attributes WP

Get Started

Emergency Admin Access Recovery

Version: 1.2.1 ProLast Updated: December 2025Difficulty: AdvancedTime Required: 15 minutes

Overview

When security features lock you out of your own site, quick recovery is critical. This guide provides emergency access methods when 2FA, IP blocking, or other security features prevent admin login.

Emergency Access Methods

Method 1: Disable via wp-config.php

Fastest recovery – Add to wp-config.php:


// Add BEFORE "That's all, stop editing!" line

// Disable ALL Attributes security features temporarily
define('ATTRUA_EMERGENCY_DISABLE', true);

// Or disable specific features:
define('ATTRUA_DISABLE_2FA', true);
define('ATTRUA_DISABLE_IP_BLOCKING', true);
define('ATTRUA_DISABLE_PASSWORD_POLICIES', true);

Access wp-config.php via:

  • FTP (FileZilla, WinSCP)
  • cPanel File Manager
  • SSH/command line

After regaining access:

  • Fix the security configuration
  • Remove emergency disable lines
  • Test access still works
  • Re-enable security features properly
Security Risk: These constants disable security for entire site. Remove immediately after recovery.

Method 2: Rename Plugin Folder

Via FTP or File Manager:

  • Connect to server via FTP
  • Navigate to: /wp-content/plugins/
  • Find folder: attributes-user-access-pro/
  • Rename to: attributes-user-access-pro-disabled/
  • WordPress will deactivate plugin automatically
  • Log in via wp-admin
  • Rename folder back to original name
  • Reactivate plugin
  • Fix configuration

Pros:

  • Completely disables plugin
  • No code changes needed
  • Instant access

Cons:

  • Temporarily removes all plugin functionality
  • Settings preserved but features disabled
  • Requires FTP access

Method 3: Database Disable

Via phpMyAdmin or MySQL command line:

Disable 2FA:


-- Disable 2FA for all users
DELETE FROM wp_usermeta WHERE meta_key LIKE 'attrua_2fa%';

-- Or just for specific user (ID 1 = usually first admin)
DELETE FROM wp_usermeta 
WHERE user_id = 1 
AND meta_key LIKE 'attrua_2fa%';

Disable IP Blocking:


-- Turn off IP blocking
UPDATE wp_options 
SET option_value = '0' 
WHERE option_name = 'attrua_ip_blocking_enabled';

-- Clear IP whitelist/blacklist
TRUNCATE TABLE wp_attrua_ip_whitelist;
TRUNCATE TABLE wp_attrua_ip_blacklist;

Disable Password Expiration:


-- Remove password expiration for all users
DELETE FROM wp_usermeta WHERE meta_key = 'attrua_password_expires';

Method 4: Create Emergency Admin

When primary admin locked out:


-- Create new admin user via database

-- Insert new user
INSERT INTO wp_users (
    user_login, 
    user_pass, 
    user_email, 
    user_registered
) VALUES (
    'emergency_admin',
    MD5('TempPass123!'),  -- Change immediately after login!
    'emergency@yoursite.com',
    NOW()
);

-- Get new user ID (use highest number from query)
SELECT ID, user_login FROM wp_users ORDER BY ID DESC LIMIT 5;

-- Grant administrator role (replace 999 with actual ID)
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) 
VALUES (999, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');

INSERT INTO wp_usermeta (user_id, meta_key, meta_value) 
VALUES (999, 'wp_user_level', '10');

Login details:

Username: emergency_admin

Password: TempPass123! (change immediately!)

After login:

  • Go to Users → All Users
  • Fix original admin account
  • Delete emergency_admin account
  • Or change emergency_admin password to secure one for future emergencies

Method 5: WP-CLI Recovery

If you have SSH/command-line access:



Navigate to WordPress root directory

cd /path/to/wordpress


Disable 2FA for user

wp user meta delete admin_username attrua_2fa_enabled


Reset password

wp user update admin_username --user_pass="NewSecurePassword123!"


Create new admin user

wp user create recovery recovery@yoursite.com --role=administrator --user_pass="TempPass123!"


Deactivate plugin temporarily

wp plugin deactivate attributes-user-access-pro


Reactivate after fixing

wp plugin activate attributes-user-access-pro

Preventing Future Lockouts

1. Maintain Emergency Access

Keep emergency admin account:

Create backup admin account:

Username: backup_admin_[random]

Role: Administrator

2FA: Disabled

IP Whitelist: Exempt

Store credentials securely:

  • Password manager
  • Encrypted document
  • Secure company vault

2. Whitelist Your IPs

Before enabling IP security:

Add these to whitelist FIRST:

  • Your office IP
  • Your home IP
  • Your VPN exit IP
  • Backup access location IP
  • Server/hosting IP (for cron jobs)

Test access after each addition

3. Configure 2FA Properly

Safety measures:

✓ Enable 2FA for admins gradually

✓ Test with secondary admin account first

✓ Generate recovery codes for each admin

✓ Keep one admin without 2FA initially

✓ Ensure email delivery working before enabling

4. Document Access Procedures

Create runbook:

Emergency Access Runbook

FTP Access:

Host: ftp.yoursite.com

Username: [encrypted]

Password: [in vault]

phpMyAdmin:

URL: https://yoursite.com/phpmyadmin

Username: [encrypted]

Password: [in vault]

Emergency Contacts:

Hosting Support: [phone]

Backup Admin: [email/phone]

5. Regular Backups

Backup before security changes:

Before enabling:

  • 2FA
  • IP blocking
  • Password policies
  • Force login

Take full backup:

  • Database backup
  • wp-content folder
  • wp-config.php

Store securely offsite

Recovery Testing

Test Emergency Procedures

Quarterly drill:

  • Simulate lockout (use test site/staging)
  • Practice each recovery method
  • Time how long each takes
  • Update documentation
  • Ensure backups accessible
  • Verify FTP credentials still work

Staging Environment

Always test on staging first:

  • Clone production to staging
  • Enable security features on staging
  • Test all access scenarios
  • Verify recovery procedures work
  • Document any issues
  • Then deploy to production

Common Lockout Scenarios

Scenario 1: IP Change

Problem: Office IP changed, now whitelisted IP invalid

Recovery: Method 1 (wp-config.php disable) or Method 2 (FTP rename)

Prevention: Whitelist IP range (/24) instead of single IP

Scenario 2: 2FA Email Issues

Problem: Email server down, can’t receive 2FA codes

Recovery: Method 3 (database disable 2FA)

Prevention: Configure SMTP, test regularly, keep recovery codes

Scenario 3: Password Expired

Problem: Password expired, can’t reset due to email issues

Recovery: Method 3 (database remove expiration)

Prevention: Longer expiration period for admins, SMTP configured

Scenario 4: Multiple Security Features

Problem: Locked by 2FA + IP blocking + expired password

Recovery: Method 1 (wp-config.php – disables all)

Prevention: Enable one security feature at a time, test thoroughly

When to Contact Support

Seek professional help if:

    • No FTP/database access available
    • Hosting provider locked the account
    • Unknown plugin conflict causing issues
    • Database corrupted or inaccessible
    • Site shows white screen (fatal error)
    • Multiple recovery attempts failed

Contact: support@attributesframework.com

Provide: WordPress version, PHP version, error messages, steps already tried

Best Practices

Test Before Production

Always test security features on staging site first.

Keep Alternative Access

Maintain one admin account without advanced security enabled.

Document Everything

Keep emergency procedures documented and accessible offline.

Backup Before Changes

Full backup before enabling any security features.

Layer Security Gradually

Enable features one at a time. Test each thoroughly.