You enabled Brute Force Protection in Trusti Security, and now you are looking at a block screen instead of your own WordPress dashboard. It happens. The same mechanism that stops attackers from hammering your login page can catch you too, especially if you mistype your password a few times, enter the wrong username, or run a security scan from your own IP address.
This guide walks you through exactly how to get back in. No panic needed. The block is temporary, and there are reliable ways to lift it.
Why You Might Be Locked Out
Too many failed password attempts. If you enter the wrong password more times than the configured limit (default is 5), your IP gets blocked for the configured duration (default is 30 minutes).
Wrong username. If the “Block unknown usernames” option is enabled in the Brute Force Protection settings, a single login attempt with a username that does not exist in WordPress will block your IP immediately, without waiting for multiple attempts. This is a common surprise for site owners who forget their login username.
Security scanner running from your IP. If you run WPScan or any other security tool against your site from your own computer or office network, those tools send many requests to wp-login.php and other endpoints. To Trusti Security, that looks like a brute force attack, and your IP gets blocked. Before running a security scan on your own site, either whitelist your IP first or temporarily disable Brute Force Protection for the duration of the scan.
Before You Do Anything: Check If the Block Will Expire on Its Own
Trusti Security blocks are temporary. The default block duration is 30 minutes. If you are not in a hurry and you know you only triggered the limit by accident, you can simply wait for the block to expire and then log in normally.
If waiting is not an option, continue below.
Recovery Option 1: Emergency Access URL (Recommended, Premium Only)
If you are on the Trusti Security premium plan and you set up the Emergency Access module before getting locked out, this is the fastest and easiest way back in. No file access, no FTP, no hosting panel required. One URL and you are done.
Step 1: Visit the emergency access URL
Open a browser on the same connection that is blocked. Visit your site with your emergency string as a URL parameter:
https://yoursite.com/?emergency=your-secret-stringYou can use any page on the site, not just the homepage:
https://yoursite.com/any-page/?emergency=your-secret-stringTrusti Security will detect the parameter, verify the string, and remove the block for your IP on the spot.
Step 2: Log in normally
Go to your login page and log in. That is it.
Did not set this up yet?
This method only works if Emergency Access was enabled and a secret string was configured before the lockout occurred. If you have not set it up yet, use the wp-config.php method below to get back in now, then come back and configure Emergency Access so you have this option available next time.
To set it up: in WordPress admin go to Trusti Security > Emergency Access, enable the module, enter a secret string you will remember, and save. Write that string down somewhere outside of WordPress (password manager, phone note) so you can reach it even when locked out.
Recovery Option 2: The wp-config.php Method (Free and Premium)
This method works for all users on any plan, but it requires FTP, SFTP, or cPanel File Manager access to your hosting account.
Step 1: Find your current IP address
Open a new tab and go to whatismyipaddress.com or simply search “what is my ip” on Google. Write down the IP address shown.
Step 2: Open wp-config.php
Connect to your site via FTP or open File Manager in cPanel. Navigate to the root of your WordPress installation (the same folder that contains wp-admin and wp-content). Open the file named wp-config.php in a text editor.
Step 3: Add the emergency constant
Find the line that reads:
/* That's all, stop editing! Happy publishing. */Add the following line immediately above it, replacing 1.2.3.4 with your actual IP address from Step 1:
define( 'TRUSTI_EMERGENCY', '1.2.3.4' );Save the file.
Step 4: Visit your site
Open your browser and visit your site homepage or any page. Trusti Security will detect the constant, match your IP, and remove the block automatically.
Step 5: Log in normally
Go to your WordPress login page and log in with your usual credentials.
Step 6: Remove the constant immediately
Go back to wp-config.php and delete the line you added. Do not leave it in the file. If you leave the constant in place, it will keep unblocking that IP on every page load. Remove it as soon as you are back inside your admin dashboard.
What about the empty string variant?
You can also set the constant with an empty string:
define( 'TRUSTI_EMERGENCY', '' );This works on both free and premium plans. The difference is that an empty string unblocks any IP address that visits your site, not just yours. Use the specific IP version whenever you can, and either way, delete the constant from wp-config.php immediately after you are back in, especially if you used the empty string version.
If You Are Running Security Scans on Your Own Site
External security scanning tools send many automated requests to login endpoints. To Trusti Security, this is indistinguishable from a real brute force attack, and your IP can get blocked mid-scan.
Before running any external security scan from your own machine or network, do one of the following: add your IP address to the allowlist in Trusti Security under IP Block List settings, or temporarily disable Brute Force Protection while the scan runs and re-enable it when done.
Summary
Premium, Emergency Access URL (recommended): Visit yoursite.com/?emergency=your-secret-string from the blocked connection and log in. Requires setup in advance.
Free or premium, wp-config method: Add define( 'TRUSTI_EMERGENCY', '1.2.3.4' ); above the stop-editing comment, visit your site, log in, then delete the line immediately.
No rush: The default block duration is 30 minutes. Sometimes waiting is the simplest answer.