Locked Out of WordPress Admin: Why It Happens and How to Fix It

The short answer

If you're locked out of WordPress admin, the cause is almost always one of a few things: a forgotten or reset password, a login redirect loop from incorrect site URL settings, a corrupted .htaccess file, or a security or 2FA plugin misbehaving. Your site and content are still intact behind the login screen, so this is recoverable. Below are the real causes and the safe ways to get back in.

What you're seeing

  • wp-admin keeps redirecting you back to the login page after you enter the correct credentials
  • You see "Error: The password you entered is incorrect" even though the password is right
  • A 2FA or security plugin asks for a code you no longer have, or blocks your IP entirely
  • The login page loads but submitting it reloads the same page with no error (a login loop)
  • You get "You do not have sufficient permissions" or are told your account isn't an administrator

What causes it

Forgotten or changed password

The simplest cause: the password no longer matches, often after a password manager update or a teammate's change. WordPress's own reset link fixes this when your site can send email. The complication is that many WordPress sites can't reliably send mail, so the reset email never arrives.

Login redirect loop from wrong Site URL settings

If the WordPress Address (siteurl) or Site Address (home) values are wrong, often after an HTTPS, domain, or migration change, wp-admin will bounce you straight back to the login screen. You enter correct credentials and just land on login again. This is one of the most common 'I can't log in' loops and it's fixed by correcting those two values.

Corrupted or misconfigured .htaccess

A broken .htaccess file, from a bad plugin write, a security rule, or a failed edit, can block access to wp-admin or trigger redirect errors. The login form may not load at all, or it loops. Regenerating a clean .htaccess usually restores access.

A security or 2FA plugin gone wrong

Plugins like Wordfence, iThemes/Solid Security, or a two-factor plugin can lock you out by blocking your IP, demanding a 2FA code you've lost, or limiting login attempts. If you can't satisfy the prompt, the plugin itself is now the barrier. It has to be disabled from outside the dashboard to get back in.

Role or capability problem

Sometimes you can log in but your account is no longer an administrator, so the admin menu is gone or you see 'insufficient permissions.' This happens after a botched user edit, a role-changing plugin, or a partial restore. Your user role has to be reset to administrator at the database level.

Hacked and locked out

If an attacker changed your password or deleted your admin account, you'll be locked out with no warning. This is more serious than the others because the site is also compromised, not just the login. Getting back in is step one; cleaning the hack and closing the entry point is the real job.

How to fix it yourself

Try these from least to most risky, and back up your site before any database or file change.

  1. Use the password reset link first

    On the login page, click 'Lost your password?' and enter your username or email. If a reset email arrives, you're back in within a minute. If it never shows up, your site likely can't send mail, so move on to the next steps.

  2. Clear cookies and try a clean browser

    A stale login cookie or aggressive cache can cause a login loop that looks like a real lockout. Clear cookies for your domain, or open the login page in a private/incognito window. This costs nothing and rules out the easiest cause before you touch files.

  3. Deactivate plugins via FTP or your host's file manager

    If a security or 2FA plugin is blocking you, connect via FTP/SFTP and rename the folder wp-content/plugins/ to plugins-off (or rename just the suspect plugin's folder). That deactivates them so you can log in, then you rename it back and re-enable plugins one at a time. This is safe to undo but touches live files, so back up first.

  4. Reset your password or role in the database (riskier)

    Using phpMyAdmin or WP-CLI, you can set a new password (wp_users) or restore your administrator role (wp_usermeta). This works when email is broken, but a wrong edit here can break your site, so export a database backup before you start. If you're not comfortable editing SQL directly, stop here and get help.

  5. Fix the Site URL or regenerate .htaccess (riskier)

    For a redirect loop, correct siteurl and home in the wp_options table (or define WP_HOME / WP_SITEURL in wp-config.php), and rename a suspect .htaccess so WordPress writes a clean one. These are powerful fixes but easy to get wrong, so back up the database and the .htaccess file first.
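
The database steps above (4 and 5) can also be done with WP-CLI, preceded by read-only checks. This is an added example, not part of the original article; it assumes WP-CLI is installed as `wp` and run from the WordPress root, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Lockout triage and recovery with WP-CLI; run from the WordPress root.
# Assumes `wp` is on PATH. Function names are illustrative, not WP-CLI's.

# Skip plugin/theme code so a blocking security plugin cannot interfere.
WP="wp --skip-plugins --skip-themes"

# scheme://host of a URL; the path is dropped (WordPress may live in a subdirectory).
origin() {
  local rest
  rest="${1#*://}"
  printf '%s://%s\n' "${1%%://*}" "${rest%%/*}"
}

# Read-only: print siteurl/home; return 1 when their scheme or host differ,
# the usual leftover of an HTTPS or domain change.
check_urls() {
  local siteurl home
  siteurl="$($WP option get siteurl)" || return 2
  home="$($WP option get home)" || return 2
  echo "siteurl=$siteurl home=$home"
  [ "$(origin "$siteurl")" = "$(origin "$home")" ]
}

# Read-only: list administrators; return 1 when none are left.
# Review the output for accounts you do not recognise.
check_admins() {
  local rows
  rows="$($WP user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv)" || return 2
  echo "$rows"
  [ "$(echo "$rows" | wc -l)" -gt 1 ]   # line 1 is the CSV header
}

# Step 4: export the database, then reset password and role for login $1.
# --prompt reads the password interactively, keeping it out of shell history.
restore_admin() {
  $WP db export "backup-$(date +%Y%m%d-%H%M%S).sql" || return 1
  $WP user update "$1" --prompt=user_pass &&
  $WP user set-role "$1" administrator
}

# Step 5: export, set siteurl ($1) and home ($2), park .htaccess so a clean one is written.
fix_urls() {
  $WP db export "backup-$(date +%Y%m%d-%H%M%S).sql" || return 1
  $WP option update siteurl "$1" && $WP option update home "$2" || return 1
  [ ! -f .htaccess ] || mv .htaccess ".htaccess.bak-$(date +%s)"
}
```

If WP_HOME or WP_SITEURL is defined in wp-config.php, those constants take precedence over the wp_options values, so correct them there instead.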

Rather not risk it? We'll fix it for you.

If the reset email never arrives, the database steps make you nervous, or you suspect the site was hacked, that's the right time to hand it off. Mend gets you back into wp-admin fast, and we work backup-first, so a full backup is taken before we touch anything. Every fix is documented so you know exactly what was changed, and it's covered by our money-back guarantee.

Frequently asked

Why does WordPress keep redirecting me back to the login page?
A login redirect loop is almost always caused by incorrect Site URL settings (siteurl/home), a stale login cookie, or a corrupted .htaccess file. Try clearing cookies and using an incognito window first. If that doesn't work, the Site URL values usually need correcting in the database or wp-config.php.

It says my password is incorrect but I know it's right. What's going on?
This usually isn't really about the password. A caching plugin or stale cookie, a wrong Site URL setting, or a security plugin silently blocking the login can all produce a 'wrong password' or loop. Resetting the password via the database confirms it, but if a fresh reset still fails, the cause is elsewhere.

The password reset email never arrives. How do I get back in?
Many WordPress sites can't reliably send email, so the reset link never reaches you. In that case you reset the password directly in the database with phpMyAdmin or WP-CLI, or via FTP. Back up first, because a wrong database edit can take the site down.

I lost my 2FA device or codes. Can I still get into wp-admin?
Yes. Connect via FTP/SFTP and rename the two-factor plugin's folder in wp-content/plugins/ to disable it, which removes the 2FA prompt so you can log in. Then re-enable it and set up two-factor again with a device you control. If you're not comfortable doing this on a live site, we can handle it for you.

Could being locked out mean my site was hacked?
It can. If your admin password changed on its own or your account vanished, treat it as a possible compromise. Getting back in is only the first step; the site then needs to be scanned and cleaned and the entry point closed, which is exactly the kind of job we handle backup-first and fully documented.