What this problem is
After too many failed logins, your IP may be blocked by a security plugin, a web application firewall (WAF), or the hosting firewall.
Why it happens
- Security plugin limit login attempts feature
- WAF rule triggered by repeated login requests
- Hosting firewall (Imunify360, ConfigServer, etc.) auto-block
Prerequisites
- Access to hosting panel (or support) to view firewall/WAF blocks
- Optional: FTP/File Manager access to disable a plugin if needed
Diagnosis
- Check if the login page shows a message like blocked/too many attempts.
- Check server logs or WAF events in the hosting panel.
- Try from a different network (mobile data). If it works there, it is likely an IP block.
Detailed steps
Step 1) Identify what is blocking you
- If you use Wordfence, iThemes Security, Limit Login Attempts, etc., start there.
- If you have Cloudflare, check Security > Events and WAF.
- If your host provides Imunify360/Firewall, check blocked IP list.
Step 2) Whitelist your IP or remove the block
In the relevant tool, remove the blocked IP entry or add it to the allowlist. If you do not have access, contact hosting support and provide your current public IP.
Step 3) If you cannot access wp-admin, disable the security plugin
Rename the plugin folder inside wp-content/plugins (example: wordfence to wordfence.disabled).
Expected result: you can access the login again.
Expected results
- Your IP is unblocked and you can log in normally
- Security rules remain active with a safer configuration
What to do if it fails
- If you are behind a VPN, disable it and try again (IP changes can trigger blocks)
- Check that the allowlist supports IPv6 if your ISP uses it
- Ask the host to confirm the exact block source (WAF vs firewall vs plugin)
Best practices
- Enable 2FA for admin accounts instead of only tightening attempt limits
- Set reasonable lockout thresholds and lockout duration
- Keep admin usernames non-trivial and use strong passwords