Can't Access Your Own Site? Read This Guide
If you ever get blocked/locked out of your own site as a result of Shield, for whatever reason, you can always forcefully turn off all restrictions made by it. This will keep plugin active allowing you to get back in and change settings (debug the problem).
Please note that, if you remove a "forceoff" file before changing plugin settings (debug the problem), the problem will return. Removing this file is always the last action (step) to take.
If you are a site owner/admin, feel free to use this guide to search for the type of the block or block message and follow the recommended steps. You can also find some useful info/suggestions, bonus tips and important points to note.
Unblocking & Debugging Guide For Site Owners/Admins
| Block Type | Message |
Recommended Action (steps) |
Useful Info and Suggestions |
|---|---|---|---|
| Blocked/blacklisted by Shield entirely.
|
You've been blocked by the ShieldPRO plugin. Time remaining on the black list: X minutes You tripped the security plugins defenses a total of X times making you a suspect. |
These steps are best explained here. |
This is the general block message. It means that the
offense limit has been reached and the IP is blocked entirely.
This could be the combination of offenses, i.e. failed login, firewall, etc. Best is to see what your activity log says first and change settings based on it.
Activity Log Viewer and
Glossary are your best allies. Also use this guide for solutions.
If you want to change any of the IP block settings,
you can do so here. Or, to decrease auto-block expiration,
please see here.
|
| Not getting 2FA login code, can't login at all. | You use 2FA-by email but not getting email with 2FA login code. |
|
Shield uses WordPress' normal email sending system. If email isn't arriving, that means that it's getting blocked somewhere. You can check your activity log and see that email is probably sent. The problem with using WordPress and your server to send emails is that it's unpredictable and unreliable. It might work today, and not tomorrow, or not work at all. WordPress sites and servers just aren't meant to send emails. We discuss this further here. You'll need to assess your email deliverability on your WordPress site by using a dedicated and properly configured email system such as Postmark. If you're a ShieldPRO customer, you can also use our SureSend for admins - a dedicated email delivery service to send the 2FA code. |
| 2FA code accepted but reverted back to the OTP screen. | You supply the 2FA login code but instead of being logged in, you're sent back to the OTP screen - prompted to supply the code again. |
In this case,
forceoff likely won't work. It's probably page cache.
|
Page caching simply returns data/pages from “memory”, regardless of what plugins you have installed, or removed. So if your caching plugin (or system or even browser) caches a Shield block or OTP page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin. We explain this further in our blog post here. |
| 2FA Google Authentication, can't login at all (OTP screen). | You've lost your phone, or replaced or reset and cannot supply your GA code. | Reset Google Authenticator for your user account by following this guide here. | We recommend using Authy App for Google Authenticator backups. |
| 2FA (OTP) timeout expired, can't login. | For example, you receive 2FA login code but can't use it because the OTP timeout has expired. | Use filter to extend this timeout by following the guide outlined here. | Shield's 2FA timeout defaults to 5 minutes. This means that a user must supply their 2FA code(s) within this time or they'll need to start again (re-login). Some email providers can be a bit slow at times with their email delivery, and 5 minutes isn't long enough. To provide a bit more time, you can use a filter to extend the timeout to as many minutes as you need. |
| Firewall block warning, offense triggered, not blocked entirely. Still have access to your site admin. | You were blocked by the ShieldPRO. Something in the URL, Form or Cookie data wasn't appropriate. Warning: You have X remaining offenses(s) against this site and then your IP address will be completely blocked. Seriously, stop repeating what you are doing or you will be locked out. |
Follow the guide outlined in this article here. |
If you're a ShieldPRO customer, we highly recommend having auto-unblock link sent by email option turned on. In this way, when you're still logged in but blocked entirely, you can unblock yourself instantly. Regarding firewall, there is an option " Ignore Administrators". Not recommended but you can use it if you want. |
| Keep getting logged out. | You login, but then keep getting logged out repeatedly. |
|
Apart from the recommended steps, it would be also good to check your IP source detection settings with Shield. Also, clear/disable page cache. |
| Security Admin warning, offense triggered, not blocked entirely. | Failed authentication using Security Admin PIN. |
Follow the guide outlined in this article here. |
If you're a ShieldPRO customer, we highly recommend having ' Allow Email Override' option turned on. In this way, you can disable Security Admin and unblock yourself instantly. |
| You load your ' wp-login.php' page but getting 404 error - can't login at all. |
Not Found |
|
If you've renamed WordPress login page (wp-login.php), the only way to access it is through the new URL you have created. Otherwise, you'll get 404 error. After you hide WordPress login page, this is what can happen and what behaviour you can expect. If you try to access your custom login URL you should not be getting 404 error. But if you do, this is likely page caching. Often caching can cause problems if it's misconfigured or the cache is stale. If you're going to use Caching - if anything ever stops working disable and clear your caches and then check functionality. If it's working again, try re-enabling your cache. You can read a bit more about this approach here. |
| Failed CAPTHA warning, offense triggered, not blocked entirely. | Whoops. CAPTCHA was not submitted. Warning: Repeated login attempts that fail will result in a complete ban of your IP Address. |
|
We highly recommend using our new AntiBot Detection Engine (ADE). This will completely remove the need for WordPress login form CAPTCHAs, and Shield’s own GASP “I’m a human” checkbox. If you're ShieldPRO customer, using custom login form and getting blocked by failed CAPTCHA, please see here. |
| CAPTCHA not loading | CAPTCHA doesn't load at all, you see only "Loading...". |
|
Often caching can cause problems if it's misconfigured or the cache is stale. This can affect plugin functionality. More Info We highly recommend using our new AntiBot Detection Engine (ADE). This will completely remove the need for WordPress login form CAPTCHAs, and Shield’s own GASP “I’m a human” checkbox. If you're ShieldPRO customer, using custom login form and getting blocked by failed CAPTCHA, please see here. |
| Failed GASP (I'm a human) checkbox, offense triggered, not blocked entirely. | Please check that box to say you're human, and not a bot. Warning: Repeated login attempts that fail will result in a complete ban of your IP Address. |
|
We highly recommend using our new AntiBot Detection Engine (ADE). This will completely remove the need for WordPress login form CAPTCHAs, and Shield’s own GASP “I’m a human” checkbox. If you're ShieldPRO customer, using custom login form and getting blocked by failed GASP checkbox, please see here. |
| Warning, Bot check failed, can't login at all. |
Shield Security Bot Check Failed. | Follow the guide outlined in this article here. | This blocking message is related to the AntiBot System Engine (ADE). |
| Forceoff doesn't work, still can't login. | Forceoff is in place but you still can't login as the result of Shield. |
|
If forceoff doesn't take any effect, it's likely caching. Page caching causes a lot of trouble for many things. If you get weird inconsistent behaviour like a plugin running on a site while the code isn’t even there, then it's caching. Page caching simply returns data/pages from “memory”, regardless of what plugins you have installed, or removed. So if your caching plugin (or system or even browser) caches a Shield block page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin. We explain this further in our blog post here. |
| AntiBot System warning message, not blocked, still have access to your site admin. | Important: Shield couldn't determine whether the NotBot JS was loading correctly on your site. | Follow the guide outlined in this article here. | This is a warning that the AntiBot detection Engine (ADE) doesn't work on your site. |
Bonus Tips
#1 Unblock your IP instantly
Instead of forceoff, you can unblock (remove your IP from the block list) instantly by using the 'unblock' file flag.
But, if you keep getting blocked, best is to go for a forceoff method and then use this guide for further actions and solutions.
#2 Recover your login with 2FA backup codes
If you lose access to your device or your email, you will need a backup code to regain access to your WordPress site.
Use Shield's Allow Backup Code feature to generate a backup code that can be used to login if Multi-Factor Authentication factors are unavailable.
#3 Activity Log Viewer and Activity Log Glossary
Activity Log is your note-taker. You can use it to see what exactly has been happening on your site so you can easily look back on events and analyse what happened and what may have gone wrong.
Activity Log Glossary will help you to interpret logs and tell you what plugin settings you should check and what actions to take.
Using both always is highly recommended.
#4 Page cache
Page cache is something you should clear/disable first when something ever stops working. Disable and clear your caches first and then check functionality.
Page cache (plugin, browser, system) can be very problematic for the dynamic sites.
For example, if your caching plugin caches a Shield block or OTP page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin.
We recommend these 5 golden rules to implement for your site optimisation.
#5 Plugin reset
If you decide to reset plugin to the default settings, please follow this guide here.
Please note that, when you reset, you'll loose the all previously saved settings.
#6 Disable plugin temporarily
If you can't access your site but need to temporarily disable plugin, you can do that via your FTP for that site.
Just browse the plugin folder: ..../wp-content/plugins/wp-simple-firewall/, and rename it to anything you want, i.e. 'dis-wp-simple-firewall'. The plugin will be automatically switched off.
When you disable plugin, you will not loose your previously saved settings.
#7 Helpdesk solution articles
Most of the issues are covered in our Help Center. Feel free to use it to search for the solution to the problem you have.
There are also Info and Blog links for the all plugin options and a Help Widget with instant access to the solution articles:
Important Points To Note
#1 Ensure that it's really Shield causing the problem
Sometimes it may look like the problem is caused by Shield but it isn't. If you're unsure if Shield or not, best is to disable it temporarily and test.
As mentioned above, you can do this via your FTP by renaming the plugin folder ' wp-simple-firewall/' to anything you want.
If the problem remains after disabling Shield, then it's not Shield - something else causing it on your site. We can't help in those scenarios but you can always try disabling all your other plugins and then re-enable 1 by 1 and test to find the culprit. You can do the same with your themes (disable all and switch to the WP default theme). Once you find the culprit, reach out the their support and let them know what you've found. Also, talk to your host - maybe they can help too.
#2 Plugin conflict
Shield Security plugin is split up into several distinct and independently running modules. Each module does something different and with the huge array of WordPress plugins out there, you may find a conflict between what's running on your site, and our security plugin.
This doesn't mean anything is broken, the problem is just the sharing of data between plugins and how each plugin handles things differently. Sometimes we can work around plugins, sometimes they can improve their code to work better with the plugin... it just depends.
Detecting the conflict is very important step to take because the problem can be resolved easily. Please see here how to debug and help developers.
How To Get Support
If you don't find this guide helpful and you cannot find the solution to the problem by using our Help Center, this is how to reach out to us directly.
ShieldPRO customers can log into their Pro account and use this support page here: