How to Fix Solid Security Lockouts in WordPress

Written by: Abigail Ivy
Published on:

Solid Security lockouts can block legitimate users, administrators, or even your own IP address from accessing WordPress.

This guide explains the most common causes and shows how to fix them without disabling the protection that keeps your site safe.

What Solid Security lockouts are

Solid Security, formerly iThemes Security, uses login protection, file change detection, and brute-force defenses to stop suspicious activity.

A lockout usually means the plugin has flagged a user, IP address, username, or host as risky based on repeated failed logins, pattern-based rules, or temporary security limits.

In many cases, a lockout is intentional and temporary.

The problem starts when a legitimate user is blocked because of a misconfigured setting, a shared IP address, a VPN, a caching issue, or an aggressive rate-limit rule.

Why lockouts happen

Understanding the trigger makes the fix much faster.

Solid Security lockouts often come from one of these causes:

  • Too many failed login attempts from the same IP address
  • Brute-force protection set too aggressively
  • Username or password reset requests triggering login limits
  • VPNs, proxies, or shared networks causing false positives
  • Admin actions that trip security rules after a site migration
  • Malformed .htaccess or server-level rules interfering with access
  • Security features conflict with another plugin, firewall, or host-based protection

If the lockout affects only one account, the issue is often credential-related.

If multiple users are blocked, the cause is more likely to be an IP rule, network rule, or global login policy.

How to fix Solid Security lockouts from the dashboard

If you can still access WordPress through another administrator account, the easiest fix is in the Solid Security settings.

Go to the plugin’s security and lockout controls and review the active restrictions.

Check the lockout logs

Start with the lockout or activity logs to identify whether the plugin blocked an IP, a username, or a user agent.

The log entry usually shows the reason, the time of the event, and the duration of the lockout.

That information helps you decide whether to wait it out or adjust the rules.

Release the blocked IP or user

If the plugin provides a way to remove a specific lockout, clear only the affected IP address or username.

Avoid disabling the entire protection system unless you are troubleshooting and have a plan to restore it.

Reduce overly strict login limits

Review the settings for failed login thresholds, lockout duration, and repeated offense rules.

A small site with trusted users usually does not need the same restrictions as a high-risk public login area.

Increasing the allowed attempts slightly or shortening the lockout duration can prevent repeat false positives.

How to fix Solid Security lockouts when you cannot log in

If you are locked out of wp-admin, you need a recovery path that does not rely on the dashboard.

The safest method depends on your hosting access and whether you can use FTP, SFTP, or a file manager.

Use FTP or hosting file manager to disable the plugin

Rename the Solid Security plugin folder temporarily so WordPress cannot load it.

For example, change the plugin directory name through FTP or your host’s file manager.

After renaming the folder, try logging in again.

Once you regain access, restore the folder name and adjust the settings that caused the lockout.

Check whether your IP is blocked at the server level

Some hosts or security layers add their own blocks on top of WordPress security plugins.

If login attempts still fail after disabling the plugin, ask your host whether your IP address has been blocked by a web application firewall, ModSecurity rule, or host-level security policy.

Clear browser and caching issues

Cached login pages, stale cookies, and browser extensions can make a resolved lockout appear unresolved.

Test the login in a private browser window, clear site cookies, and try a different browser or device before assuming the problem is still active.

How to review the most important settings

After restoring access, examine the settings that most often lead to lockouts.

These are the controls that usually need fine-tuning on production sites.

  • Login attempts: Set reasonable limits for failed logins before a lockout begins.
  • Lockout duration: Shorten the time if legitimate users are frequently blocked.
  • Whitelist: Add trusted administrator IP addresses only if they are stable.
  • Trusted devices: Use cautiously if staff members log in from different networks.
  • Two-factor authentication: Enable it to reduce repeated failed logins from weak passwords.
  • Ban lists: Audit any custom block rules for accidental matches.

Be careful with whitelisting.

An IP address that changes often, such as a home connection or mobile carrier network, can create a false sense of security or cause future access issues when it changes.

When lockouts are caused by a security conflict

Some lockouts are not caused by failed logins at all.

They result from conflicts between Solid Security and other plugins or infrastructure components.

Common conflict sources

  • WordPress caching plugins that cache login or admin pages
  • Cloudflare or another CDN applying bot protection
  • Another security plugin enforcing similar brute-force rules
  • Server-side WAF rules matching the same request patterns
  • Custom login URLs or membership plugins altering authentication flows

If you suspect a conflict, disable one security layer at a time and test carefully.

The goal is not to remove protection, but to avoid overlapping controls that create repeated blocks for real users.

How to prevent future lockouts

The best fix is a stable configuration that protects the site without interrupting normal use.

A few practical habits reduce false lockouts significantly.

  • Use strong passwords and a password manager for every admin account
  • Require two-factor authentication for administrators and editors
  • Limit the number of users with administrative privileges
  • Monitor login logs weekly for unusual patterns
  • Keep WordPress, Solid Security, themes, and plugins updated
  • Test major security changes on a staging site first

For teams, document which IP addresses, accounts, and recovery methods are approved.

That makes it easier to troubleshoot when someone gets blocked after a travel day, office move, or VPN change.

When to contact your host or a developer

If lockouts happen repeatedly even after adjusting the settings, the issue may be deeper than the plugin.

Contact your hosting provider if you see server-level blocks, suspicious firewall activity, or login failures that persist after disabling Solid Security.

Reach out to a WordPress developer if custom code, membership logic, or a custom login flow is involved.

Use logs from Solid Security, your hosting panel, and any CDN or firewall service to pinpoint the source.

The more precisely you identify the rule that triggered the block, the less likely you are to weaken your site’s overall security while solving the problem.

Quick checklist for fixing Solid Security lockouts

  • Review the lockout log and identify the blocked IP, user, or rule
  • Release the affected account or address if the plugin allows it
  • Temporarily disable the plugin through FTP if you cannot log in
  • Check host-level firewall, WAF, CDN, and cache layers
  • Lower aggressive login restrictions if legitimate users are being blocked
  • Test the login from another browser, network, or device
  • Re-enable only the protections you actually need

By treating lockouts as a configuration problem rather than a plugin failure, you can restore access quickly and keep Solid Security doing its job.