Can't Access Your Own Site? Read This Guide
If you ever get blocked/locked out of your own site as a result of Shield, for whatever reason, you can always forcefully turn off all restrictions made by it. This will keep plugin active allowing you to get back in and change settings (debug the problem).
Please note that, if you remove a "forceoff" file before changing plugin settings (debug the problem), the problem will return. Removing this file is always the last action (step) to take.
If you are a site owner/admin, feel free to use this guide to search for the type of the block or block message and follow the recommended steps. You can also find some useful info/suggestions, bonus tips and important points to note.
Important: If you get blocked/locked out and you have your own Custom Security Rules set, please forceoff and disable your rules. Then, test to see if the problem is solved. If yes, change rules to prevent the problem. If not solved, use this Guide.
Unblocking & Debugging Guide For Site Owners/Admins
BLOCK TYPE |
BLOCK MESSAGE |
RECOMMENDED ACTIONS (STEPS) |
ADDITIONAL INFO / SUGGESTIONS |
| Blocked/blacklisted by Shield entirely. | Access Restricted Access from your IP address has been temporarily restricted. |
Follow this guide here. |
This is the general block message. It means that the
offense limit has been reached and the IP is blocked entirely.
This could be the combination of offenses, i.e. failed login, firewall, etc. Best is to see what your activity log says first and change settings based on it.
Activity Log Viewer and
Glossary are your best allies. Also use this guide for solutions.
If you want to change any of the IP block settings,
you can do so here. Or, to decrease auto-block expiration,
please see here.
|
| Not getting 2FA login code, can't login at all. | You use 2FA-by email but not getting email with 2FA login code. |
|
Shield uses WordPress' normal email sending system. If email isn't arriving, that means that it's getting blocked somewhere. You can check your activity log and see that email is attempted probably sent. The problem with using WordPress and your server to send emails is that it's unpredictable and unreliable. It might work today, and not tomorrow, or not work at all. WordPress sites and servers just aren't meant to send emails. We discuss this further here. You'll need to assess your email deliverability on your WordPress site by using a dedicated and properly configured email system such as Postmark. If you're a ShieldPRO member, you can also use our SureSend for admins - a dedicated email delivery service to send the 2FA code. |
| 2FA code accepted but reverted back to the OTP screen. | You supply the 2FA login code but instead of being logged in, you're sent back to the OTP screen - prompted to supply the code again. |
In this case,
forceoff likely won't work. It's probably page cache.
|
Page caching simply returns data/pages from “memory”, regardless of what plugins you have installed, or removed. So if your caching plugin (or system or even browser) caches a Shield block or OTP page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin. We explain this further in our blog post here. |
| 2FA Google Authentication, can't login at all (OTP screen). | You've lost your phone, or replaced or reset and cannot supply your GA code. | Reset Google Authenticator for your user account by following this guide here. | We recommend using Authy App for Google Authenticator backups. |
| 2FA (OTP) timeout expired, can't login. | For example, you receive 2FA login code but can't use it because the OTP timeout has expired. | Use filter to extend this timeout by following the guide outlined here. | Shield's 2FA timeout defaults to 5 minutes. This means that a user must supply their 2FA code(s) within this time or they'll need to start again (re-login). Some email providers can be a bit slow at times with their email delivery, and 5 minutes isn't long enough. To provide a bit more time, you can use a filter to extend the timeout to as many minutes as you need. |
| Firewall block warning, offense triggered, not blocked entirely. Still have access to your site admin. | Request Blocked Firewall terminated the request because it triggered a firewall rule. |
Follow this guide here. | If you're a ShieldPRO member, we highly recommend having auto-unblock link sent by email option turned on. In this way, when you're still logged in but blocked entirely, you can unblock yourself instantly. Regarding firewall, there is an option " Ignore Administrators". Not recommended but you can use it if you want. |
| Keep getting logged out. | You login, but then keep getting logged out repeatedly. | This could be User Session Lock options but to be sure, better to follow this guide here. | Apart from the recommended steps, please check your IP source detection settings with Shield. Also, disable page cache. |
| Security Admin warning, offense triggered, not blocked entirely. | Failed authentication using Security Admin PIN. | Follow this guide here. | We highly recommend having ' Allow Email Override' option turned on. In this way, you can disable Security Admin and unblock yourself instantly. If you're a ShieldPRO member, you may use Persistent Security Admins option. |
| You load your ' wp-login.php' page but getting 404 error - can't login at all. | Not Found The requested URL /wp-loginphp was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache Server at Port 443 |
|
If you've renamed WordPress login page (wp-login.php), the only way to access it is through the new URL you have created. Otherwise, you'll get 404 error. After you hide WordPress login page, this is what can happen and what behaviour you can expect. If you try to access your custom login URL you should not be getting 404 error. But if you do, this is likely page caching. Often caching can cause problems if it's misconfigured or the cache is stale. If you're going to use Caching - if anything ever stops working disable and clear your caches and then check functionality. If it's working again, try re-enabling your cache. |
Warning: Bot Check Failed. Can't login at all. |
User failed Bot check. | Follow this guide here. | This blocking message is related to the AntiBot System Engine (ADE). |
| Forceoff doesn't work, still can't login. | Forceoff is in place but you still can't login as the result of Shield. |
|
If forceoff doesn't take any effect, it's likely caching. Page caching causes a lot of trouble for many things. If you get weird inconsistent behaviour like a plugin running on a site while the code isn’t even there, then it's caching. Page caching simply returns data/pages from “memory”, regardless of what plugins you have installed, or removed. So if your caching plugin (or system or even browser) caches a Shield block page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin. We explain this further in our blog post here. |
| AntiBot System warning message, not blocked, still have access to your site admin. | Important: Shield couldn't determine whether the NotBot JS was loading correctly on your site. | Follow this guide here. | This is a warning that the AntiBot detection Engine (ADE) doesn't work on your site. |
| Site locked. Can't access it at all. | Site is Under Lockdown Access to this site has been temporarily restricted. |
|
To prevent this, please ensure that your IP is whitelisted during lockdown. |
Bonus Tips
#1 Unblock your IP instantly
Instead of forceoff, you can unblock (remove your IP from the block list) instantly by using the 'unblock' file flag.
But, if you keep getting blocked, best is to go for a forceoff method and then use this guide for further actions and solutions.
#2 Recover your login with 2FA backup codes
If you lose access to your device or your email, you will need a backup code to regain access to your WordPress site.
Use Shield's Allow Backup Code feature to generate a backup code that can be used to login if Multi-Factor Authentication factors are unavailable.
#3 Activity Log Viewer and Activity Log Glossary
Activity Log is your note-taker. You can use it to see what exactly has been happening on your site so you can easily look back on events and analyse what happened and what may have gone wrong.
Activity Log Glossary will help you to interpret logs and tell you what plugin settings you should check and what actions to take.
Using both always is highly recommended.
#4 Page cache
Page cache is something you should clear/disable first when something ever stops working. Disable and clear your caches first and then check functionality.
Page cache (plugin, browser, system) can be very problematic for the dynamic sites.
For example, if your caching plugin caches a Shield block or OTP page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin.
We recommend these 5 golden rules to implement for your site optimisation.
#5 Plugin reset
If you decide to reset plugin to the default settings, please follow this guide here.
Please note that, when you reset, you'll loose the all previously saved settings.
#6 Disable plugin temporarily
If you can't access your site but need to temporarily disable plugin, you can do that via your FTP for that site.
Just browse the plugin folder: ..../wp-content/plugins/wp-simple-firewall/, and rename it to anything you want, i.e. 'dis-wp-simple-firewall'. The plugin will be automatically switched off.
When you disable plugin, you will not loose your previously saved settings.
#7 Helpdesk solution articles
Most of the issues are covered in our Help Center. Feel free to use it to search for the solution to the problem you have.
There are also Info and Blog links for the all plugin options and a Help Widget and search box with instant access to the solution articles:
Important Points To Note
#1 Ensure that it's really Shield causing the problem
Sometimes it may look like the problem is caused by Shield but it isn't. If you're unsure if Shield or not, best is to disable it temporarily and test.
As mentioned above, you can do this via your FTP by renaming the plugin folder ' wp-simple-firewall/' to anything you want.
If the problem remains after disabling Shield, then it's not Shield - something else causing it on your site. We can't help in those scenarios but you can always try disabling all your other plugins and then re-enable 1 by 1 and test to find the culprit. You can do the same with your themes (disable all and switch to the WP default theme). Once you find the culprit, reach out the their support and let them know what you've found. Also, talk to your host - maybe they can help too.
#2 Plugin conflict
Shield Security plugin is split up into several distinct and independently running modules. Each module does something different and with the huge array of WordPress plugins out there, you may find a conflict between what's running on your site, and our security plugin.
This doesn't mean anything is broken, the problem is just the sharing of data between plugins and how each plugin handles things differently. Sometimes we can work around plugins, sometimes they can improve their code to work better with the plugin... it just depends.
Detecting the conflict is very important step to take because the problem can be resolved easily. Please see here how to debug and help developers.
How To Get Support
If you don't find this guide helpful and you cannot find the solution to the problem by using our Help Center, this is how to reach out to us directly.
ShieldPRO customers can log into their Pro account and use this support page here: