A couple months ago, I got the iThemes Security WordPress plugin and set the auto-away mode from 12:00am to 6:00am. After all, I’m asleep at those times and it would make no sense to keep my admin login and backend open at these times. Or so I thought. There were nights where I would stay up late, and just recently on my trip to China, I was locked out in the middle of the local time of day!

In this situation, it’s not possible to unlock yourself by going to your WordPress admin, because it’s locked down. You’ll have to dig into your site’s files, via an FTP client or SSH. When you get to the plugin’s files, one line of code will disable the auto-away lockout until you can change the settings.

What you will need

  • An FTP or SSH Client
    • Preferred: an FTP client. I will demonstrate using the ever-popular FileZilla.
    • Alternate: (for experts only). Command-line SSH access. Must have a CLI text editor such as Vim or Emacs
  • If using the preferred method above: a text editor, such as Notepad++ or Sublime Text. Choice is up to you.
  • Your site’s FTP/SSH details. If you don’t know, ask your site/network administrator or manager. The details you will need are:
    • The FTP host name. Usually this is just your site’s address or something like ftp.yoursitename.com.
    • Port. By default this is 21, although secure connections require port 22.
    • Type of connection: SFTP or FTP.
    • FTP Username
    • FTP Password

Step 1: Getting connected

If you already know how to connect to your site via FTP or SSH, you can skip to Step 2.

Via FTP

Open FileZilla, go to File → Site Manager (Ctrl/Cmd + S). Click the “New Site” button and enter your site’s details. Then, hit the “Connect” button.

If you do not know your site’s FTP connection details, you will need to contact your site administrator.

Via SSH

In an SSH-supported terminal (Terminal for Mac OS/Linux, Cygwin/PuTTY for Windows), type:

ssh myusername@mysite

Replace myusername and mysite with the appropriate details. Then follow the instructions.

Step 2: Get to the plugin

Away mode itsec
The contents of the away-mode directory in FileZilla

In the FTP or SSH client, navigate to your WordPress root. Then, go to the following path:

wp-content/plugins/better-wp-security/core/modules/away-mode

Important note: Depending on when you installed the plugin, the better-wp-security folder may be named something like “ithemes-security“.

Comment: By editing just the Auto Away module, you are ensuring that the other security features of the plugin are not affected. You can also manually disable the plugin by creating a folder called disabled in your wp-content/plugins directory and moving the better-wp-security/ithemes-security folder within. However, this will not change the Auto Away settings once you put the plugin back in its place.

Now you should see a file called class-itsec-away-mode.php. Open this with your text editor. In FileZilla, right click the file, then select “View/Edit”.

Step 3: Edit the plugin file

The critical part. Perform a search for the line “public static function is_active” (Ctrl/Cmd + F in most editors). On the latest version of iThemes, this is on line 27. Now add a new line immediately below:

return false;

What this does is cause the away-mode module to automatically indicate to the plugin, “there is no lock-out in effect”.

Your code around the is_active function should now look like this. You added Line 2.

public static function is_active( $get_details = false ) {
	return false;
	require_once( dirname( __FILE__ ) . '/utilities.php' );

Save the file to the server. FileZilla users: save the file in your text editor and click “Yes” when prompted in FileZilla.

At this point, make sure not to close any FileZilla or text editor windows.

Step 4: Your wp-admin, unlocked

Go to your site’s WordPress Admin. Hooray, it is now unlocked!

Change or remove your site’s Auto Away settings. After you have done that, undo all the changes in your text editor and save the file to the server. That is, remove the return false; line of code that you just added. This is very important lest you want your Auto Away to never work again!

Published by Geoffrey Liu

A software engineer by trade and a classical musician at heart. Currently a software engineer at Groupon getting into iOS mobile development. Recently graduated from the University of Washington, with a degree in Computer Science and a minor in Music. Web development has been my passion for many years. I am also greatly interested in UI/UX design, teaching, cooking, biking, and collecting posters.

20 thoughts on “Locked yourself out with iThemes Security/Better WP Security Auto Away? No problem!

  1. In some cases, AwayMode might not be the problem. It could be the Hide Backend feature which redirects any attempt on the default wordpress admin url to a custom location. Or some other iThemes feature. You could try accessing your plugins direcory under wp-content and temporarily renaming the ithemes folder to anything. This will enable access to the admin panel where you can change/disable any ithemes settings

  2. Please not, as of today (2016-09-19)
    the file has moved to:

    plugins/better-wp-security/core/modules/away-mode/class-itsec-away-mode.php

    The function you’re looking for, and where to place the ‘return false’ is:

    public function run_active_check() {

    return false;
    global $itsec_logger;

    }

    Still works, thanks! 🙂

  3. I had the problem with to many wrong passwords. I didn’t have access to the database so I opened filezilla and browsed threw the iThemes plugin files. I found ‘class-itsec-lockout.php’ which handles the lockout. I emptied the contents of the function ‘execute_lock’ and placed an empty return.

    The lock was now gone, I logged in and added my current IP to the whitelist, changed the file back the way it was and my problem was solved.

    Hope I helped someone with my solution.

  4. Thank you for the quick workaround. Made a mistake by enabling this because didn’t realize my WP timezone wasn’t configured accurately.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.