locked out

How to fix iThemes Security lockouts

Categories:
Web design
By Colin
Last updated
06 January 2022

If you have a Wordpress website, you might have come across iThemes Security, which is a plugin to secure and protect your site. 

One of its features is security lockouts, so if it suspects someone dodgy is trying to get into your admin area, it will block their IP address from accessing the login screen.

Most of the time this is useful, until you find it's locking innocent users out.

If this happens, you can usually release lockouts from the iThemes dashboard, the iThemes documentation has all the info.

iThemes is locking everyone out

This is a bigger problem, and we’ve run into a few times on clients’ websites. Whenever anyone tries to log into their account – both customers and administrators – they hit the lockout screen.

Picture 1 v2

Not what you want your customers to see.

If iThemes is locking all users out of your website, and none of the lockout releases in the documentation are working, the next thing to check is your cache plugin. 

iThemes uses a command “DONOTCACHEPAGE” to tell cache plugins not to save the lockout screen, however not all cache plugins honour this.

So as soon as someone is locked out of the login screen and sees the lockout page, the cache thinks it's a new page and saves it. Now everyone will see the lockout page and because nobody can get past it, the cache never knows that it needs to update.

WP Fastest Cache is the main offender in our experience – and it took a lot of head scratching and Googling to work this out!

The simple solution is just to use a different cache plugin. We’re big fans of WP Rocket because it’s dead easy to configure, well documented, plays well with most major plugins, and just works!