Hello, the first thing you should do is to make sure your web site can send messages. There’s a plugin to test it with.
What are you seeing when using the rescue links?
Did you check the spam folder? It is likely that the email with the code is there (if your server is working properly).
Can you try logging in using a username instead of email?
If you’ve been logging in with your email before, make sure to update the plugin as we implemented some changes for that in the new version of the plugin.
If that doesn’t work, see if you can rename the plugin’s directory through FTP (add old_ in the beginning). Then log in normally, rename the plugin back and try to update.
Thread Starter
drc3p0
(@drc3p0)
rescue links resulted in a page that said “an error occured” and nothing else. emails never came in when logging in with the username or email, and I checked everywhere in my inbox. I changed the plugin through FTP to disable it.
I had this same thing happen to me. I don’t receive the email for 2FA and my rescue links also result in an error. When I click them, I just get a page with a text box that says “an error has occurred”. I tried multiple browsers.
My emails work because the plugin is able to email me when someone triggers a lockout and every other plugin that needs to is able to send out emails.
There is definitely some kind of problem with this feature.
I fully agree with merlinx. I do know what I am doing with the website, the fault lies with the plugin. Too bad, it worked beautifully for years before this fiasco.
I had posted the details 3 days ago, but the “moderator” sent me a notice that I must start a new topic -*bizarre*- (it’s not a new topic and the developer hasn’t fixed it yet).
On top of that my message is completely deleted, and I didn’t save a copy. So, my only recourse is to delete this plugin, since there seems to be no way to deactivate 2FA.
A nasty review is my next course of action, which is a shame, since I’m not even sure the developer is seeing these comments.
Hi everyone,
First, I want to sincerely apologize for this. We know how serious it is to be locked out of your own site, and that’s not an acceptable experience.
We recently rolled out 2FA across Limit Login Attempts Reloaded to a very large user base. While it’s working well for most users, situations like this are exactly the kind of edge cases we’re actively identifying and fixing. With millions of sites using the plugin across all kinds of hosting environments, there are unfortunately scenarios that didn’t show up until broader usage.
That said, we take full responsibility here. You should never be in a position where recovery options fail.
What we’re seeing so far
Our dev team is currently investigating an issue where recovery links may fail (including 403 errors) on certain hosting environments. One leading suspicion is that on very low-resource or highly restricted hosting accounts, the decryption process used in the recovery links may not complete properly. This could explain why:
- Backup/recovery links return errors
- 2FA emails work in some cases but not consistently for login
- Everything else on the site appears normal
We’re working on adding safeguards to detect and prevent this scenario entirely.
For now, here’s how to regain access immediately:
- Access your site via FTP/sFTP or your hosting file manager
- Go to /wp-content/plugins/
- Rename the limit-login-attempts-reloaded folder (for example: limit-login-attempts-reloaded-disabled)
This will disable the plugin and allow you to log back in right away.
What we’re doing next
- Adding detection for low-resource environments where this could occur
- Improving fallback behavior so recovery never fails silently
- Making it easier to disable 2FA without risking lockout
- Continuing to monitor and respond to reports like yours closely
If you’re open to it, it would really help our investigation if you could share what hosting provider and plan you’re using. That will help us confirm whether this is tied to resource limits or something else.
Again, we’re very sorry for the disruption here. We appreciate you flagging it, and we’re treating this with high priority.
My host is Siteground and I have the GrowBig plan.
Even larger shared hosting plans limit their processes to make sure other users on the same server don’t get impacted. We are working on expanding the log, so that we could catch such cases better. We plan on releasing this in the upcoming version of the plugin.
