Phone: (949)-229-5932 >> Email:


WordPress Site Lockout Messages: Who, Why, and What to Do About Them

A host, At this IP address has been locked out of the WordPress site at Your Website Here due to too many bad login attempts.
The host has been locked out until Year-Month-Day Hour:Minute.

Have you recievd an email containing this message? Most people would be confused about why they received it. You haven’t logged into your blog or WordPress account for a few days, and then this odd message comes along saying that you’ve had bad login attempts.


locked-wordpressYou get this message because of a security feature that’s added to your themes and plugins. If someone tries to log in to your WordPress with a bad password too many times, it locks them out and bans their IP address from trying again for quite some time. This is significant because your IP address does not charge very often anymore. Years ago, this could be circumvented easily by someone using the Command Prompt in any Windows system and the commands ‘ipconfig -release/-renew’.

These days, a person’s IP address is pretty constant. An Internet Service Provider usually controls the IP addresses of everyone connected to each of their servers. To change it, they have to turn their connection off for several hours, or else use a ‘proxy’ server to mask it. So if someone doesn’t know your password, they will likely be locked out for quite some time.

Who tries to access your server/website?

There are several reasons to break into a website. Some people hack just because they can. Others want to add code that will lead users to ads that they get money. While most will do it just because they want to prove that they can, there have been stories about people blackmailing site owners with their own servers! We’ve never heard of it happening, Sony, for example, was hacked and they were blackmailed by the possibility of their internal data going public.

Why does the lockout matter?

The lockout stops repeated attempts to crack your password. There are several ways to learn a password for a website, server, or other computer. One of these ways, or ‘brute force’ cracking is exactly what it sounds like. The malicious user tries every possible combination of password possible and hopes to eventually find it. This can take hours, days, months, or even years with a fast, dedicated computer. A lockout prevents very many combinations from being attempted, and raises the time it takes to break your password exponentially.

An easier method is called ‘social engineering’. Many people make easy to remember passwords based on something in their life. Their name, the name of one of their pets, their cellphone number, or their mother’s maiden name. With a little research, a person who really wants to learn a password this way can likely guess it.  However, they have to guess. After too many wrong guesses, they’re locked out of the system. The lockout makes everything more time-consuming and difficult.

What should you do about these messages?

Nothing, actually!
There’s nothing bad about getting a lockout message. It tells you that someone tried to break into your WordPress site and was blocked! Unless you enjoy letting people into your website, it’s going to be good news every time. However, if you get repeated messages over and over, it also tells you that someone is trying hard to break into your website. You should heed the warning and make sure that all of your passwords are strong. A ‘strong’ password is one that meets 3 of 4 criteria. Those criteria are:

  • Lowercase Letters
  • Uppercase Letters
  • Numbers
  • Symbols

You only need 3 of those 4 things to make a strong password. However, be aware that the longer your password is, the harder it is for someone to guess or learn!

What are some other security options we can set up for your website?

  • Regular Backups: Either we can teach you how to do this, you can have us do it, or we can set up a plugin that emails you backups on a regular basis! If something goes wrong, we can just revert to an older, saved version of the site and plug up whatever hole was used to change it!
  • Updating WordPress: This should be done regularly to close up holes in security, but a lot of people tend to ignore it!
  • We offer other security updates and fixes.
    (See “WordPress Maintenance & Security: Website Security Upgrades & Packages Available to Keep Your Cal Coast Website Secure” for more information.)

These aren’t 100% necessary steps. Each one is optional. It only depends on how much you’re wanting to put into it, just like with any insurance policy. It’s our duty as your local Orange County website designer to present all available options.

If you are getting a lot of these messages, or you’re worried about hackers or pranksters getting onto your website, you may choose to filter these emails inyour own email client so that they bypass you and are automatically archived. Or we can turn off notifications for you as well.

Still need help? Contact us at or call us at 949-229-5932!