First I’m going to talk about how you could accidentally get locked out of your blog, then how to remove that lockout, and finally how to avoid it in the future.
How do you get locked out of your blog?
There are two main reasons you could get locked out of your blog due to iThemes Security:
- You have set iThemes Security to lock out users who cause too many 404 errors. If you have 404 errors on your blog (in the form of a missing file, etc.) you could accidentally lock yourself out just through normal browsing!
- You have set iThemes Security to lock out a username after too many failed login attempts. If someone attempts to log in with your username and fails too many times, your username could be locked out, which could prevent you from logging in even if you have the right password.
Deleting the lockout from your database
In order to manually remove a lockout, you have to remove the entry from your WordPress database. This is dangerous! Your database is where all your posts, comments, pages, and other data are stored. You have to be extremely careful when poking around.
To access your database, you have to log in to phpMyAdmin. The process for doing this is different for every web host, but usually you log in to your web host control panel and look for phpMyAdmin, Database, or MySQL. Ultimately, you need to end up in phpMyAdmin (often that means clicking “MySql”, then clicking something like “Login to phpMyAdmin”). If you can’t find it, contact your host and ask how to log in to phpMyAdmin.
After logging in, you’ll see a list on the left with your database names. Most people will probably only have one entry. If you have more than one, you have to figure out which one is your WordPress installation.
Click the plus (+) sign on the left to expand the database. Then find the table named xx_itsec_lockouts. The “xx” could be anything because you can set a custom prefix on WordPress (the default is wp_, but again, yours could be any letters). Click that table name.
This will bring up a list of all the entries in this table. It will basically be a list of all the past lockouts. You have to find yours and delete it.
If your IP address was locked out (likely because of too many 404 errors), you have to find your IP address. In a new tab, go to whatismyip.com. The site will say Your IP: followed by some numbers. Copy those numbers. Then return to phpMyAdmin and click “Search” at the top. Find the lockout_host field and paste your IP address into the “value” box next to it. Then click Go at the bottom. This will show you all the lockouts for your IP address. Delete them to remove the lockout.
If your login name has been locked out, you have to find the lockout corresponding to your username. Click the “Search” button at the top of the page. Then find the lockout_user field and paste your user ID number in the box next to it. This is not your username; it’s your user ID number (so an integer). By default that’s usually 1.
Then, click Go in the bottom right. This will show you all the lockouts for your username. Delete them to remove the lockout.
You should now regain access to your blog!
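The same cleanup can be run from phpMyAdmin’s “SQL” tab instead of the Search form. This is an added example, not code from the plugin or the original post; it assumes the default wp_ prefix, a constructed IP address (203.0.113.7), user ID 1, and a hypothetical backup table name, and it uses only the lockout_host and lockout_user fields named above.

```sql
-- Assumptions (replace with your own values):
--   table prefix : wp_            (yours may differ)
--   your IP      : 203.0.113.7    (constructed sample address)
--   your user ID : 1              (the integer ID, not the username)
--   backup table : wp_itsec_lockouts_backup (hypothetical name, any unused name works)

-- 1. Copy the table first so a mistaken delete can be recovered by hand.
CREATE TABLE wp_itsec_lockouts_backup AS
SELECT * FROM wp_itsec_lockouts;

-- 2. Preview exactly the rows the deletes below will remove.
--    If this returns rows that are not yours, stop and fix the values.
SELECT *
FROM wp_itsec_lockouts
WHERE lockout_host = '203.0.113.7'
   OR lockout_user = 1;

-- 3a. Remove lockouts recorded against your IP address (the 404 case).
--     Never run DELETE on this table without a WHERE clause.
DELETE FROM wp_itsec_lockouts
WHERE lockout_host = '203.0.113.7';

-- 3b. Remove lockouts recorded against your user ID (the failed-login case).
DELETE FROM wp_itsec_lockouts
WHERE lockout_user = 1;

-- 4. Confirm nothing is left for either value.
SELECT COUNT(*) AS remaining
FROM wp_itsec_lockouts
WHERE lockout_host = '203.0.113.7'
   OR lockout_user = 1;

-- 5. Once you have logged in to WordPress successfully, drop the copy.
--    Left commented out so pasting the whole script keeps the backup.
-- DROP TABLE wp_itsec_lockouts_backup;
```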
How to ensure it doesn’t happen again
Preventing 404 errors
If you got locked out due to 404 errors, the easiest fix is just to turn off that setting in iThemes Security. But if you only do this, you’re not fixing the root problem.
A 404 error doesn’t just mean going to a page on your blog that doesn’t exist. It could also mean your blog is pointing to a file (like an image) that is broken or doesn’t exist.
To see if your blog has 404 errors, visit it in Google Chrome. Then, right-click anywhere on the page and click “Inspect Element”. Then, switch to the “Console” tab. If you have any 404 errors, they will show up like this in red:
Or, if you have the Linky Followers widget on your blog, every single page will show this:
That’s right, the Linky Followers widget triggers four un-fixable 404 errors on every single page load. Having that widget is the fastest way to get locked out of your own blog.
Step 1: Find out what the 404 errors are
The developer tools window will show you exactly what errors are triggering. Find those files.
Step 2: Fix/remove the broken files
Fix the broken images or remove them altogether. Get rid of those 404s! Or if you’re using the Linky widget, I suggest removing it altogether.
Fixing username lockouts
Your WordPress username should be like a password: secret. Your only options here are:
- Turn off the “lock out usernames” feature in iThemes Security.
- Change your username.
I personally recommend that you change your username. If those hackers know your username, they’re already halfway to getting into your account. Changing your username is easy. Simply create a new administrator account, then delete your old one. When you delete your old one, you’ll be given the option to reassign those posts to a different user (the new one).