It's easy to be overzealous and apply very strict security settings for the Web Application Firewall of Admin Tools. An overzealous configuration, a misbehaving third party extension or a misconfigured server can cause you to be accidentally locked out of your own site. Here we'll see how to fix that.
The failsafe way to regain access to your site's administrator backend is using an FTP application or your hosting control panel's File Manager to rename a file.
Go inside the
directory on your site. You will see a file named
main.php. Rename it to
main-disable.php. This means that Admin Tools can
no longer load its code files which implement the Web Application
Firewall features. This effectively disables the Web Application
Firewall from executing and you can access your site's back-end
After you have fixed the cause of your issue remember to rename
main-disable.php back to
main.php, otherwise your site will remain
If you have used the Optimize WAF feature in Admin Tools you will also need to do two more things.
First, edit the file admintools-waf.php in the root of your site and remove all of its contents. This disables the automatic loading of Admin Tools whenever you try to access WordPress or a .php file on your server.
Second, delete the file
wp-content/mu-plugins/admintoolswp.php This is another file
used by WordPress to load Admin Tools' Web Application Firewall
At this point the Optimize WAF feature is effectively removed. After addressing your issue and making sure everything on your site works fine please remember to run the Optimize WAF again.
Finally, it is worth noting that there is the “nuclear option„,
i.e. renaming the entire
wp-content/plugins/admintoolswp folder. This
means that WordPress can no longer load Admin Tools AT ALL (including
its administration interface). We do NOT recommend doing that and it
is never necessary. The only reason someone would like to do that is
to convince oneself that Admin Tools is unrelated to the issue they
are experiencing. Code which doesn't load does not run. Code which
does not run cannot affect your site.
There are two cases where renaming the Admin Tools main.php file will not help you. These are the two cases where Admin Tools has created a server configuration file, meaning that you are blocked by your server, not Admin Tools.
The first case is the
The other case is when you've used the .htaccess
Maker feature of Admin Tools. In this case there's a
.htaccess file in your site's root. You may want
to replace its contents with the default WordPress
.htaccess file content.
In both cases you should note that the files have names beginning with a dot. That makes them hidden. You will need to enable the display of hidden files to edit / delete those files. If you are unsure how to do that please ask your host and tell them that you need to edit/delete hidden files. Usually they will point out an option in their hosting control panel's file manager.
If you are still blocked your issue is unfortunately unrelated to Admin Tools. Do you have another security plugin on your site? If you do, check its settings. If not, check with your host. More often than not, hosts have their own server security systems which can block you out of your site. If you are unconvinced follow the the instructions under "Using FTP..." above. Doing that you prevent WordPress from loading Admin Tools' code at all. If you can reproduce your issue when WordPress cannot load Admin Tools' code you can be certain that your issue is completely unrelated to Admin Tools. Code which isn't loaded cannot run. Code which doesn't run cannot affect your site.
In most cases the easiest way to unblock yourself is simply going to, and click the big Unblock My IP button. If this doesn't work, or the button is not visible, follow the instructions below.
Do remember to end the Rescue Mode or renamed back main.php after you're done unblocking yourself!
Go toand click the button. Delete all records with your own IP address. Then, go back to Web Application Firewall and click on the button. Select the record showing your IP address and click on the button to delete the block.
Don't know what your IP address is? Just visit whatismyipaddress.com to find out!
If this problem keeps happening without you doing anything and the IP blocked is NOT the same as the one reported by whatismyipaddress.com you will have to do one more thing. Go to , , and click on the button. In the first tab set Enable IP workarounds to Yes, no matter what the automatically detected recommendation is.
If that was not the case, you have two options. The first is to troubleshoot the reason of the ban. Go to Reason and Target URL for the entries which have your IP address in the IP address field. Find the reason in the "List of blocking reasons" documentation page to find out why you're being blocked. If you are not sure what that means, please file a support ticket remembering to copy the information from the Security Exceptions Log. Kindly note that you need to have an active subscription to receive support., , , and check the
The second option at your disposal is adding your IP address to either of the IP whitelists, as follows.
The first approach is to add your IP address to the Administrator IP Whitelist. Using this option will limit access to the administrator section of your site only to the IPs listed in the whitelist. We strongly recommend you to not use it unless you and all of your back-end users have static IP addresses. In all other cases you may get blocked out of your site. Go to, , and click the button. Add your own IP address.
The second approach is to use the Safe IP List. All IPs in that list will not be automatically banned. In order to do that, go to Auto-ban Repeat Offenders area find the Never block these IPs field. This is a comma-separated list. Add the IPs you want to never be automatically blocked separated by commas on that list., , and click on the button. Inside the
If you have enabled administrator IP white-listing, you have to make sure that your IP address is included in the white-list in order to be able to access your site. Go to, , and click the button. Add your own IP address.
Don't use the Administrator IP Whitelist if your ISP assigns an IP address dynamically. This is the default unless you are paying them extra for a "static IP".
If you have enabled IP black-listing, you have to make sure that your IP address is not included in the blacklist in order to be able to access your site. Go to, , and click the button. Remove your own IP address.
If you have forgotten your Administrator Secret URL parameter go to Components, Admin Tools, Web Application Firewall, Configure WAF, click on the Basic Protection Features tab and find the Administrator secret URL parameter option. Change or remove all of the text in that box to reset or unset, respectively, this feature.