WordPress Admin Locked Before Login: Forensic Diagnosis and WP-CLI Recovery
When /wp-admin is blocked before wp-login.php renders, password resets are irrelevant. The request is being intercepted before the authentication flow starts.
Layered diagnosis
curl -I https://domain.com/wp-admin/
403: server/WAF layer block
200 with denial message: app/plugin interception
Validate core health:
wp core is-installed
Surgical recovery with WP-CLI
wp plugin list
wp plugin deactivate all-in-one-wp-security-and-firewall
# fallback: if a plugin error stops WP-CLI from bootstrapping, run without loading plugins
wp plugin deactivate all-in-one-wp-security-and-firewall --skip-plugins
Filesystem fallback:
mv wp-content/plugins/all-in-one-wp-security-and-firewall \
wp-content/plugins/all-in-one-wp-security-and-firewall.bak
Persistent block source: .htaccess
Inspect and clean plugin-managed firewall blocks if they remain active after plugin deactivation.
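One way to do this inspection and cleanup, as an added example that is not part of the original post. It assumes the plugin wrapped its rules in the "# BEGIN <name>" / "# END <name>" marker lines WordPress uses for managed .htaccess sections; the function names, the sample file and the marker name "All In One WP Security" are constructed for illustration.

```shell
# Added example (not from the original post). The sample file and the marker
# name "All In One WP Security" are constructed; check the real names with
# list_marker_blocks before removing anything.

# Write a constructed sample .htaccess to the given path.
make_sample_htaccess() {
  cat > "$1" <<'EOF'
# BEGIN All In One WP Security
<Files wp-login.php>
Require ip 203.0.113.10
</Files>
# END All In One WP Security
# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
EOF
}

# Print the name of every "# BEGIN <name>" marker block in the file.
list_marker_blocks() {
  sed -n 's/^# BEGIN \(.*\)$/\1/p' "$1"
}

# Remove one named marker block. Copies the file to a timestamped backup
# first and prints the backup path. Exits non-zero without touching the
# file if the BEGIN or END line is missing.
strip_marker_block() (
  file=$1; name=$2
  grep -qxF -- "# BEGIN $name" "$file" || { echo "no block: $name" >&2; exit 1; }
  grep -qxF -- "# END $name" "$file" || { echo "unterminated: $name" >&2; exit 2; }
  backup="$file.$(date +%Y%m%d%H%M%S).bak"
  cp -p "$file" "$backup" || exit 3
  # Lines inside the block are held, not dropped, so an END that never
  # follows its BEGIN leaves the content in place.
  awk -v b="# BEGIN $name" -v e="# END $name" '
    !skip && $0 == b { skip = 1; held = $0; next }
    skip && $0 == e  { skip = 0; held = ""; next }
    skip             { held = held "\n" $0; next }
                     { print }
    END              { if (skip) print held }
  ' "$backup" > "$file" || exit 4
  echo "$backup"
)
```

Run list_marker_blocks on the live .htaccess first, then pass the exact name it prints to strip_marker_block; the "# BEGIN WordPress" block holds the core rewrite rules and should stay.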
Reverse proxy nuance
Misread X-Forwarded-For / edge IP headers can cause false lockouts in Cloudflare/reverse-proxy setups.
Fast recovery toolbox
wp option get siteurl && wp option get home
wp user set-role USER administrator
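# a password passed via --user_pass is not printed; omit --user_pass to have WP-CLI generate and display one
wp user create fixadmin admin@domain.com --role=administrator --user_pass="$(wp eval 'echo wp_generate_password(18);')"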
Conclusion
This is a layered incident, not a password issue. Precise HTTP/app diagnosis and CLI-first remediation restore access quickly and safely.
This post is licensed under CC BY-NC.