How to Unblock Limit Login Attempts in WordPress [4 Easy Methods]

Unblock limited login attempts

Are you locked out of your WordPress? That’s what happens when you exceed the total limit attempts on WordPress. 

There can be several reasons why this might happen. You might have forgotten your password, forgotten that your capslock is on, or you just could not type for some reason because you are having a horrible day.

Whatever the reason might be, the verdict is: you are in trouble.

But don’t worry!

We are here to help you out. This article lists four ways to unblock limited login attempts. We know you are desperately trying to get back to your website, so let’s jump right in!

04 Methods to Unblock Limit Login Attempts

Here are four ways to get back to your admin dashboard again.

Method #1: Clear Lockouts from phpMyAdmin

All the WordPress plugins that help you implement login attempts store lockouts in your WordPress database. Clearing that data should help you re-enter your admin dashboard. 

Five steps to clear lockout from the file manager:

  1. Access your hosting control panel (e.g., cPanel, Plesk) and open phpMyAdmin.
  2. Find your WordPress database and click on it.
  3. Look for the table named something like `wp_options.` 
  4. Search for the option name; depending on the plugin, the name can vary. For example, if you use AIO Login, it should be named `aio_login_attempts.`
  5. Delete the row containing the lockout details or reset the value.

Method #2: Renaming the Limit Login Attempts Folder

A plugin can not function if WordPress can’t read it. Therefore, renaming the plugin’s folder, which causes the problem, can also help eliminate the issue. Here’s how to go about it.

Four steps to rename the folder:

  1. Connect to your site using an FTP client (like FileZilla).
  2. Navigate to /wp-content/plugins/
  3. Rename the Limit Login Attempts plugin folder to something else. For example, you can add random letters ahead of the login attempts folder, such as ‘aio-login-attempts’ >> ‘aio-login-attempts-abc.’ This name change will disable the plugin.
  4. Log into your WordPress site. Afterward, rename the folder back to the previous name. In this case, aio-login-attempts.

Method #3: Disable All Plugins

As we discussed in the previous section, renaming a plugin’s name can prevent WordPress from reading it. Similarly, renaming the plugin folder will disable all plugins. Later, you can enable them by renaming the name to default. 

Here are four quick steps to do that:

  1. Use FTP to go to /wp-content/plugins/
  2. Rename the entire plugins folder to something else, like “plugins_disabled.”
  3. Login to your WordPress.
  4. Rename the folder back to `plugins` and reactivate the necessary plugins from the dashboard.

⚠️ This method can be problematic if your website heavily relies on WordPress plugins for functionalities. This method may cause you to configure and set up all the plugins again.

Method #4: Contact Your Web Host

Last but not least, contacting your host can also help you fight the problem. Your host can effortlessly reset your password or disable the plugin without having to set up all the plugins again, making it the ideal choice to unblock limit login attempts.

The process varies depending on your host, but it’s straightforward. All you have to do is reach out to your host, create a ticket, and sort the issue out. It’s that easy!

Why Limit Login Attempts is Essential?

Now that you are back in your WordPress admin dashboard, you might question the need to limit login attempts. Before you question it, take a look at this thought-provoking fact: 11,000 brute-force attacks occurred every second in 2023.

If you are unaware of brute force attacks and their deadly consequences. Here’s what it is and how it can impact your WordPress and business.

Brute Force Attack: What is it and How Does it Work?

Brute force is a cyber attack that uses trial and error to ‘guess’ sensitive information about a user, including login credentials, passwords, credit card information, etc. It is a fairly common cyberattack that doesn’t require any advanced software. It is usually performed using automated bots that continuously try thousands of password combinations in seconds.

The attackers or robots usually start with common passwords like 123456 or admin and eventually progress to more complex ones, such as common combinations like qwerty123 or admin123

Perpetrators also use credentials stolen from previous data breaches or bought from the dark web. This practice is known as credential stuffing, and it can be super deadly for users who use identical passwords for multiple accounts. 

Cyber attackers may employ a method known as a dictionary attack, which involves using a predefined list of commonly used passwords or words to guess a user’s password. This list may include variations, such as leetspeak, where letters are substituted with similar-looking numbers or symbols (e.g., replacing ‘e’ with ‘3’ or ‘a’ with ‘@’). While dictionary attacks can efficiently crack simple and commonly used passwords, they can also target more complex passwords that follow predictable patterns.

06 Ways to Prevent Brute Force Attacks 

Now that you understand the dangers of brute force attacks. Here’s how to protect your WordPress from it. Before jumping in, don’t forget to download All-in-One Login—a WordPress plugin offering robust login page security.

  • Re-Enable the Limit Login Attempts: If, after all the hassle of unblocking yourself, you do not feel like opening the feature again, that can be problematic for you. Thus, we recommend enabling the feature by navigating to the AIO Login settings >> Login Protection tab >> Limit Login Attempts subtab. Documentation: How to Implement Limit Login Attempts.
  • Set up a Custom Login URL: The default login URL is highly vulnerable. Anyone, including perpetrators, can access your WordPress by adding /wp-login.php/ in front of your domain and performing a brute force attack on your admin dashboard. Therefore, changing your default login URL to something more confidential can be beneficial for your site’s security. Documentation: How to Secure Your Login URL.
  • Set up Two-Factor Authentication: Multi-factor authentication protects your WordPress even if your password is cracked. The feature requires the user to authenticate their login attempt with another factor, usually validated by the admin’s mobile phone. Hence, it traps the attacker who doesn’t have the second authentication factor. Documentation: How to Set Up Two-Factor Authentication (2FA) for WordPress.
  • Enable reCAPTCHA: reCAPTCHA prevents automated bot attacks by imposing a test on users to discriminate between bots and humans. The test usually requires choosing specific objects from a set of images. Combine it with other security measures to enhance your security. Documentation: How to Add reCAPTCHA to WordPress Login

⚠️ If your reCAPTCHA fails or misbehaves, that could be because of your site’s code, plugin, or version conflict. Refer to this article, where we listed four ways to fix reCAPTCHA not working in WordPress.

  • Monitor Login Activity: Regularly monitoring your login activity can hint at potential brute force attempts, allowing you to block specific IPs that continuously attempt to log in. Documentation: How to Monitor WordPress User Login Activity.
  • Use Strong and Unique Passwords: Use strong and unique passwords for each account, and never use the same password for multiple accounts to protect your WordPress from credential stuffing. Also, do not use easy-to-remember passwords. Instead of using personalized passwords like your or your loved one’s name or birthday, use a combination of uppercase and lowercase letters, numbers, and special characters. Utilize password managers that help you store strong passwords. Learn More: Common Password Mistakes That Put Your WordPress Security at Risk.

Conclusion

Getting locked out of your own WordPress is frustrating. However, your site’s security is more than a moment of frustration. Therefore, do not let this tiny moment of inconvenience cause you to stray further from this vital part of WordPress security. 

Implement the feature today because even if you lock yourself out, you know how to unblock limit login attempts. If you face any problems with All-in-One Login or WordPress in general, do not hesitate to give us a call. Our dedicated support team is determined to help you out! 

For the best login page protection, try All-in-One Login today!

Unblock Limit Login Attempts — FAQs 

What is the limit login attempts?

Limit login attempts is a security feature that temporarily blocks the users after a set of incorrect login attempts.

How many login attempts should I allow?

You should go for three. Usually, users type very carefully after two failed login attempts. Three attempts allow them to reflect on the issue (i.e., capslock is on) and type the correct password even after failing twice.

How do I see all login attempts?

All-in-One Login’s Activity Log can help you track all login attempts. The plugin also allows you to ban or allow specific IP addresses to prevent further failed login attempts. You can find the feature by navigating to the WordPress >> All-in-One Login settings >> Activity Logs >> Failed Logins.

What is the login limit reached?

If you see an error that says ‘login limit reached,’ it means there is a policy that prevents multiple login attempts from a single IP address. To try your password again, you must wait until the timer runs out.

Scroll to Top