If you see the message “Your IP has been flagged for potential security violations” after entering wrong credentials or 2FA codes, WP Ghost’s brute force protection has temporarily blocked your IP address. By default, 5 failed attempts triggers a lockout. Here are three ways to regain access.
Wait for the ban to expire
The default ban duration is 15 minutes. After the ban expires, you can try logging in again. Use the correct credentials carefully to avoid triggering another lockout. To prevent future lockouts, whitelist your IP at WP Ghost > Brute Force > Whitelist after you regain access.
Use the Safe URL from WP Ghost Dashboard
Log in to your WP Ghost Dashboard (cloud account) and find your connected website. Click the Safe URL link. This temporarily deactivates WP Ghost so you can access the default WordPress login page without brute force restrictions. WP Ghost reactivates automatically after you log in to the WordPress dashboard.
Disable WP Ghost via FTP or File Manager
If you don’t have access to the WP Ghost Dashboard, deactivate the plugin through your hosting file manager or FTP. Navigate to /wp-content/plugins/ and rename the hide-my-wp folder to hide-my-wp1. This deactivates the plugin and removes the brute force lockout. Log in to WordPress with your credentials, then rename the folder back to hide-my-wp to reactivate the plugin.
After regaining access, go to WP Ghost > Brute Force and clear your blocked IP from the list. To prevent future lockouts, add your IP to the whitelist. For the full emergency recovery guide, see Disable WP Ghost in Case of Error.