The iThemes Security plugin includes a WordPress brute force protection feature to protect your site against attackers who try to randomly guess login credentials to your WordPress website. With this feature, however, legitimate usernames may be locked out during a brute force attack after a certain threshold of bad login attempts has been met.
To combat username lockouts for legitimate users, the latest version of iThemes Security Pro introduces a new Magic Links feature to provide an alternative login method for locked out users.
Introducing Magic Links to Bypass iThemes Security Username Lockouts pro
The new Magic Links feature allows you to log in to your WordPress site while your username is locked out by the iThemes Security Local Brute Force Protection feature.
When your username is locked out, you can request an email with a special login link. Using the emailed link will bypass the username lockout for you while brute force attackers are still locked out.
Automatic Activation of Magic Links
Once you’ve updated to (or installed) iThemes Security Pro 4.5, Magic Links will be automatically enabled.
You’ll find the new Magic Links Pro module on the iThemes Security > Settings page in your WordPress dashboard.
Click the “Configure Settings” button. The next screen provides an explanation of the feature.
Requesting Magic Link from the WordPress Login Screen
If your username has been locked out during a brute force attack detected by iThemes Security, you’ll see this message on the WordPress login screen.
Simply click the “Send authorized login link” link to receive your Magic Links email.
From your inbox, you’ll find an email sent by iThemes Security that contains your login link.
Are Magic Links Secure?
Yes. iThemes Security delivers the Magic Link email to the email address associated with the username, so an attacker would also need access to the email account of the user. Once the Magic Link is clicked, a username and password must still be entered successfully to login to your WordPress website. Plus, if you have two-factor authentication enabled (which we highly recommend), Magic Links require this secondary code to successfully login.