When you cannot log into WordPress, the cause is usually one of five things: a reset email that never delivers, a security plugin lockout, a moved login URL, a cookie failure, or a compromised account. Every one has a documented recovery path through the database or FTP that needs no password. We restore admin access for $49-$79, usually in about half an hour.
A WordPress login is a chain with several links, and a break in any one of them locks you out. When you submit the form at wp-login.php, WordPress checks your password against the hashed value stored in the wp_users database table, then sets authentication cookies in your browser, after first writing a small wordpress_test_cookie to prove cookies work at all. Getting locked out means one link failed: the reset email never arrives because site email is broken, a security plugin banned your IP after failed attempts, a plugin moved the login page so wp-admin returns a 404, the cookie write fails, or the credentials themselves were changed, sometimes by an attacker. The important thing to know is that every one of these has a documented recovery path through the database or FTP that does not require the password. Your site keeps running while you are locked out, but so does everything wrong with it, which is why regaining access fast matters.
Fix This Error Now →Cannot Login to WordPress can be caused by several issues. Here are the most common.
The most common dead end. WordPress sends reset links through the same email system as everything else on the site, and most unconfigured servers send mail that gets rejected or spam-filtered. The password problem is real, but the blocker is broken site email. The recovery is resetting the password at the database level instead.
Wordfence and similar plugins block an IP or account after repeated failed logins. Your own typos can trigger it, and so can a bot hammering wp-login.php with your username at the same time you are trying to get in. Lockouts expire on a timer, but the documented immediate fix is deactivating the plugin over FTP by renaming its folder.
Login-hiding plugins move wp-login.php to a custom address like /my-secret-login and make the old one return 404. It is a legitimate hardening tactic that becomes a lockout the day nobody remembers the custom URL, which is exactly what happens with inherited sites. The custom path is recoverable from the plugin's settings in the database.
The exact message is "Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress." WordPress writes a wordpress_test_cookie before authenticating, and when that write fails the login cannot proceed no matter how correct the password is. Caching plugins caching the login page and misconfigured cookie domain constants are the usual culprits.
If your password stopped working and the reset email goes to an address you do not recognize, treat it as a compromise. Attackers change the admin password and email first. WordPress invalidates all existing login cookies whenever a password changes, so being suddenly logged out everywhere is itself a signal worth taking seriously.
A botched migration, a database cleanup gone wrong, or a departing contractor can leave the site with no administrator account at all. WordPress happily runs without one. You log in successfully as a lower role and find the dashboard nearly empty, or your username simply no longer exists. A new admin can be created directly in the database.
WordPress stores its address in the siteurl and home options, and the login flow redirects through them. If they point at an old staging domain or the wrong protocol after a migration or an SSL change, logging in bounces you somewhere that cannot set a valid cookie. This overlaps with the classic login redirect loop, which has its own dedicated fix page.
A plugin or theme crash can break wp-login.php specifically: you see a white screen or critical error instead of the form. Stray whitespace or a corrupted file that produces output before WordPress sends headers will also break the cookie handshake. The debug log names the file responsible.
A lost phone, a reinstalled authenticator app, or an expired device with no saved backup codes turns two-factor security into a wall. Every reputable 2FA plugin has a documented file-level or database-level disable path for exactly this situation, and access is recoverable without weakening the site permanently.
Identify the exact failure mode first: wrong password, no reset email, lockout message, missing login page, cookie error, or a redirect loop. Each one has a different recovery path and guessing burns time
Reset the password directly in the database using the method WordPress itself documents: update the user_pass field in wp_users with an MD5 hash, which WordPress accepts and silently re-hashes to its stronger format on first login
Where SSH access exists, use WP-CLI to reset the password or list users in seconds without touching the database by hand
If a security plugin caused the lockout, deactivate it at the file level by renaming its folder inside wp-content/plugins over FTP, restore access, then re-enable and reconfigure it so it stops locking out legitimate logins
If the login page 404s, recover the custom login URL from the hiding plugin's settings in the database, or disable that plugin the same file-level way
For cookie errors, exclude wp-login.php from every cache layer, clear the caches, and correct any cookie domain constant in wp-config.php that does not match the site's actual domain
Correct the siteurl and home values in the database if the login flow redirects to a wrong domain or protocol
If no admin account remains, create a fresh administrator directly in the database and verify its capabilities load correctly
If the credentials were changed by someone else, treat it as an incident: rotate every password and secret key, audit users and recently modified files, and check for malware before considering the job done
Fix the underlying weaknesses before closing out: working SMTP email so reset links deliver, two-factor with saved backup codes, and a documented login URL
Being locked out of your own WordPress site is frustrating. Whether you forgot your password, the login page is broken, or something else is wrong, here is how to get back in.
Click "Lost your password?" on the login page. Enter your email. Check inbox AND spam for the reset link. If you do not receive it, WordPress email might be broken.
Log into cPanel, open phpMyAdmin, select your WordPress database, open wp_users table, find your user, click Edit, and change user_pass to a new password using MD5 encryption.
If wp-admin redirects endlessly or to the wrong URL, your WordPress Address might be wrong. Fix via phpMyAdmin in wp_options table: siteurl and home values.
Security plugins can lock you out. Via FTP, rename /wp-content/plugins/wordfence (or your security plugin folder) to wordfence_disabled. Try logging in again.
Security plugins block IPs after failed attempts. Wait 15-30 minutes, or rename the security plugin via FTP, or whitelist your IP in the plugin settings.
Via FTP, edit your active theme's functions.php and add wp_set_password('YourNewPassword', 1); right after the opening php tag. The 1 is the user ID of the first admin account. Log in, then remove the line immediately. It resets the password on every page load while it is present.
If nothing works and you have a recent backup, restore it. Make sure to save any content changes made since the backup first.
DIY is great, but sometimes you need expert help. Consider calling us if:
You cannot access cPanel, FTP, or phpMyAdmin
The login issue started after a hack (do not just fix login, address the hack)
You do not have database access
Fixing one thing breaks another
You are not comfortable editing database values or PHP files
Fixed in 2 hours or your money back. We do not waste time.
No hourly billing. You know the price before we start.
Cannot fix it? You do not pay. Zero risk to you.
WordPress sends reset emails through the site's own mail system, and on most hosts that means unauthenticated messages that mail providers silently reject or spam-filter. Check spam first, but if nothing arrives, the site's email is broken and no amount of clicking Lost your password will help. The fix is a database-level password reset, and afterwards the site email itself should be fixed with proper SMTP so this dead end disappears.
Most lockouts expire after a set time, so waiting 15 to 60 minutes sometimes resolves it. The immediate fix is deactivating the plugin without logging in: connect over FTP or your host's file manager, open wp-content/plugins, and rename the plugin's folder, for example wordfence to wordfence_disabled. WordPress deactivates a plugin whose folder is missing. Log in, then reinstate and reconfigure the plugin so its brute-force rules stop catching you.
A login-hiding plugin almost certainly moved it. These plugins register a custom login address and deliberately 404 the standard wp-login.php and wp-admin paths for anyone who does not know it. The custom path is stored in the plugin's settings in the wp_options database table, so it can be recovered through phpMyAdmin, or the plugin can be disabled by renaming its folder over FTP, which restores the standard login address immediately.
Before authenticating you, WordPress writes a small test cookie called wordpress_test_cookie to confirm your browser accepts cookies. When that write fails, login stops with this message. A genuinely cookie-blocking browser is the rare cause. More often a caching plugin has cached the login page so the cookie never gets set, or a cookie domain constant in wp-config.php points at the wrong domain. Clearing cookies and the site cache is the documented first step.
That is the WordPress login redirect loop, and it is a different animal from a rejected password: your credentials are fine, but the authentication cookie is not surviving the redirect. Mismatched siteurl and home values, an HTTPS migration, or a caching layer are the usual causes. We cover the loop mechanism and its fixes in depth on our login redirect loop page, and we fix it the same day.
Possibly, and it deserves immediate attention. Attackers who gain admin access typically change the password and the admin email address first, which simultaneously locks you out and breaks the reset path. One useful signal: WordPress invalidates every logged-in session when a password changes, so if you were abruptly logged out on all devices before the lockout, someone changed it. We restore access first, then audit users, files, and the database for compromise before calling it fixed.
Yes. WordPress documents several recovery paths that do not require the current password: updating the user_pass field in the wp_users table with an MD5 hash that WordPress upgrades on login, a WP-CLI password reset over SSH, and a temporary wp_set_password line in the theme's functions.php. None of these touch your content, settings, plugins, or media. They change one field on one user row, and everything else on the site stays exactly as it was.
Most login fixes cost $49-$79. Database password resets, security plugin lockouts, and recovered login URLs sit at the low end. Cases involving a compromised account cost more, typically $99-$149, because restoring access is only the first step: the malware cleanup and security hardening that follow are the real work. You get a firm quote before we start, and if we cannot restore access, you pay nothing.
Our average login fix takes about 34 minutes. Database password resets and plugin-folder renames restore access in the first 10 to 15 minutes once we have FTP or hosting panel credentials. The remaining time goes into fixing the cause, whether that is broken reset email, an overzealous security rule, or wrong site URL values, so the lockout does not repeat next month.
Four habits eliminate nearly all repeat lockouts: use a password manager so the password is never mistyped or forgotten, set up two-factor authentication and store its backup codes somewhere safe, fix site email with authenticated SMTP so reset links actually deliver, and write the custom login URL down wherever your team keeps credentials. If you run a security plugin, allowlist your own static IP so its brute-force protection never targets you.
Every technical claim on this page traces back to primary documentation and the named vendor references below.
Plugin, theme, critical error, PHP, and update fixes in one place.
Visit the WordPress Repair hub →Get cannot login to wordpress fixed today. Expert engineers. 2-hour guarantee.
Fix My Error Now →