Fix “You Have Been Locked Out” from iThemes Pro

If you have iThemes Pro like I do, you may come across an unfortunate situation where the entire site locks up for all users everywhere. All communications seem to stop, nobody can get in from any IP anywhere. Not to the backend, not to the frontend, nowhere!

You can try using a VPN, try from different networks, your phone, have your friends get on, and everyone is locked out. If you have remote control software like MainWP or ManageWP, they have broken connections too, because all traffic is blocked!

If you check a service like or then they will report it’s down.

No fear, you jump on Google and search for a way to unlock IP addresses. If you’re lucky, you have access to the database and you go hunting for the table “itsec_lockouts” (prefixed by your DB prefix). There might be a few entries here, but the problem is, it’s not one IP that’s locked out, it’s the whole world! So you go ahead and delete all the lockouts anyway.

Here you see I have no lockout records at all, yet nobody can reach the site.

My IP is whitelisted in iThemes, of course! But that doesn’t mean anything in this situation.

I clear all the caches at the host, just in case a block is just stuck as a cached page, nope!

I have the magic links and reCAPTCHA and all that enabled, but I’m not offered the option, just a “you have been locked out” and no hope of release.

There is only one way I’ve found to release the blasted message, and that is to disable the iThemes plugin entirely. The easiest way I know to get to this is over FTP or through your host control panel if they have a file browser. Go into wp-content/plugins and rename the folder “ithemes-security-pro” to “.ithemes-security-pro” by adding a period at the beginning. This “hides” the folder and thus removes the plugin. Then WordPress will work fine.

After disabling it and getting back in the system, I cleaned up more of the DB records just for the heck of it. Then I reinstalled iThemes Pro fresh, it didn’t break after activating it. I went through the settings and made sure it was all good. I made the lockouts a little less aggressive. I made sure not only my own IP was in the whitelist, but this time I added the IP to my MainWP server, and the host itself (SiteGround) just because.

Hopefully this doesn’t happen to you, but now you know what I did. And I still can’t figure out what part of iThemes would possess it to block ALL traffic when it’s only supposed to have blocks on specific IPs or specific usernames, not all traffic from everywhere. This is the second time it’s happened to me, and I would consider it a bug.

Hope that helps!