How to Work Around WPEngine’s “Too many failed login attempts”

A friend of mine recently ran into trouble while logging in to their WordPress-driven news website, hosted on WPEngine. When that friend opened the standard WordPress login page, they would see a message:

Error: Too many failed login attempts. Please try again in [time duration]

It turns out that WPEngine has a “must use” plugin installed for all of their users called “Limit Login Attempts.” While it’s typically a good security measure to leave that untouched, it was particularly inconvenient here, since it couldn’t be temporarily disabled or removed to make WordPress access possible. And since this was in the very early morning, WPEngine support hours didn’t start for another 2 hours (and they might not respond for most of the day). We really needed to get access sooner since it happens to be a very active news site, and content needed to go out.

And you would think modifying a couple rows in the wp_options table would have done the trick, right? Nope. For the life of me, I couldn’t figure out where this plugin was storing its lockout information, because it wasn’t in the database options table where the plugin code suggested it would be.

Anyway, enough details. I finally worked around it by removing the initialization hook that the plugin registers in WordPress. I did this by:

  1. Opening up SFTP to wp-content/plugins
  2. Picking a plugin folder which I know is active on the site
  3. Opening that folder and opening the core file for editing (it should have the same name as the parent folder)
  4. Placing this line at the very top, after the opening <?php:
    remove_action('plugins_loaded', 'limit_login_setup', 99999);
  5. Saving the file

That should unregister the limit login attempts plugin hook so you can get access to WordPress for the time being. You’ll definitely want to remove that little hack at the end of the next 24 hours, since that plugin is there for a good reason.

Hope this helps somebody —
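A narrower form of the same workaround, as an added example that is not part of the original post: it unhooks the plugin only until a fixed expiry time and only for one administrator address, so a forgotten edit stops having any effect on its own. The expiry time and the IP address are constructed placeholders, and the closure wrapper and log message are assumptions of this example.

```php
<?php
// Added example, not the post author's code. Place the call below at the top
// of an active plugin's main file, after its existing opening <?php tag.
call_user_func(function () {
    // Constructed values for illustration: set the expiry a few hours ahead
    // and use your own address (203.0.113.10 is a documentation-range IP).
    $expires  = strtotime('2030-01-01 09:00:00 UTC');
    $allow_ip = '203.0.113.10';

    // REMOTE_ADDR is the peer address PHP sees. Behind a reverse proxy it may
    // be the proxy's address, so confirm what it contains before relying on it.
    $client_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // Fail closed: a bad date string (strtotime returns false) or a passed
    // expiry leaves the lockout plugin fully active.
    if ($expires === false || time() >= $expires) {
        return;
    }

    // Every other visitor keeps the login rate limiting.
    if ($client_ip !== $allow_ip) {
        return;
    }

    // Same hook, callback and priority as the line in the post.
    remove_action('plugins_loaded', 'limit_login_setup', 99999);

    // Leave a trace in the PHP error log so the bypass is visible afterwards.
    error_log('limit_login_setup unhooked for ' . $client_ip);
});
```

Once access is restored, delete the block anyway; the expiry is a backstop, not a substitute for removing the edit.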

  • Eric

    For anyone interested in finding where the plugin stores the IP address to lock people out, run this query in phpmyadmin:

    SELECT option_value as row_count FROM wp_options WHERE option_name = 'limit_login_lockouts'

    That will show you a long serialized string. Just remove the option_value and you should be able to log in again. :-)

  • katzgrau

    I actually would have mentioned this, but the issue for me was that clearing or deleting that row (and others) didn’t affect anything for me. I believe it had something to do with WPEngine’s object caching, but I don’t know for sure.

  • http://retreat.guru Deryk Wenaus

    Another way is to rename the limit-login-attempts plugin folder in mu-plugins. Disables the plugin altogether.

  • Vincent

    This is the best answer.

  • Broadstreet

    So, for whatever reason, in my case the directory permissions were set so that I could read but not edit the file or its permissions. I would have opted for this route but didn’t have the time to work out the problem.

  • http://danielwhyte4.com/ Daniel Whyte IV

    I tried this but it made the login page not load at all.

  • http://danielwhyte4.com/ Daniel Whyte IV

    Renaming the mu-plugins folder is what worked for me.

  • katzgrau

    I might not agree that renaming the plugin folder is the best answer, since you’re intentionally breaking WordPress in order to make it disable a plugin. It’s like pulling the plug to restart a computer.

    Using the hook method in the post uses WordPress’ natural plugin/hook mechanism to override the Login Limit plugin, which is much, much cleaner.

  • http://www.armando-ello.com/ Armando Ello

    Kenny, your line does not work anymore.

  • http://www.armando-ello.com/ Armando Ello

    This is not very clear what to do exactly. Thanks.

  • http://www.armando-ello.com/ Armando Ello

    I don’t have a plugin called mu-plugin, what does it stand for?