That sinking feeling when you type in your WordPress login URL and the site just will not let you in? Yeah, we have all been there. Whether you are an SMB owner trying to publish a quick update or a freelancer juggling client sites, getting locked out of wp-admin is stressful, especially when there is content to ship or a customer waiting.
The good news: almost every lockout has a fix, and most take less than 15 minutes once you know where to look. In this guide we will walk through the most common reasons people get booted out of WordPress, how to recover access using your hosting panel, SSH or the database, and a few simple habits to make sure it does not happen again.
Why You Got Locked Out (The Usual Suspects)
Wrong login URL. Sounds silly, but it happens all the time. Many security plugins rename the default /wp-admin or /wp-login.php to something custom like /secret-door. Forget that custom slug after a few months away and you will hit a 404 every time. Check your password manager, old emails from your developer, or the plugin settings (if you can reach them) for the real URL.
Lost 2FA device or codes. Two-factor authentication is brilliant until you swap phones, wipe an app, or lose your backup codes. WordPress will keep asking for that six-digit code and you will keep not having it. This is one of the most common lockout scenarios we see at TPC Hosting, and luckily one of the easiest to fix from the server side.
Plugin or theme conflict. A bad update, a clash between two security plugins, or a corrupted theme file can throw the famous white screen of death or an infinite redirect loop on the login page. You are not locked out as such, but you cannot get in either. Same outcome, different cause.
Hacked or compromised site. If your admin password suddenly stops working, or you see unfamiliar user accounts in your inbox notifications, you may have been hit. Attackers often change the admin email and password to lock the real owner out while they inject spam or malware.
Recovery Option 1: Through Your Hosting Panel
This is the friendliest route and usually the fastest. Log into your TPC Hosting control panel and head to the file manager or the WordPress toolkit if your plan includes one. Most managed WordPress setups let you reset the admin password, disable plugins in bulk, or switch the active theme with a couple of clicks, no code required.
If you suspect a plugin conflict, rename the /wp-content/plugins folder to something like plugins-off via the file manager. WordPress will deactivate every plugin at once and you should be able to log back in. Then rename it back and reactivate plugins one by one until you find the culprit. Same trick works for themes by renaming the active theme folder, which forces WordPress to fall back to a default like Twenty Twenty-Four.
For 2FA lockouts, the file manager method is gold. Navigate to /wp-content/plugins/ and rename the folder of your 2FA plugin (for example, wp-2fa or google-authenticator). Log in with just your password, sort out the 2FA settings, then rename the folder back.
Recovery Option 2: SSH and Database (For the Brave)
If your hosting panel feels limited or you prefer the command line, SSH gives you full control. Connect with your SSH credentials and navigate to your WordPress root. Using WP-CLI you can reset a password in one line: wp user update admin --user_pass=NewStrongPass123. Need to create a fresh admin user? wp user create rescue you@email.com --role=administrator --user_pass=TempPass. Job done.
No WP-CLI? Open phpMyAdmin from your hosting panel or connect to MySQL directly. Find the wp_users table, locate your username, and edit the user_pass field. Set the function to MD5 and type your new password in the value box. Save, and you can log in with that password immediately. WordPress will rehash it properly on first login.
For deeper trouble, like a hacked site, check the wp_users table for unfamiliar accounts and the wp_options table for a tampered siteurl or admin_email. Delete suspicious users, restore the correct URLs, and then change every password from a clean device.
How to Stop This Happening Again
Prevention is way less stressful than recovery. Start by storing your real login URL, admin username, and recovery codes in a proper password manager like 1Password or Bitwarden. Print your 2FA backup codes and tape them inside a drawer if you have to, just do not lose them.
Keep WordPress core, plugins, and themes updated, but stagger updates rather than clicking update all on a Friday afternoon. Take a backup before each round. Most TPC Hosting plans include automatic daily backups, so you can roll back in one click if an update goes sideways.
Finally, lock down the basics: a strong unique admin password, a limited-login-attempts plugin, and a security scanner that emails you if files change unexpectedly. Add a non-admin user for daily writing tasks so your top-level account is rarely exposed. Small habits, huge payoff.
Frequently Asked Questions
Below are a few quick answers to the questions we hear most often when someone is locked out.
FAQ
How do I find my WordPress login URL if I changed it?
Check your password manager, browser history, or any emails from when the site was built. If you still cannot find it, log into your hosting file manager and look at the settings of your security plugin (often WPS Hide Login or iThemes Security) in /wp-content/plugins/ to see the custom slug.
Can I reset my WordPress password without email access?
Yes. Use phpMyAdmin from your hosting panel to edit the user_pass field in the wp_users table, set the function to MD5, and enter a new password. Alternatively, use WP-CLI over SSH with the wp user update command.
What should I do first if I think my site has been hacked?
Take the site offline or enable maintenance mode, change all passwords from a clean device, scan for malware, and restore from a known clean backup. Then audit user accounts and update everything before going live again.
