For most WordPress issues, you’ll log into your site and work with the information you get on your dashboard. However, if you’re locked out of wp-admin, you won’t have this luxury. Instead, you’ll need to root out the problem through your server and database.

In some cases, human error can play a part. For example, your login credentials could have a mistake. However, there can be deeper problems that require a heavier fix, such as repairing file permissions or even fighting a malicious attack.

This post will show you how to get back in once you’re locked out of wp-admin. Here’s what we’re going to cover:

  1. Making sure your login credentials are correct.
  2. Checking whether a security plugin is blocking your access.
  3. Ensuring that you head to the right login URL.
  4. Confirming that your site directs to the right URL.
  5. Checking your WordPress file permissions.
  6. Fixing .htaccess if you run an Apache server.
  7. Increasing the PHP memory limit for your site.
  8. Fixing other errors that could cause you to be locked out of wp-admin.
  9. Checking whether your site is dealing with a malicious attack.
  10. Restoring from a clean backup, or reinstalling WordPress from scratch.

The first method on our list should be simple enough, but does have some caveats we need to cover.

1. Use the Correct Username and Password

The most basic of checks involves using the right username and password at the login screen. You’ll need to double check that you enter the credentials you think are right correctly. However, we’d often recommend you change your password using the dedicated link on the login screen:

The WordPress login page, with the Lost your password? link highlighted.

If this doesn’t resolve the issue, and you know that the credentials are correct, you may have to head into your MySQL database.

A MySQL database within the Adminer interface.

You’re able to change your user password here. In fact, you can set up a complete new user, and we have an in-depth guide on how to do this. The quick summary is that you find the relevant username within the wp_users table, and change the password complete with ‘MD5 hashing.’ This is a form of encryption that’s important to keep your site and its data secure.

2. Disable Your Security Plugin

WordPress security plugins will be an almost necessary component of your site. The right plugin can offer you and your users a lot of protection. Sometimes, you might have too much security. In some cases, your plugin could restrict your access using the same functionality it uses to keep hackers at bay.

For example, you could run afoul of your login limiting functionality. In cases like this, you’ll see a clear warning that access will either disappear soon, or will already have gone.

A WordPress login page showing an incorrect login and three attempts remaining to get into the wp-admin screen.

However, in other cases, your security plugin might add your IP address to your block list, or any number of similar situations. To test this out, you can disable the plugin on a temporary basis. This is where Secure File Transfer Protocol (SFTP) comes in.

This is a way to make a direct connection to your site’s server and work with its files. We’ll reference SFTP a lot throughout the rest of the article, so you’ll want to choose a dedicated client and learn how to use it. FileZilla is popular and free, as is Cyberduck.

The Cyberduck logo.

From here, you can look to disable your security plugin from the server. Our article on how to choose and install plugins also includes a section on how to disable one, so check that out and come back here if you still have no luck.

3. Ensure You Use the Right Login Page URL

There are lots of tips you can use to harden your WordPress website, and a common one is changing the URL of the login page. This lets you still log into your site, but doesn’t give bots and hackers that knowledge (unlike the default wp-login.php slug.)

However, you might forget this URL. In extreme cases, a plugin might have done this without your knowledge (although all of the security plugins we recommend won’t do this.)

In almost all cases, you’ll have made a change to your login URL, so can also reverse it. It’s likely a plugin that offers this functionality. As with disabling your security plugin, you should also disable the plugin that changes your login URL using SFTP. From there, try again using the default login page URL.

4. Check That Your Site URL Is Correct

In nearly all cases, your site’s URL will be fine and correct. However, there are some situations where the site URL won’t be right. This will mean you can’t log into your site, and you might not even be able to access the front end at all.

If you had access to the WordPress dashboard, you could check this in the Settings > General screen:

The WordPress wp-admin dashboard screen showing the WordPress Address and Site Address URLs.

However, this is also possible within your wp-config.php file. Our guide talks about how to access and edit this file using SFTP. In short, you’ll open the file and add a couple of lines to it:

define('WP_HOME','https://yoursite.com');
define('WP_SITEURL','https://yoursite.com');

You’ll want to change the placeholder domains to your own. It’s important to note that making a switch to HTTPS can often cause an error like we’re dealing with here. However, you’ll only need to carry out a quick check to ensure everything is shipshape.

5. Make Sure You Check Your File Permissions

You can’t enter a locked door without the right key, and the same goes for your WordPress website. File permissions govern which users can access files, and the extent that they can work with them. In cases where you’re locked out of wp-admin, you might have a mismatch when it comes to your site’s file permissions.

The good news is that WordPress’ files will have the same set of permissions between installations. We take a deep dive into this in our dedicated article on hardening WordPress. You’ll need to connect to your server using SFTP, then change batches of files using the built-in permissions manager:

Changing the file permissions of a WordPress file within the Cyberduck SFTP client.

This will take seconds to achieve, and will help you figure out how to get back into your WordPress dashboard.

6. Fix an Issue With Your .htaccess File

In the same way that your wp-config.php file contains WordPress-specific settings, your .htaccess file holds the same sort of data for your Apache server. Nginx users will want to skip over this method, but Apache server users can use SFTP to find the .htaccess file on the server.

While similar methods would see you edit the file, in this case, there’s a different approach:

  • First, make a copy of the file and store it on your local computer.
  • Next, delete the .htaccess file from the server.
  • Check whether you can log into your site.

If you still can’t access the WordPress dashboard, put the copy of the .htaccess file back on your server. However, if you can access your dashboard, generate a new .htaccess file on the Settings > Permalinks screen:

The WordPress Permalinks screen within wp-admin.

All you’ll need to do is save your changes here, and that will generate a new .htaccess file for you.

7. Check That Your PHP Memory Limit Is High Enough

Your site’s code is based on the PHP language, and the routines it runs needs to use memory. If your memory allocation is too low, this can cause errors to happen – including being locked out of wp-admin. Think of this like a faulty wire. You’ll have intermittent issues based on the amount of memory you have available.

The solution is to boost your PHP memory limit. Our guide discusses a couple of methods that can help you obtain or regain more memory. By now, you’ll have decent knowledge of SFTP, and you’ll use it again to open your wp-config.php file. This time, look for the following line (or add it if it’s not there:)

define( ‘WP_MEMORY_LIMIT’, ‘256M’ );

The value should be either 128 or 256. We’d recommend you change this, save the file, and check whether you can log into your site again.

8. Resolve Another Error That Causes You to Be Locked Out of wp-admin

In medicine, a ‘co-morbid’ condition is one that’s related to the main ailment you have. For instance, a migraine can cause an upset stomach. For WordPress, not being able to access your WordPress dashboard is co-morbid to one of many other errors and glitches.

Two of the most ‘popular’ errors on your site deny access to almost your whole site:

  • A 500 Internal Server error. This tells you that there’s something wrong with the server, but won;t give you much more information. It’s a pain to resolve, but we can show you how to do it.
  • The White Screen of Death (WSoD.) This is one of the most damaging errors that can leave you tearing your hair out. It will only display a white screen (hence the name,) although that shouldn’t stop you from resolving the error.

Of course, there could be other issues too, and you’ll need to troubleshoot and resolve them. However, once you rectify the main issue, this should also give you back access to wp-admin.

9. Make Sure Your Site Is Not Compromised

If you look at a number of solutions to get back into your WordPress dashboard and none work, it could be that you are dealing with a hacking attempt. This is one of the more serious issues your site can face, so it’s important to resolve it fast.

While there’s merit in running some tests, most will require you to install a plugin or work within the WordPress dashboard. As such, this option won’t be available to you.

Instead, we’d recommend you call on a dedicated WordPress maintenance company. They can help right the ship and carry out some initial triage. From there, they can help you shore up your site from future attacks. WP Buffs, Maintainn, and WP Tech Support all offer this type of service.

The WP Buffs website.

You might also want to contact your host too, as they can work on issues on the server side. Even your security plugin developer may have a service to help malicious attacks. For example, Wordfence offers a site cleaning service for premium members, as do a number of others.

10. Restore From a Clean Backup, or Reinstall WordPress

If all else fails – and save from contacting your host’s support – you may have to restore your site from a known ‘good’ version. This is where your backups come in handy. If you use the right plugin, this process should be a breeze.

The UpdraftPlus plugin.

UpdraftPlus is a perennial favorite at WPKube, and we have a guide on how to use the free version. However, there are lots of others, and the choice here comes down to the solution you like the most. Almost all of them are fantastic.

In the worst case scenario, you’ll need to install WordPress again from scratch. This can be tiresome, but it’s necessary if you can’t access your site.

There are a few ways you can reinstall WordPress, especially if you have a host with a ‘one-click’ installation process. Our dedicated guide looks at a few ways, including a manual approach that should only take a few minutes.

Wrapping Up

If you can’t access your site’s WordPress dashboard, you’ll have a tough time to fix whatever’s wrong. The good news is that there are a number of different ways you can look to regain access to your site once you are locked out of wp-admin.

This post looks at ten different approaches you can take. Some are straightforward, such as using the right login credentials. Others need a little investigation, such as whether your site URL and login page URL are right. However, you may need to pull out all the stops to fix malicious breaches or other major site errors. It could be that you even need to reinstall WordPress altogether.

Do you have any questions relating to being locked out of wp-admin? Ask away in the comments section below!

Similar Posts