I’m locked out of my WordPress site

Summary: if you cannot log in due to Clef 2FA's password disabling, restore password-based access by deleting the /wp-content/plugins/wpclef/ folder via SFTP, SSH, WP-CLI, or your control panel's file manager.

To be locked out by the Clef for WP plugin* means that you cannot log in because

  1. you are running the Clef WP plugin in with passwords disabled for your admin user,
  2. you did not set an override URL,
  3. and for one reason or another you cannot log in with your Clef mobile app.

If all three are true in your case, then follow these steps to regain access to your WordPress Dashboard:


Verify that you are truly locked out by loading your login page and looking for the “log in with a password” option at the bottom of the Clef Wave.

If you see this option, and if you have not disabled passwords for Clef accounts or for your WordPress role, then you are not locked out; click on this link to log in with your password.

If you see this option but you have disabled passwords for your WordPress role, then, when you try to log in with your password, you will receive a notification that “Passwords have been disabled for this user.” In this case, proceed to step two.


Delete the Clef plugin.

Using either your web hosting control panel, FTP, or SSH access, delete the /wp-content/plugins/wpclef folder. Ordinary password-based access to your WordPress Dashboard will be restored immediately once this folder is deleted.

If you do not have access to your web server's files via one of these means, then please contact your web hosting provider’s support team, and request that they delete this folder.


Re-install Clef and configure Clef’s password settings. If you disable passwords, then setting a secure override URL is recommended.

*Non-Clef lockouts such as Limit Login Attempts' IP-based lockouts

Please note that you might be locked out due to another cause besides the Clef 2FA plugin. For example, if you are seeing an error message that says something like: 

ERROR: Incorrect user name or password.
3 Attempts remaining.

Then it is highly likely that either you or your web hosting provider is running a version of the Limit Login Attempts plugin. According to the LLA FAQ, the options for recovering from a LLA IP-based lockout are as follows:

Either wait [the default wait time is normally 20 min., though this might have been adjusted by your hosting provider], or:
1. If you know how to edit / add to PHP files you can use the IP whitelist functionality described above. You should then use the "Restore Lockouts" button on the plugin settings page and remove the whitelist function again.
2. If you have ftp / ssh access to the site rename the file "wp-content/plugins/limit-login-attempts/limit-login-attempts.php" to deactivate the plugin.
3. If you have access to the database (for example through phpMyAdmin) you can clear the limit_login_lockouts option in the wordpress options table. In a default setup this would work: "UPDATE wp_options SET option_value = '' WHERE option_name = 'limit_login_lockouts'"