A friend of mine recently ran into trouble while logging in to their WordPress-driven news website, hosted on WPEngine. When that friend opened the standard WordPress login page, they would see a message:
Error: Too many failed login attempts. Please try again in [time duration]
It turns out that WPEngine has a “must use” plugin installed for all of their users called “Limit Login Attempts.” While it’s typically a good security measure to leave that untouched, it was particularly inconvenient since it couldn’t be disabled or removed temporarily so WordPress access was possible. And since this was in the very early morning, WPEngine support hours didn’t start for another 2 hours (and may not respond for most of the day). We really needed to get access sooner since it happens to be a very active news site, and content needed to go out.
And you would think modifying a couple rows in the wp_options table would have done the trick, right? Nope. For the life of me, I couldn’t figure out where this plugin was storing its lockout information, because it wasn’t in the database options table where the plugin code suggested it would be.
Anyway, enough details. I finally worked around it by removing the initialization hook that the plugin registers in WordPress. I did this by:
- Opening up SFTP to wp-content/plugins
- Picking a plugin folder which I know is active on the site
- Opening that folder and opening the core file for editing (it should have the same name as the parent folder)
- Placing this line at the very top, after the opening <?php:
remove_action(‘plugins_loaded’, ‘limit_login_setup’, 99999);
That should unregister the limit login attempts plugin hook so you can get access to WordPress for the time being. You’ll definitely want to remove that little hack at the end of the next 24 hours, since that plugin is there for a good reason.
Hope this helps somebody —Follow @katzgrau