is disabled by the line I added to wp-config and also the toggle switches in the app are turned off – should I now remove the line from wp-config

Yes once you have the {secretword} from WP security > Brute force > Cookie based brute force prevention and try in incognito window to access login page if worked you can remove it other wise let me know.

Regards

Great. I really appreciate you help so much. I’m mark this as resolved.