Troubleshooting

Locked out, firewall false positives, 2FA issues, custom login problems, and getting help.

Last updated Feb 21, 2026

Locked out of WordPress

Brute force lockout

If you have been temporarily locked out due to failed login attempts, wait for the lockout duration to expire. The default lockout period is 15 minutes. After it expires, you can log in normally.

Permanent blacklist

If your IP has been added to the permanent blacklist:

  1. Connect to your site via FTP/SFTP
  2. Navigate to /wp-content/plugins/
  3. Rename the armorpro folder to armorpro-disabled
  4. Log in to WordPress normally at /wp-login.php
  5. Rename the folder back to armorpro
  6. Go to ArmorPro → Access and remove your IP from the blacklist

Alternatively, if you have database access via phpMyAdmin or WP-CLI, you can clear the armor_blacklist table directly to remove all blacklisted IPs.

Custom login URL forgotten

If you cannot remember your custom login URL:

  1. Connect to your site via FTP/SFTP
  2. Open wp-config.php
  3. Add this line:
    define('ARMOR_DISABLE', true);
  4. Access /wp-login.php normally
  5. Go to ArmorPro → Settings and note or change your custom login URL
  6. Remove the ARMOR_DISABLE line from wp-config.php

Emergency disable

Adding define('ARMOR_DISABLE', true); to wp-config.php bypasses all ArmorPro protection. Use this as a last resort to regain access, and remove it as soon as the issue is resolved.

Firewall false positives

If the firewall is blocking legitimate requests:

  1. Go to ArmorPro → Firewall and check the firewall log for the blocked request
  2. Note the rule description that matched
  3. Open the Pattern Manager and search for that description
  4. Disable the specific pattern rather than turning off the entire firewall
  5. If the blocked requests are from your own IP, add it to the whitelist in ArmorPro → Access

If you are using the Enhanced Firewall (WAF), click Force Sync after changing patterns to update the cached pattern file.

Two-factor authentication issues

Invalid code

TOTP codes are time-sensitive and require your device clock to be accurate. Ensure automatic time sync (NTP) is enabled on your phone or authentication device. ArmorPro allows 1 window (30 seconds) of clock drift to account for minor time differences.
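Why a drifting clock produces "invalid code", as an added example (not ArmorPro's code): a standard RFC 6238 check with HMAC-SHA1 and 6-digit codes, assuming the 1-window tolerance means one 30-second step either side of the server's current step. The function names, secret and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step, as stated on this page
DIGITS = 6   # assumed code length (the usual authenticator default)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the HOTP counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the step offset that matched (-window..+window), or None."""
    current = server_time // STEP
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + offset), code):
            return offset
    return None


def drift_report(secret: bytes, server_time: int, skews):
    """For each device clock skew in seconds, verify the code that device shows."""
    return {s: verify(secret, totp(secret, server_time + s), server_time)
            for s in skews}


# Constructed inputs: the RFC 4226 test secret and a small server time, so
# the codes involved are the published RFC test vectors.
SECRET = b"12345678901234567890"
SERVER_TIME = 160  # falls in time step 5 (150..179 s)

if __name__ == "__main__":
    for skew, hit in drift_report(SECRET, SERVER_TIME, [0, 25, -25, 70, -70]).items():
        verdict = "rejected" if hit is None else f"accepted at step offset {hit:+d}"
        print(f"device clock {skew:+d}s: {verdict}")
```

A device 25 seconds off still lands in an adjacent step and is accepted; at 70 seconds off, the code belongs to a step outside the window and is rejected until the device clock is resynced.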

Lost phone

Use one of your backup codes to log in. After logging in, disable two-factor authentication from your profile and set it up again with your new device. Each backup code can only be used once.

All backup codes used

If you have used all backup codes and cannot access your authenticator, another administrator must disable 2FA from your user profile page in WordPress.

Passkey issues

Browser not offering passkey

Passkeys require HTTPS and a browser that supports WebAuthn. Verify that your site is loaded over HTTPS and that you are using a supported browser (Chrome, Safari, Firefox, or Edge).

Passkey not working after OS update

Operating system updates can occasionally reset or invalidate stored passkeys. Delete the old passkey in ArmorPro and register a new one.

Clone detection warning

If you see a sign count mismatch warning, it means the passkey's sign_count is lower than expected, which could indicate the key has been duplicated. Delete the passkey and register a new one as a precaution.
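The check behind this warning, as an added example (not ArmorPro's code): it reads the signature counter from WebAuthn authenticator data and applies the counter rule from the WebAuthn specification, which treats a counter that fails to advance (lower or equal) as a possible clone. The relying-party ID, function names and counter values are constructed for illustration.

```python
import hashlib
import struct

RP_ID = "example.com"  # constructed relying-party ID


def make_auth_data(sign_count: int, flags: int = 0x05) -> bytes:
    """Build constructed authenticator data: rpIdHash | flags | signCount."""
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    return rp_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_sign_count(auth_data: bytes) -> int:
    """The counter is the 4-byte big-endian integer at bytes 33..36."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    return struct.unpack(">I", auth_data[33:37])[0]


def check_sign_count(stored: int, auth_data: bytes):
    """Return (verdict, counter_to_store) per the WebAuthn counter rule."""
    received = parse_sign_count(auth_data)
    if stored == 0 and received == 0:
        return "no-counter", 0          # authenticator does not keep a counter
    if received > stored:
        return "ok", received           # normal: counter advanced
    return "possible-clone", stored     # did not advance: keep the high-water mark


def replay(assertions, stored=0):
    """Feed a sequence of authenticator data blobs through the check."""
    verdicts = []
    for auth_data in assertions:
        verdict, stored = check_sign_count(stored, auth_data)
        verdicts.append(verdict)
    return verdicts, stored


# Constructed scenario: the original key signs twice (41, 42), then a copy
# made when the counter stood at 40 signs with 41.
SCENARIO = [make_auth_data(41), make_auth_data(42), make_auth_data(41)]

if __name__ == "__main__":
    print(replay(SCENARIO, stored=40))
```

Authenticators that always report 0 (common for synced passkeys) give this check nothing to compare, so the warning can only appear for keys that maintain a counter.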

Enhanced Firewall not working

  1. Go to ArmorPro → Firewall and click Verify to check if the WAF is active
  2. If verification fails, confirm that your hosting environment supports auto_prepend_file
  3. Click Force Sync to re-upload the WAF configuration files
  4. Some shared hosts block auto_prepend_file. Contact your host to confirm it is available, or use the standard firewall mode instead
  5. After a server migration, the Enhanced Firewall must be reinstalled. Toggle it off and back on to reconfigure

Security headers causing issues

CSP breaking frontend

If your site's layout or functionality breaks after enabling Content Security Policy, disable CSP immediately. Then configure it in report-only mode first, monitor the browser console for violations, and adjust your policy before switching to enforcement.

HSTS lock-in

Once HSTS is enabled with a long max-age, browsers that have visited your site will refuse HTTP connections until the max-age expires. Start with a short max-age (300 seconds) while testing to avoid getting locked into HTTPS prematurely.

X-Frame-Options blocking embeds

If your site needs to be embedded in an iframe, switch X-Frame-Options from DENY to SAMEORIGIN to allow framing from your own origin. SAMEORIGIN still blocks embeds by third-party services, so disable the header entirely if you need to allow cross-origin framing.

Country blocking issues

GeoIP database not downloading

If the GeoIP database fails to download automatically, go to ArmorPro → Settings and use the manual download button. Ensure your server can make outbound HTTPS requests to MaxMind's download servers.

Wrong country detected

MaxMind's GeoLite2 database provides "best effort" geolocation. Visitors using VPNs or proxies will show the exit node's country rather than their actual location. This is expected behavior and cannot be avoided with IP-based geolocation.

Legitimate visitors blocked

If specific visitors are being blocked by country rules, add their IP addresses to the whitelist in ArmorPro → Access. Whitelisted IPs bypass country blocking. Alternatively, consider switching your country blocking mode if it is too restrictive.

Plugin conflicts

Other security plugins

Running multiple security plugins causes duplicate headers, conflicting firewall rules, and double resource usage. Deactivate the conflicting plugin and use ArmorPro as your sole security solution for login protection, firewall, and security headers.

Caching plugins

ArmorPro is compatible with all major caching plugins. However, if blocks are not working as expected, ensure your caching plugin is not serving stale cached pages to IPs that should be blocked. Exclude the login URL and admin area from caching.

Getting help

If you cannot resolve the issue with the steps above:

  1. Go to ArmorPro → Tools and run health checks. Include the results when contacting support.
  2. Enable debug mode temporarily for detailed diagnostic logging.
  3. Contact support at srworks.co/contact/ with your WordPress version, PHP version, and server type (Apache, NGINX, LiteSpeed, etc.).