iThemes Security Lockout Fix

The Definitive Guide to Fixing iThemes Security Lockouts

iThemes Security (formerly Better WP Security) is a powerful and popular WordPress security plugin designed to protect your website from a myriad of threats, including brute-force attacks, vulnerability exploits, and unwanted bots. While its robust features are invaluable for site protection, they can occasionally lead to an unintended consequence: locking out legitimate users, including yourself, the site administrator. This can be a frustrating and panic-inducing experience, especially if you rely on your website for business or communication.

This comprehensive guide is engineered for administrators, developers, and even advanced users who find themselves in the unenviable position of being locked out by iThemes Security. We will delve deep into the mechanics of these lockouts, provide multiple expert-level solutions, offer preventative strategies, and address common pitfalls. Our goal is to equip you with the knowledge and actionable steps to regain control of your WordPress site swiftly and securely.

Step-by-Step Guide: How to Fix an iThemes Security Lockout

Before attempting any of these steps, it is always recommended to have a recent backup of your website. While these methods are designed to be safe, mistakes can happen, and a backup provides a critical safety net.

Prerequisites for Most Fixes:

  • Hosting Control Panel Access: (e.g., cPanel, Plesk, DirectAdmin) to manage files (File Manager) and databases (phpMyAdmin).
  • FTP Client: (e.g., FileZilla) for direct file access if File Manager is unavailable or preferred.
  • Basic Understanding of WordPress File Structure: Knowing where wp-content, plugins, and .htaccess are located.

Method 1: Whitelisting Your IP (If Partial Access is Available)

This method is only viable if you haven't been completely locked out of your WordPress admin area, or if the lockout is temporary and you've regained access. It's a proactive measure or a quick fix if the lockout is still pending.

  1. Find Your Current IP Address: Go to a site like What Is My IP Address to find your public IP.
  2. Access iThemes Security Settings: Navigate to Security > Settings > Global Settings in your WordPress admin.
  3. Add to Authorized Hosts: Locate the "Authorized Hosts" section. Add your current IP address to the list. This tells iThemes Security to always trust connections from this IP.
  4. Save Settings: Ensure you save your changes to prevent future lockouts from your own IP.

Method 2: Disabling iThemes Security Plugin via FTP/File Manager (Most Common Fix)

This is often the quickest and safest way to regain access when completely locked out.

  1. Connect to Your Website: Use an FTP client (like FileZilla) or your hosting control panel's File Manager.
  2. Navigate to the Plugins Directory: Go to /wp-content/plugins/.
  3. Rename the iThemes Security Folder:
    • For iThemes Security Free: Rename better-wp-security to something like better-wp-security-DISABLED.
    • For iThemes Security Pro: Rename ithemes-security-pro to something like ithemes-security-pro-DISABLED.

    Renaming the folder effectively deactivates the plugin, as WordPress can no longer find its files.

  4. Access WordPress Admin: Log in to your WordPress dashboard. You should now be able to access it. You'll see a notification that the plugin has been deactivated due to an error (because its folder was renamed).
  5. Reactivate and Reconfigure:
    • Go back to your FTP/File Manager and rename the plugin folder back to its original name (e.g., better-wp-security).
    • In your WordPress admin, go to Plugins and reactivate iThemes Security.
    • Immediately navigate to Security > Settings > Global Settings and add your IP address to the "Authorized Hosts" list. Review other lockout settings to prevent recurrence.

Method 3: Deactivating Plugin via Database (phpMyAdmin)

This method is useful if Method 2 fails or if you prefer direct database manipulation. It requires more caution.

  1. Access phpMyAdmin: Log into your hosting control panel and find phpMyAdmin.
  2. Select Your WordPress Database: From the left sidebar, select the database associated with your WordPress installation.
  3. Locate the wp_options Table: (or yourprefix_options, where yourprefix is your database prefix).
  4. Find the active_plugins Option:
    • Browse the table or use the search function to find the option_name called active_plugins.
    • Click "Edit" on this row.
    • The option_value field contains a serialized array of all active plugins. You need to carefully remove the entry for iThemes Security.
    • Caution: Editing serialized data incorrectly can break your site. If unsure, consider the next step instead.
  5. Alternative Database Deactivation (Safer for iThemes):
    • Search for option_name itsec_active. If it exists, change its option_value from 1 to 0. This effectively tells iThemes Security to deactivate itself.
    • Also, look for itsec_temp_lock_out or similar transient options that might be storing lockout data and delete them.
  6. Access WordPress Admin: You should now be able to log in. Reactivate and reconfigure iThemes Security as in Method 2.
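The risk in step 4 is that every string in the serialized option_value carries a byte-length prefix and the array carries an element count, so deleting an entry by hand leaves the value inconsistent. The following is an added example, not code from the plugin or from this guide's author: it parses the value strictly, drops any entry under the two plugin folders named in Method 2, and re-serializes with correct counts. The sample value and the other plugin names in it are constructed.

```python
import re

# Plugin folder names taken from Method 2 (free and Pro editions).
ITSEC_DIRS = ("better-wp-security/", "ithemes-security-pro/")

def parse_active_plugins(value: str) -> list[str]:
    """Strictly parse a PHP-serialized list of strings: a:N:{i:0;s:L:"...";...}"""
    data = value.encode("utf-8")  # PHP length prefixes count bytes, not characters
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized array")
    count, pos, items = int(head.group(1)), head.end(), []
    for index in range(count):
        m = re.compile(rb'i:%d;s:(\d+):"' % index).match(data, pos)
        if not m:
            raise ValueError(f"unexpected data at element {index}")
        start, length = m.end(), int(m.group(1))
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError(f"length prefix wrong at element {index}")
        items.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if data[pos:] != b"}":
        raise ValueError("trailing data after last element")
    return items

def serialize_plugins(items: list[str]) -> str:
    """Re-index from 0 and recompute every length prefix and the element count."""
    body = "".join(f'i:{i};s:{len(p.encode("utf-8"))}:"{p}";' for i, p in enumerate(items))
    return f"a:{len(items)}:{{{body}}}"

def drop_itsec(value: str) -> str:
    """Return the option_value with the iThemes Security entries removed."""
    kept = [p for p in parse_active_plugins(value) if not p.startswith(ITSEC_DIRS)]
    return serialize_plugins(kept)

# Constructed sample option_value, not taken from a real site.
SAMPLE = ('a:3:{i:0;s:19:"akismet/akismet.php";'
          'i:1;s:41:"better-wp-security/better-wp-security.php";'
          'i:2;s:24:"wordpress-seo/wp-seo.php";}')

if __name__ == "__main__":
    print(drop_itsec(SAMPLE))
```

Paste the current option_value in place of SAMPLE and write the printed result back in phpMyAdmin; a ValueError means the stored value is already inconsistent and should not be edited blindly.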

Method 4: Removing Specific Lockout Entries from Database (phpMyAdmin)

This targets the lockout record itself, allowing the plugin to remain active but releasing the specific lockout. Use this if you want to keep the plugin active but bypass a specific lockout.

  1. Access phpMyAdmin: Log into your hosting control panel and find phpMyAdmin.
  2. Select Your WordPress Database.
  3. Locate the wp_itsec_lockouts Table: (or yourprefix_itsec_lockouts).
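  4. Clear or Delete Entries: Browse this table. You'll see records of active lockouts, often including IP addresses, timestamps, and lockout types. Select and delete the entries relevant to your lockout (or clear the entire table if you're unsure and want a clean slate). Note that clearing the whole table also releases every other host that is currently locked out, so prefer deleting only the rows that match your own IP.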
  5. Check wp_options for Transient Lockouts: In the wp_options table, search for entries with option_name like _itsec_lockout_host_ip_YOUR_IP or _transient_itsec_lockout_host_YOUR_IP and delete them.
  6. Access WordPress Admin: You should now be able to log in.

Method 5: Editing .htaccess File (Advanced)

iThemes Security often writes rules directly into your .htaccess file for various protections (e.g., file permissions, directory browsing, brute force). If a lockout is persistent, especially after deactivating the plugin, the .htaccess rules might still be blocking you.

  1. Connect to Your Website: Use FTP or File Manager.
  2. Locate the .htaccess File: This file is usually in the root directory of your WordPress installation. It might be hidden, so ensure your FTP client or File Manager is set to show hidden files.
  3. Backup .htaccess: Download a copy of your current .htaccess file to your computer. This is CRITICAL.
  4. Edit .htaccess: Open the .htaccess file for editing.
  5. Identify and Remove iThemes Security Rules: Look for blocks of code typically enclosed by comments like:
    # BEGIN iThemes Security
    # Various iThemes Security rules...
    # END iThemes Security

    Carefully delete these entire blocks. There might be multiple such blocks for different modules.

  6. Save and Upload: Save the modified .htaccess file and upload it back to your server, overwriting the old one.
  7. Test Access: Attempt to log in to your WordPress admin.
  8. Reconfigure iThemes Security: Once access is restored, reactivate iThemes Security (if you had deactivated it) and let it rewrite its rules. Review your settings to prevent future issues.
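Step 5 can be done mechanically on the downloaded copy of .htaccess. The following is an added example, not code from the plugin or from this guide's author: it removes every block between the marker comments shown above, leaves all other rules (such as the WordPress block) untouched, and refuses to change anything if a marker is unmatched. It assumes the marker lines start with the text shown in step 5; the directives in the sample are constructed.

```python
import re

# Assumption: marker lines begin with the comments shown in step 5 and may
# carry extra text after them.
BEGIN = re.compile(r"^\s*#\s*BEGIN iThemes Security\b")
END = re.compile(r"^\s*#\s*END iThemes Security\b")

def strip_itsec_blocks(text: str) -> tuple[str, int]:
    """Return (.htaccess text without iThemes Security blocks, blocks removed).

    Raises ValueError on an unmatched marker instead of guessing where a block ends.
    """
    kept, removed, inside = [], 0, False
    for number, line in enumerate(text.splitlines(keepends=True), start=1):
        if BEGIN.match(line):
            if inside:
                raise ValueError(f"line {number}: BEGIN inside an open block")
            inside = True
        elif END.match(line):
            if not inside:
                raise ValueError(f"line {number}: END without BEGIN")
            inside, removed = False, removed + 1
        elif not inside:
            kept.append(line)
    if inside:
        raise ValueError("BEGIN marker never closed; nothing was changed")
    return "".join(kept), removed

# Constructed sample file; the rules inside the markers are illustrative only.
SAMPLE = """\
# BEGIN iThemes Security
Options -Indexes
# END iThemes Security

# BEGIN WordPress
RewriteEngine On
# END WordPress
# BEGIN iThemes Security
<Files "wp-config.php">
Require all denied
</Files>
# END iThemes Security
"""

if __name__ == "__main__":
    cleaned, count = strip_itsec_blocks(SAMPLE)
    print(f"removed {count} block(s)")
    print(cleaned, end="")
```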

Preventing Future Lockouts

Prevention is always better than cure. Implement these practices to minimize your chances of an iThemes Security lockout:

  • Whitelist Your IP: Proactively add your static IP address (or a range if it's dynamic but within a known range) to iThemes Security's "Authorized Hosts" list.
  • Use Strong Passwords and 2FA: This reduces the likelihood of brute-force attacks triggering lockouts.
  • Adjust Lockout Thresholds: In iThemes Security settings, review and adjust the "Lockout Threshold" and "Minutes to Remember Bad Login" settings under Security > Settings > Brute Force. Be reasonable – too strict, and you might lock yourself out; too lenient, and you compromise security.
  • Utilize Security Logs: Regularly check your iThemes Security logs (Security > Logs) to understand why lockouts are occurring. This can reveal patterns or specific threats.
  • Keep Everything Updated: Ensure WordPress core, themes, and all plugins (especially iThemes Security) are always updated to their latest versions.
  • Regular Backups: Maintain a consistent backup schedule. This is your ultimate safety net.
  • Unique Login URLs: Consider changing your default WordPress login URL (wp-admin or wp-login.php) using iThemes Security's "Hide Backend" feature. This makes it harder for bots to find your login page.