Wordfence users

I have wordfence settings configured to “lock out after 5 login failures” and “lock out after 3 forgot passwords attempts” but does this mean if someone else tries to login using my username (which is my email) and fails to login 5 times, or does 3 reset password attempts, that they would block me as a user? Does that mean someone else could block me out of my own site due to my configured settings or am I missing something?

  1. Not necessarily. The IP address and location factor in as well if I understand that correctly. But more importantly why would your email address be associated with that website and how did someone find out? And there is always a way to unblock it to (but you need access to the files and or WordPress central). But if someone knows better … you know the drill.

    Also reach out to WF?

    Edit: i mean the visitors ip address. Not the sites. I should also mention you can whitelist your Home/Office ip Address. If your home connection changes frequently (in many locations they do not) this might not be that useful.

  2. It means they (the machine they are attempting to access your site from) are “locked out” of your site. It doesn’t affect your account.

  3. They will be locked out, but this lockout is IP-based, not username-based.

    This means that the lockout will be applied to the IP address of the attacker, not to your username or account. So, even if someone else tries to log in with your username and fails, or attempts to reset your password, they will be locked out based on their IP address, and you will still be able to access your site from your own IP address.

  4. It’s IP based, yada yada, already answered…but just wanted to add that you should also enforce strong usernames, and do an immediate block on non-existing users. They’ll hit “admin”, “webmaster”, and other common names. No reason to let them try 5 times, just block that shit on the first attempt. If you get yourself locked out, as we all do if we log into enough sites often enough to make a typo, switch off your wifi and connect via cell data to rotate IP (or use vpn) and log in more carefully and clear the block for your own IP.

    Secondly, the block time doesn’t need to be long. 99% of these are automated and will move on once blocked. 60 minutes is more than sufficient in most cases. Worst case scenario if you accidentally block yourself, wait an hour.


This site will teach you how to build a WordPress website for beginners. We will cover everything from installing WordPress to adding pages, posts, and images to your site. You will learn how to customize your site with themes and plugins, as well as how to market your site online.

Buy WordPress Transfer