Can't Access Your Own Site? Read This Guide

If you ever get blocked/locked out of your own site as a result of Shield, for whatever reason, you can always forcefully turn off all restrictions made by it. This will keep plugin active allowing you to get back in and change settings (debug the problem).

Please note that, if you remove a "forceoff" file before changing plugin settings (debug the problem), the problem will return. Removing this file is always the last action (step) to take.  

If you are a site owner/admin, feel free to use this guide to search for the type of the block or block message and follow the recommended steps. You can also find some useful info/suggestions, bonus tips and important points to note. 

Unblocking & Debugging Guide For Site Owners/Admins

Block Type Message
Recommended Action (steps)
Useful Info and Suggestions
Blocked/blacklisted by Shield entirely.




You've been blocked by the ShieldPRO plugin. 
Time remaining on the black list: X minutes
You tripped the security plugins defenses a total of X times making you a suspect. 
  1. Use a forceoff method outlined here
  2. Log into your site
  3. Remove your IP from the block list
  4. Check your audit trail. Find the block entry. It'll tell you what exactly have happened, why you were blocked. 
  5. Use Audit Trail Glossary to interpret that block entry
  6. Change plugin settings based on that audit trail entry
  7. Remove a "forceoff" file you've previously created (#1)

These steps are best explained here

This is the general block message. It means that the offense limit has been reached and the IP is blocked entirely. 
This could be the combination of offenses, i.e. failed login, firewall, etc. Best is to see what your audit trail says first and change settings based on it. Audit trail and Glossary are your best allies. Also use this guide for solutions.
If you want to change any of the IP block settings, you can do so here. Or, to decrease auto-block expiration, please see here.
Not getting 2FA login code, can't login at all. You use 2FA-by email but not getting email with 2FA login code. 
  1. Use a forceoff method outlined here.
  2. Log into your site
  3. Disable 2FA by email temporarily (through Login Guard module)
  4. Remove a "forceoff" file
  5. Solve email deliverability issue (use a dedicated and properly configured email system)
  6. Re-enable 2FA by email 



Shield uses WordPress' normal email sending system. If email isn't arriving, that means that it's getting blocked somewhere. You can check your audit trail and see that email is probably sent. The problem with using WordPress and your server to send emails is that it's unpredictable and unreliable. It might work today, and not tomorrow, or not work at all. WordPress sites and servers just aren't meant to send emails. We discuss this further here.

You'll need to assess your email deliverability on your WordPress site by using a dedicated and properly configured email system such as Postmark.

If you're a ShieldPRO customer, you can also use our SureSend for admins - a dedicated email delivery service to send the 2FA code.

2FA code accepted but reverted back to the OTP screen. You supply the 2FA login code but instead of being logged in, you're sent back to the OTP screen - prompted to supply the code again. 
In this case, forceoff likely won't work. It's probably page cache. 
  1. Clear/disable cache (plugin, system, browser)
  2. Also try another browser
  3. Login
Page caching simply returns data/pages from “memory”, regardless of what plugins you have installed, or removed. So if your caching plugin (or system or even browser) caches a Shield block or OTP page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin.

We explain this further in our blog post here.
2FA Google Authentication, can't login at all (OTP screen). You've lost your phone, or replaced or reset and cannot supply your GA code.  Reset Google Authenticator for your user account by following this guide here. We recommend using Authy App for Google Authenticator backups.
2FA (OTP) timeout expired, can't login. For example, you receive 2FA login code but can't use it because the OTP timeout has expired.  Use filter to extend this timeout by following the guide outlined here. Shield's 2FA timeout defaults to 5 minutes. This means that a user must supply their 2FA code(s) within this time or they'll need to start again (re-login).

Some email providers can be a bit slow at times with their email delivery, and 5 minutes isn't long enough. To provide a bit more time, you can use a filter to extend the timeout to as many minutes as you need.


Firewall block warning, offense triggered, not blocked entirely. Still have access to your site admin.  You were blocked by the ShieldPRO. Something in the URL, Form or Cookie data wasn't appropriate.
Warning: You have X remaining offenses(s) against this site and then your IP address will be completely blocked.
Seriously, stop repeating what you are doing or you will be locked out.
Follow the guide outlined in this article here. 
If you're a ShieldPRO customer, we highly recommend having auto-unblock link sent by email option turned on. In this way, when you're still logged in but blocked entirely, you can unblock yourself instantly. 

Regarding firewall, there is an option " Ignore Administrators". Not recommended but you can use it if you want. 
Keep getting logged out. You login, but then keep getting logged out repeatedly. 
  1. Use a forceoff method outlined here
  2. Log into your site
  3. Remove your IP from the block list (if needed)
  4. Check your audit trail. It'll tell you what exactly have happened.
  5. Use Audit Trail Glossary to interpret that block entry. This is probably related to your User Session  Management settings.
  6. Change plugin settings based on that audit trail entry
  7. Remove a "forceoff" file you've previously created (#1)
Apart from the recommended steps, it would be also good to check your IP source detection settings with Shield

Also, clear/disable page cache. 
Security Admin warning, offense triggered, not blocked entirely.  Failed authentication using Security Admin PIN.
Follow the guide outlined in this article here.
If you're a ShieldPRO customer, we highly recommend having ' Allow Email Override' option turned on. In this way, you can disable Security Admin and unblock yourself instantly. 
You load your ' wp-login.php' page but getting 404 error - can't login at all. 

Not Found
The requested URL /wp-loginphp was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at Port 443

  1. Use a forceoff method outlined here
  2. Log into your site
  3. Remove your IP from the block list
  4. Go to the Login Guard module => Hide WP Login Page => remove the URL you have previously created => Save.

    More Info
  5. Remove a "forceoff" file you've previously created (#1)
If you've renamed WordPress login page (wp-login.php), the only way to access it is through the new URL you have created. Otherwise, you'll get 404 error. 

After you hide WordPress login page, this is what can happen and what behaviour you can expect

If you try to access your custom login URL you should not be getting 404 error. But if you do, this is likely page caching.
Often caching can cause problems if it's misconfigured or the cache is stale.
If you're going to use Caching - if anything ever stops working disable and clear your caches and then check functionality. If it's working again, try re-enabling your cache.
You can read a bit more about this approach here.
Failed CAPTHA warning, offense triggered, not blocked entirely.  Whoops. CAPTCHA was not submitted.
Warning: Repeated login attempts that fail will result in a complete ban of your IP Address.
  1. Use a forceoff method outlined here
  2. Log into your site
  3. Remove your IP from the block list
  4. Check your CAPTCHA configuration (if keys are correct, etc.). See also the common CAPTCHA errors and solutions here.
  5. Solve the problem and then remove a "forceoff" file you've previously created (#1)
We highly recommend using our new AntiBot Detection Engine (ADE). This will completely remove the need for WordPress login form CAPTCHAs, and Shield’s own GASP “I’m a human” checkbox.

If you're ShieldPRO customer, using custom login form and getting blocked by failed CAPTCHA, please see here.
CAPTCHA not loading CAPTCHA doesn't load at all, you see only "Loading...".

  1. Use a forceoff method outlined here
  2. Log into your site
  3. Remove your IP from the block list (if needed)
  4. Go to the General settings => remove site and secret keys to disable it entirely

    More Info. 
  5. Remove a "forceoff" file you've previously created (#1) 
Often caching can cause problems if it's misconfigured or the cache is stale. This can affect plugin functionality. More Info

We highly recommend using our new AntiBot Detection Engine (ADE). This will completely remove the need for WordPress login form CAPTCHAs, and Shield’s own GASP “I’m a human” checkbox.

If you're ShieldPRO customer, using custom login form and getting blocked by failed CAPTCHA, please see here.


Failed GASP (I'm a human) checkbox, offense triggered, not blocked entirely. Please check that box to say you're human, and not a bot.

Warning: Repeated login attempts that fail will result in a complete ban of your IP Address.
  1. Use a forceoff method outlined here
  2. Log into your site
  3. Remove your IP from the block list (if needed)
  4. Go to the Login Guard module => and disable Bot Protection option
  5. Remove a "forceoff" file you've previously created (#1) 
We highly recommend using our new AntiBot Detection Engine (ADE). This will completely remove the need for WordPress login form CAPTCHAs, and Shield’s own GASP “I’m a human” checkbox.

If you're ShieldPRO customer, using custom login form and getting blocked by failed GASP checkbox, please see here.
Warning, Bot check failed, can't login at all.

Shield Security Bot Check Failed. Follow the guide outlined in this article here. This blocking message is related to the AntiBot System Engine (ADE)
Forceoff doesn't work, still can't login. Forceoff is in place but you still can't login as the result of Shield. 
  1. Clear/disable cache (plugin, system, browser)
  2. Try forceoff again
If forceoff doesn't take any effect, it's likely caching.

Page caching causes a lot of trouble for many things. If you get weird inconsistent behaviour like a plugin running on a site while the code isn’t even there, then it's caching.

Page caching simply returns data/pages from “memory”, regardless of what plugins you have installed, or removed. So if your caching plugin (or system or even browser) caches a Shield block page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin.

We explain this further in our blog post here.
AntiBot System warning message, not blocked, still have access to your site admin.  Important: Shield couldn't determine whether the NotBot JS was loading correctly on your site. Follow the guide outlined in this article here. This is a warning that the AntiBot detection Engine (ADE) doesn't work on your site. 

Bonus Tips

#1 Unblock your IP instantly

Instead of forceoff, you can unblock (remove your IP from the block list) instantly by using the 'unblock' file flag.

But, if you keep getting blocked, best is to go for a forceoff method and then use this guide for further actions and solutions.

#2 Recover your login with 2FA backup codes

If you lose access to your device or your email, you will need a backup code to regain access to your WordPress site.

Use Shield's Allow Backup Code feature to generate a backup code that can be used to login if Multi-Factor Authentication factors are unavailable.

#3 Audit Trail logger and Audit Trail Glossary

Audit Trail is your note-taker. You can use it to see what exactly has been happening on your site so you can easily look back on events and analyse what happened and what may have gone wrong. 

Audit Trail Glossary will help you to interpret logs and tell you what plugin settings you should check and what actions to take. 

Using both always is highly recommended. 

#4 Page cache

Page cache is something you should clear/disable first when something ever stops working. Disable and clear your caches first and then check functionality. 

Page cache (plugin, browser, system) can be very problematic for the dynamic sites

For example, if your caching plugin caches a Shield block or OTP page, then that’s all you will see until you clear/disable the cache. Even if you remove the plugin.

We recommend these 5 golden rules to implement for your site optimisation.

#5 Plugin reset

If you decide to reset plugin to the default settings, please follow this guide here.

Please note that, when you reset, you'll loose the all previously saved settings.

#6 Disable plugin temporarily 

If you can't access your site but need to temporarily disable plugin, you can do that via your FTP for that site.

Just browse the plugin folder: ..../wp-content/plugins/wp-simple-firewall/, and rename it to anything you want, i.e. 'dis-wp-simple-firewall'. The plugin will be automatically switched off. 

When you disable plugin, you will not loose your previously saved settings.

#7 Helpdesk solution articles

Most of the issues are covered in our Help Center. Feel free to use it to search for the solution to the problem you have. 

There are also Info and Blog links for the all plugin options and a Help Widget with instant access to the solution articles:

Important Points To Note

#1 Ensure that it's really Shield causing the problem

Sometimes it may look like the problem is caused by Shield but it isn't. If you're unsure if Shield or not, best is to disable it temporarily and test.  

As mentioned above, you can do this via your FTP by renaming the plugin folder ' wp-simple-firewall/' to anything you want. 

If the problem remains after disabling Shield, then it's not Shield - something else causing it on your site. We can't help in those scenarios but you can always try disabling all your other plugins and then re-enable 1 by 1 and test to find the culprit. You can do the same with your themes (disable all and switch to the WP default theme). Once you find the culprit, reach out the their support and let them know what you've found. Also, talk to your host - maybe they can help too. 

#2 Plugin conflict

Shield Security plugin is split up into several distinct and independently running modules.  Each module does something different and with the huge array of WordPress plugins out there, you may find a conflict between what's running on your site, and our security plugin.

This doesn't mean anything is broken, the problem is just the sharing of data between plugins and how each plugin handles things differently.  Sometimes we can work around plugins, sometimes they can improve their code to work better with the plugin... it just depends.

Detecting the conflict is very important step to take because the problem can be resolved easily. Please see here how to debug and help developers.

How To Get Support

If you don't find this guide helpful and you cannot find the solution to the problem by using our Help Center, this is how to reach out to us directly.

ShieldPRO customers can log into their Pro account and use this support page here:

https://getshieldsecurity.com/support/