Locked Out of WordPress? Here's How to Fix the Issue

Modern Optometrist Website Design Examples to Inspire

January 19, 2026

The Best Agency Website Design Examples

January 20, 2026

One wrong password attempt, one bad plugin update, and suddenly you are staring at a login error with no way back into your own site.

Knowing how to fix the locked out of WordPress error is something every site owner needs at some point. It happens to beginners and experienced developers alike.

The causes range from forgotten admin credentials and security plugin lockouts to plugin conflicts and broken database connections. Each one has a specific fix.

This guide covers every recovery method: resetting your password via phpMyAdmin, using WP-CLI, disabling plugins through FTP, editing functions.php, and more. By the end, you will have wp-admin access back and a prevention plan in place.

What Is the "Locked Out of WordPress" Error?

The locked out of WordPress state means you cannot access wp-admin or wp-login.php through the normal login process. The WordPress dashboard is inaccessible, and standard credential entry either fails silently or returns an error message.

WordPress powers 43.4% of all websites globally (W3Techs, 2024), making it the single largest CMS target for login-related failures and brute force attacks. The sheer scale of WordPress adoption means lockout scenarios affect millions of site owners every year.

There are 4 distinct causes of a WordPress admin lockout:

Forgotten or corrupted login credentials
A security or login-limit plugin blocking access after failed login attempts
A recently installed or updated plugin or theme that broke wp-admin entirely
A corrupted database, missing wp-config.php, or failed database connection

This is not the same as the WordPress white screen of death, a 500 internal server error, or WordPress stuck in maintenance mode. Those are related but separate issues with different fix paths.

Standard "forgot password" flows fail in 3 of these 4 scenarios. If the admin email address is lost, the database is corrupted, or a security plugin is blocking all access, the email reset option does nothing useful. That is when database-level recovery methods become necessary.

What Are the Most Common Causes of a WordPress Lockout?

Identifying the correct cause before picking a fix method saves significant time. Applying the wrong fix to the wrong cause is the most common mistake site owners make.

Cause	Typical Trigger	Fix Path
Lost credentials	Forgotten password, changed without saving	phpMyAdmin or WP-CLI reset
Security plugin lockout	Too many failed login attempts	FTP plugin folder rename
Plugin or theme conflict	Recent install or update broke wp-admin	FTP folder rename, debug log
Database or config error	Corrupted wp-config.php or missing DB connection	Replace wp-config.php, check DB credentials

Lockouts Caused by Security Plugins

Brute force attacks on WordPress increased by 130% in 2024, with attacks per domain rising 120% year-over-year (Limit Login Attempts Reloaded, 2025). Security plugins like Wordfence, Limit Login Attempts Reloaded, and iThemes Security respond by blocking IP addresses after a set number of failed login attempts.

The problem is that legitimate site owners trigger these lockouts too. A mistyped password on mobile, a caps lock issue, or a recently changed credential that was not saved properly can exhaust the allowed attempts and trigger a 20-minute to 24-hour block.

Signs this is your cause:

You see a message referencing "too many failed attempts" or a countdown timer
The block happened immediately after several wrong password entries
You can access the site frontend but not wp-login.php

Lockouts Caused by Plugin or Theme Conflicts

96% of WordPress vulnerabilities in 2024 originated in plugins, with 7,633 plugin flaws recorded that year, a 34% increase over 2023 (Patchstack, 2025). A conflicting or broken plugin does not always produce a vulnerability. Sometimes it just breaks wp-admin entirely on activation.

This cause is almost always triggered by a recent action: installing a new plugin, updating an existing one, or switching themes.

Confirming this is your cause: The lockout started immediately after a plugin install or update. The frontend of the site still loads. You may see a fatal error message referencing a specific PHP file path.

How to Reset a WordPress Password via phpMyAdmin

This is the most reliable fix for credential-based lockouts when the email reset option is unavailable. It requires database access through your hosting panel, not through WordPress itself.

phpMyAdmin is available through cPanel or Plesk on virtually all shared hosting plans, including SiteGround, Bluehost, and Cloudways.

Accessing the wp_users Table

Step-by-step process:

Log into cPanel or your hosting control panel and open phpMyAdmin under the Databases section
Select your WordPress database from the left sidebar (usually named after your site or with a hosting prefix)
Click on the wp_users table (the prefix may differ if you changed it during installation)
Find the admin account row and click the Edit (pencil) icon on the left
In the user_pass field, clear the existing hash, type your new password in plain text, and select MD5 from the Function dropdown
Click Go to save

WordPress stores passwords in MD5-hashed format for backward compatibility. Even though WordPress now uses stronger bcrypt hashing internally, it still accepts MD5 input at login and automatically upgrades the hash to bcrypt on first successful authentication (WPBeginner, 2024).

Also clear the user_activation_key field for the same user row. A non-empty activation key can silently block login even after a correct password reset.

When This Method Does Not Apply

phpMyAdmin access requires your hosting panel login credentials. If you lost those too, contact your hosting provider directly. WP Engine, Kinsta, and SiteGround all offer one-click admin password reset tools inside their dashboards that bypass phpMyAdmin entirely.

How to Reset a WordPress Password via WP-CLI

WP-CLI is the fastest fix available for users with SSH or command-line access to their server. One command, no GUI, no manual database navigation.

The command:

wp user update 1 --user_pass="yournewpassword"

The number 1 refers to the WordPress user ID. Most default WordPress installations assign the first admin account ID 1, but this is not guaranteed, especially on older or migrated sites.

Finding the Correct User ID

Run this first if you are unsure of the admin user ID:

wp user list --role=administrator

This returns all administrator accounts with their IDs, usernames, and email addresses. Use the correct ID in the update command.

WP-CLI availability by host:

Kinsta: available via SSH in all plans
WP Engine: available via SSH Gateway
Cloudways: available via SSH on all server tiers
SiteGround: available on GrowBig and GoGeek plans

WP-CLI is lower risk than direct database editing. It calls WordPress's own wp_update_user() function internally, which means the password gets hashed correctly using WordPress's current algorithm rather than relying on MD5 compatibility.

How to Create a New WordPress Admin Account via the Database

Use this method when the original admin account is corrupted, missing entirely, or when a security breach has removed your administrator privileges. This is a 2-table operation in phpMyAdmin.

Inserting the New User Row

In the wp\_users table, click Insert and fill in these fields:

user\_login: your new username (do not use "admin")
user\_pass: your new password with MD5 selected in the Function dropdown
user\_email: a valid email address you control
user\_registered: current date in YYYY-MM-DD HH:MM:SS format

Note the auto-generated ID value after saving. You need it for the next step.

Assigning Administrator Role in wp\_usermeta

Open the wp\_usermeta table and insert 2 rows for the new user ID:

user\_id	meta\_key	meta\_value
[your new user ID]	wp\_capabilities	a:1:{s:13:"administrator";b:1;}
[your new user ID]	wp\user\level	10

The wp_capabilities value assigns full administrator role. The wp_user_level value of 10 is the legacy WordPress user level for administrators and must be included for full dashboard access.

After logging in with the new account, navigate to Users in the WordPress dashboard and either delete the corrupted original account or restore its role manually. Do not leave 2 orphaned admin accounts active longer than necessary.

How to Disable a Security Plugin Causing the Lockout

When a lockout plugin like Wordfence, Limit Login Attempts Reloaded, or iThemes Security is blocking your access, the fix is to disable the plugin at the file system level. You do not need wp-admin access to do this.

Disabling Wordfence via FTP

Connect to your server using an FTP client like FileZilla. Navigate to /wp-content/plugins/ and rename the wordfence folder to something like wordfence_disabled.

WordPress detects the plugin folder is missing and automatically deactivates Wordfence. Your lockout block is cleared immediately. You can now log in normally.

After logging back in:

Rename the folder back to wordfence in FTP
Reactivate Wordfence from the Plugins screen in wp-admin
Go to Wordfence settings and add your IP address to the whitelist
Set a higher failed login threshold so legitimate typos do not trigger a 24-hour block

The folder path is /wp-content/plugins/limit-login-attempts-reloaded/. Rename it to limit-login-attempts-reloaded_disabled.

Alternatively, for advanced users with phpMyAdmin access: open the wp_options table, search for the limit_login_lockouts option, and delete or clear that row. This resets all active lockouts without disabling the plugin entirely, which is the cleaner solution if you want to keep the plugin active.

The same folder-rename approach works for other WordPress security plugins that enforce login restrictions. The plugin folder name must match exactly. Check /wp-content/plugins/ in FTP for the exact directory name if you are unsure.

How to Fix a WordPress Lockout Caused by a Plugin or Theme Conflict

A broken plugin or theme blocks wp-admin access differently from a security lockout. You are not denied by a login gate. The dashboard itself fails to load, often returning a white screen, a fatal PHP error, or a redirect loop.

Disabling All Plugins via FTP

In FTP or your hosting File Manager, navigate to /wp-content/ and rename the entire plugins folder to plugins_disabled.

WordPress cannot find any plugin directories and deactivates everything simultaneously. This is faster than disabling plugins one by one and immediately tells you whether a plugin is the cause. If wp-admin loads after this, a plugin is responsible.

Rename the folder back to plugins, then go to the Plugins screen in wp-admin. WordPress will show all plugins as deactivated. Reactivate them one at a time, checking wp-admin after each activation, until the conflict reappears. That last plugin activated is the problem.

Isolating a Theme Conflict

Switch to a default theme without wp-admin access:

In FTP, navigate to /wp-content/themes/
Rename your active theme folder (for example, rename mytheme to mytheme_disabled)
WordPress falls back to the most recently installed default theme, such as Twenty Twenty-Four

If wp-admin loads after this step, the active theme was causing the conflict.

Check the WordPress debug log at /wp-content/debug.log for the exact file path causing the fatal error. The log entry will reference a specific plugin or theme file, which removes the guesswork from the isolation process entirely. To enable debug logging, add define('WP_DEBUG', true); and define('WP_DEBUG_LOG', true); to your wp-config.php file.

If you want more context on related WordPress access errors, the "sorry, you are not allowed to access this page" error and the WordPress parse error are 2 common issues that follow similar plugin-level troubleshooting paths.

How to Fix a WordPress Lockout via the functions.php File

This method creates a temporary admin account by adding a code snippet directly to your active theme's functions.php file. It works when you have FTP or File Manager access but no phpMyAdmin access.

The file is located at /wp-content/themes/[your-active-theme]/functions.php. Connect via FileZilla or your hosting File Manager, download the file, and open it in a plain text editor.

The Code to Add

Paste this block at the very bottom of functions.php, below all existing code:

function create_temp_admin() {
$user = 'temprecovery';
$pass = 'StrongPass2025!';
$email = '[email protected]';
if ( !username_exists($user) && !email_exists($email) ) {
$user_id = wp_create_user($user, $pass, $email);
$user_obj = new WP_User($user_id);
$user_obj->set_role('administrator');
}
}
add_action('init', 'create_temp_admin');

Save the file and upload it back to the server. Visit any page on your site to trigger the init hook. Then log in at wp-login.php using the credentials you set.

Go back to functions.php via FTP immediately after gaining access and delete the entire code block. Leaving it in place re-creates the account on every page load, which is a security risk and creates orphaned admin accounts over time.

Deleting the snippet does not remove the user account. The account persists until you delete it manually from the Users screen in wp-admin. Remove it or convert it to a subscriber role once the recovery is complete.

If you want to avoid direct file editing entirely, the WordPress updating failed error and functions.php conflicts often share the same FTP-based fix path, so the file access skills covered here apply across multiple recovery scenarios.

How to Fix a WordPress Lockout When wp-config.php Is Missing or Corrupted

A missing or broken wp-config.php produces one specific and unmistakable symptom: "Error establishing a database connection" appears on every page of the site, front end and back end both.

Incorrect database credentials in wp-config.php are the most common cause of this error (Kinsta, 2024). The fix is to replace or repair the file with correct database values sourced from your hosting panel.

Recreating wp-config.php from Scratch

What you need before starting:

Database name (found in cPanel under MySQL Databases)
Database username and password
Database host (usually localhost, but some hosts use a different value)
Table prefix (default is wp_, but may differ on your installation)

Download a fresh wp-config-sample.php from WordPress.org. Rename it to wp-config.php. Fill in the 4 database constant values with your credentials from cPanel, then upload the file to your site's root directory, overwriting the broken version.

When the Error Persists After Replacing the File

If the database connection error continues after the file replacement, the issue is at the database level, not the config file. Open phpMyAdmin, select your WordPress database, and run the built-in repair tool via the SQL tab.

Add this line temporarily to wp-config.php just before the "stop editing" comment:

define('WP_ALLOW_REPAIR', true);

Then visit yoursite.com/wp-admin/maint/repair.php to run the repair. Remove this line immediately after the repair completes. The repair page is publicly accessible without login, which is a direct security exposure.

For related database access issues, the could not save password reset key to database error follows a similar diagnostic path and is worth checking if the lockout persists after wp-config.php is restored.

How to Contact Your Hosting Provider to Regain Access

Use this as a last resort when you have no FTP access, no phpMyAdmin access, and no SSH access. Some hosting plans, particularly shared entry-level accounts, restrict direct server access entirely.

Host	Recovery Tool Available	Support Channel
WP Engine	Password reset in MyWPEngine dashboard	24/7 live chat
Kinsta	phpMyAdmin via MyKinsta panel	24/7 live chat
SiteGround	WordPress Toolkit one-click admin reset	24/7 phone and chat
Bluehost	File Manager + phpMyAdmin in cPanel	24/7 phone and chat

What to Request and What to Have Ready

Hosts like Kinsta and WP Engine often resolve access issues within minutes when contacted directly (Codeable, 2024).

Have this information ready before contacting support:

Your domain name and hosting account email
Account verification details (last 4 digits of payment method, or account PIN)
The exact error message or symptom you are seeing
A description of what changed before the lockout started

Ask specifically for one of 3 things: phpMyAdmin access to reset the admin password, FTP credential reset if your current credentials are not working, or a direct admin password reset via their server-side tools.

When to Escalate Beyond Standard Support

Standard hosting support handles credential resets and file access. They do not rebuild corrupted databases, remove malware, or debug fatal PHP errors in your theme or plugin code.

If the lockout involves database corruption, a malware infection, or broken core files, escalate to a WordPress-specific support service or hire a developer directly. Waiting on a tier-1 support queue for a problem outside their scope wastes time during an active outage.

How to Prevent Future WordPress Lockouts

Most WordPress lockouts are preventable. The fix methods above recover access after the fact. These steps stop the problem before it starts.

70% of WordPress admin accounts that use 2FA report the measure as their most-used security layer (Melapress, 2024). Separately, 87% of WordPress site owners who have backups have never tested restoring them (Databarracks, 2024), which means their recovery safety net may fail exactly when needed.

Credential and Access Management

Store all admin credentials in a dedicated password manager. Bitwarden and 1Password both support secure notes where you can store recovery details alongside the password itself.

Keep a second admin account on every WordPress installation. Use a different email address from the primary account. This costs nothing and eliminates a full category of lockout scenarios instantly.

Never use "admin" as a username. It is the first credential brute force bots attempt on every WordPress site.

Security Plugin Configuration

Security plugins cause a large share of self-inflicted lockouts. Configure them correctly before they lock you out, not after.

Before activating any login-limiting plugin:

Add your IP address to the plugin's whitelist
Set the failed login threshold to at least 5 attempts (not the default 3)
Set lockout duration to 20 minutes for first offense, not 24 hours
Enable email notification on lockout so you know when it triggers

For reference on comparing security plugin options before installing one, the Sucuri vs Wordfence comparison covers the key behavioral differences between the 2 most widely used WordPress security plugins.

Backup and Recovery Infrastructure

A reliable backup changes a lockout from a crisis into a minor inconvenience. Without one, a database corruption event can mean hours of manual recovery work.

Minimum backup setup for any WordPress site:

Daily automated backups stored off-site (not only on the same server)
Retention of at least 30 days of backup history
A tested restore process, run at least once after initial setup

UpdraftPlus and BlogVault are the 2 most reliable backup solutions for WordPress with off-site storage and tested restoration workflows. For more on maintaining a full WordPress recovery process, the guide on how to back up a WordPress site covers both plugin-based and manual methods in full detail.

Finally, set a recovery email address that is separate from your site's primary business email. If your business email is compromised alongside your WordPress credentials, you need a fallback that is not part of the same attack surface. Related WordPress admin access issues worth reviewing include the can't login to WordPress error and WordPress session expired, both of which often surface alongside the lockout scenarios covered in this guide.

FAQ on How To Fix The Locked Out Of WordPress Error

What causes the locked out of WordPress error?

The 4 most common causes are forgotten admin credentials, a security plugin blocking access after failed login attempts, a plugin or theme conflict breaking wp-admin, and a corrupted wp-config.php or failed database connection.

How do I reset my WordPress password without email access?

Open phpMyAdmin through your hosting control panel, navigate to the wp\users table, find your admin account, and update the user\pass field with a new password using MD5 selected from the Function dropdown. Log in immediately after.

Can I fix a WordPress lockout without FTP?

Yes. Use phpMyAdmin to reset your password or create a new admin account. Your hosting panel's File Manager is another option. Hosts like WP Engine and SiteGround also offer direct admin reset tools inside their dashboards.

How do I disable a plugin that locked me out of WordPress?

Connect via FTP using FileZilla and navigate to /wp-content/plugins/. Rename the problem plugin's folder, for example from wordfence to wordfence_disabled. WordPress deactivates the plugin automatically. Log in, then re-enable and reconfigure it.

What is the fastest way to recover WordPress admin access?

WP-CLI is the fastest method if you have SSH access. Run wp user update 1 --user_pass="newpassword" from the command line. It resets the password in seconds using WordPress's own functions, with no database navigation required.

A recently updated plugin likely introduced a PHP conflict that breaks wp-admin. Via FTP, rename the entire /wp-content/plugins/ folder to deactivate all plugins at once. If the login page loads after that, reactivate plugins one by one to find the conflict.

How do I create a new WordPress admin account without dashboard access?

Insert a new row into the wp\users table via phpMyAdmin with your credentials. Then add 2 rows to wp\usermeta: set wp\capabilities to a:1:{s:13:"administrator";b:1;} and wp\user\_level to 10. Log in with the new account.

Can a corrupted wp-config.php lock me out of WordPress?

Yes. A missing or broken wp-config.php triggers an "Error establishing a database connection" on every page. Download a fresh wp-config-sample.php from WordPress.org, rename it, enter your database credentials from cPanel, and upload it to your site root.

How do I prevent getting locked out of WordPress again?

Keep a second admin account active at all times using a separate email address. Store credentials in a password manager like Bitwarden. Whitelist your IP in security plugins before activating lockout features. Run daily off-site backups using UpdraftPlus or BlogVault.

Should I contact my hosting provider if I am locked out of WordPress?

Yes, as a last resort when FTP and phpMyAdmin access are both unavailable. Hosts like Kinsta, WP Engine, and SiteGround offer password reset tools or direct database access through their support teams, often resolving access issues within minutes.

Conclusion

This conclusion is for an article on how to fix the locked out of WordPress error, and the core takeaway is simple: every scenario has a fix.

Whether the cause is a failed database connection, a security plugin blocking your IP, or a theme conflict crashing wp-admin, the recovery path exists.

Reset the user\_pass field via phpMyAdmin. Rename the plugins folder through FTP. Use WP-CLI if SSH is available. Each method targets a specific cause.

Regaining access is only half the job. Set up a second admin account, whitelist your IP in Wordfence or iThemes Security, and schedule automated off-site backups with UpdraftPlus.

A lockout handled once should never happen twice.

Albert Ślusarczyk

As the co-creator of Be Theme, I am a strong believer in designing with care and patience. I pour my energy, time & knowledge into perfecting the theme for our 260,000+ customers.