I had the same problem as the OP, and even reverting to the old version didn’t solve the problem, I was still getting a 403 Forbidden message everytime I logged in.
So I started poking around with things, and it seems like something in the .htaccess file was added in this update is causing the 403 error. I removed all of the iThemes Security stuff from my .htaccess file, and then I was able to get version 4.1.5 working again. (which then added stuff to the .htaccess file, but nothing that broke the site)
Hopefully this helps the developers pinpoint the issue..
On a side note, my logs don’t seem to work now, but I’m hoping that’s just a byproduct of upgrading to the new version and then downgrading again.
The only change in 4.2 to htaccess was the addition of the WPScan agent in the blocked hosts. Would love to see what is causing this for you. Please submit a bug report at http://ithemes.com/security/bugs/ and we’ll work with you to solve it.
If you look at this thread:
http://wordpress.org/support/topic/after-update-to-422-locked-out-of-my-website?replies=1#post-5554075
The OP has an interesting theory as to why this might be happening. If that is in fact the case, anyone with the default username of admin is seriously screwed. (Mine isn’t, but based on the logs, these bad guys have figured out my username as well and just keep trying to crack my PW with brute force)
