Emergency Lockdown: Enable, Use, and Recover Yourself
Emergency Lockdown is GuardPress’s site-wide login kill switch — when enabled, every new sign-in across the site is rejected until you flip the toggle off. Existing sessions keep working, so you don’t get logged out of the admin you’re currently in. This is the runbook for when to use it, what happens while it’s active, how to disable it the normal way, and how to recover via wp-config.php if your session has expired and you can’t sign back in.
What Emergency Lockdown Does
Emergency Lockdown hooks the WordPress authenticate filter at priority 100 — after WordPress core’s username/password handler (priority 20) and core’s cookie authentication (priority 30). Because GuardPress runs late in the filter chain, its denial is the final value wp_authenticate() returns and cannot be silently overwritten by another plugin. The result:
- Every new sign-in is rejected, regardless of credential correctness, regardless of surface. This includes
wp-login.php, WooCommerce/my-account/, MemberPress, BuddyPress, theme login forms, REST API basic auth, Application Passwords, XML-RPC, and any custom AJAX login handler. - Existing sessions are not touched. Anyone currently logged in stays logged in and can continue working until their session naturally expires. This is intentional — it means the admin who flipped the switch doesn’t accidentally lock themselves out the moment they enable it.
- An admin notice appears on every wp-admin screen for users with
manage_options, reading: “GuardPress Emergency Lockdown is ACTIVE. All new logins are being rejected site-wide. Existing sessions are unaffected. Disable in settings.” This is non-dismissible so it can’t accidentally get left on. - Two CRITICAL severity entries are written to the audit log — one on enable (action:
emergency_lockdown_enabled), one on disable (action:emergency_lockdown_disabled). The timeline is forensically reconstructable from the audit log post-incident.
Users attempting to sign in see this error inside their login form:
Site temporarily locked down. Sign-ins are disabled
by an administrator. Please try again later.The internal WP_Error code is gp_emergency_lockdown — useful if you’re writing custom error handlers that need to distinguish lockdown rejections from credential failures.
When to Use It
Emergency Lockdown is a deliberately heavy hammer. Reach for it when you need to freeze the front door right now and brute-force lockout / IP blocking aren’t enough on their own.
Good reasons to enable it
- Active credential-stuffing or brute-force attack that’s overwhelming brute-force lockout — attackers rotating through many IPs faster than your block thresholds can keep up
- You suspect an admin password is in a breach corpus and you need to freeze sign-ins while you rotate every admin credential and force-logout all sessions
- You’re actively investigating a suspected compromise and want to prevent new sessions from being created while you triage the file integrity scan, audit log, and database
- Pre-announced maintenance window where you need guaranteed quiet on the auth surface (e.g. rotating session salts in
wp-config.php, migrating to a new auth plugin)
Bad reasons (use a lighter tool instead)
- Routine maintenance — just use WP’s built-in maintenance mode or a coming-soon plugin. Lockdown blocks sign-ins; it doesn’t put up a maintenance page for visitors.
- One specific user attacking you — use IP blocking under GuardPress → IP Management instead. No need to lock out every other legitimate user.
- You forgot to set up 2FA — turn on 2FA. Don’t lock out the entire site as a substitute.
How to Enable Emergency Lockdown
Open Login Protection settings
Go to GuardPress → Settings → Login Protection.
Toggle Emergency Lockdown ON
Save the setting. The change is immediate — the very next sign-in attempt on any surface will be rejected.
Verify the admin notice appears
Refresh any wp-admin page. You should see a red dismissible-looking (but persistent) admin notice across the top reading “GuardPress Emergency Lockdown is ACTIVE. All new logins are being rejected site-wide.” The WordPress Dashboard widget will also show a red “Emergency Lockdown ACTIVE” banner.
Confirm the audit log entry
Open GuardPress → Audit Log and filter for the most recent entries. You should see an emergency_lockdown_enabled entry at CRITICAL severity with the timestamp of the toggle.
If multiple people manage the site, send a quick message to your team first. Anyone whose session has expired will get the lockdown error and won’t know why. Existing sessions are fine, but admins who haven’t been signed in recently can’t help with the incident if they can’t sign in.
How to Disable Emergency Lockdown (Normal Case)
The normal way out is the same as the way in — flip the toggle off:
Sign in to wp-admin from an existing session
Any logged-in session works. If you’ve been working in wp-admin since you enabled Lockdown, your session is still active.
Navigate to GuardPress → Settings → Login Protection
Or click the “Disable in settings” link in the red admin notice at the top of any wp-admin page.
Toggle Emergency Lockdown OFF and save
Sign-ins re-enable immediately. The red admin notice disappears on the next page load. A second CRITICAL audit log entry (emergency_lockdown_disabled) is written for the timeline.
That’s it. The whole disable flow takes about 30 seconds if you have a working admin session. The next section is for when you don’t.
Locked Yourself Out? Use the wp-config Bypass
If Lockdown is ON and you don’t have a working admin session anymore (yours expired before you disabled it, the browser cleared cookies, you tried from a different device), you need to bypass the lockdown check from outside WordPress. GuardPress ships a wp-config constant for this exact scenario.
You need to edit wp-config.php in the WordPress root directory. If you only have wp-admin access and that’s blocked, you need to call your hosting provider or use their control panel’s file manager. There’s no in-browser bypass — that would be a permanent backdoor an attacker could exploit.
Connect via FTP, SSH, or your host’s file manager
Navigate to the WordPress root directory (the one containing wp-login.php, wp-config.php, and the wp-content/ folder).
Open wp-config.php for editing
Find the line that reads /* That’s all, stop editing! Happy publishing. */ — this is the canonical insertion point for custom constants in WordPress.
Add the bypass constant ABOVE that line
Paste this exactly:
define( 'GUARDPRESS_EMERGENCY_BYPASS', true );Save the file.
Sign in to wp-admin
Go to https://yourdomain.com/wp-login.php (or your custom login URL if you have one set) and sign in with your normal admin credentials. Lockdown is being bypassed for your authentication only — everyone else is still locked out.
Disable Lockdown in the admin
Once signed in, go to GuardPress → Settings → Login Protection and toggle Emergency Lockdown OFF. Save.
Remove the bypass constant from wp-config.php
Go back to FTP / SSH / file manager and delete the define( 'GUARDPRESS_EMERGENCY_BYPASS', true ); line you added. Save. Leaving it in is harmless when Lockdown is off (it’s a no-op), but removing it is good hygiene — you don’t want a future you to look at that line and wonder why it’s there.
An IP-based bypass would be easy to configure and easy to misconfigure into a permanent backdoor (an attacker just spoofs the IP). Requiring file-level access to wp-config.php means the bypass cannot be used remotely without compromising the server itself — which is a much higher bar than compromising an admin credential. The bypass is intentionally inconvenient as a security property, not an oversight.
Multi-Admin Considerations
If your site has more than one administrator:
- Co-admins with active sessions can continue working uninterrupted. They’ll see the same red admin notice everywhere, so they know the site is in lockdown mode.
- Co-admins whose sessions have expired will get the lockdown error when they try to sign in. They’ll need to either wait for you to disable Lockdown, or you give them the bypass procedure above.
- Newly-created admin accounts can’t sign in until Lockdown is disabled. Don’t create new admin accounts during a lockdown unless you also have a plan to let them in.
- The bypass constant works for everyone — it’s not user-scoped. If you add it to bypass yourself, every other admin can also sign in while the constant is set. Disable Lockdown and remove the constant promptly so co-admins don’t accidentally use the bypass window for routine sign-ins.
Common Mistakes
Leaving Lockdown on after the incident
The persistent admin notice is loud and non-dismissible specifically to prevent this. But if you only ever check wp-admin from a long-lived session, the notice can blend into the chrome. Set a calendar reminder: “Emergency Lockdown enabled at HH:MM — disable by HH:MM+X.” The audit log’s CRITICAL severity entry on enable makes it easy to find the original timestamp later.
Adding the bypass to wp-config and never removing it
The bypass constant is harmless when Lockdown is off, but it means Lockdown is effectively neutered for your site — if a real attack happens later and someone enables Lockdown, the leftover constant will let attackers right through. Always remove the bypass after recovering.
Using Lockdown when IP blocking would suffice
If one IP (or a small set of IPs) is the source of an attack, IP blocking under GuardPress → IP Management is far less disruptive. Lockdown is for distributed attacks or compromise-investigation scenarios where individual-IP precision isn’t enough.
Forgetting to tell co-admins before enabling
The biggest source of “wait, why can’t I sign in?” messages. Send a heads-up to anyone who might need access during the lockdown window.
Still Stuck? Email Priority Support
If the bypass constant isn’t letting you sign in even after editing wp-config.php — or you need help triaging an active incident that prompted the lockdown in the first place:
Email support@royalplugins.com with the diagnostic info below. Priority email support is included with your GuardPress Pro license — typical response time is within 24 hours, and we treat active-incident lockdown recovery as highest priority.
Information to include in your email
- GuardPress version from WP Admin → Plugins (must be 1.6.13 or higher — Emergency Lockdown shipped in 1.6.13)
- WordPress version from WP Admin → Updates
- What scenario you’re in — routinely enabled lockdown, locked yourself out, suspected active attack, etc.
- Whether the bypass constant works — did you add the line to wp-config.php, did you confirm the file actually saved, did the sign-in error change after adding it
- The exact error message the login form shows you
- Most recent
emergency_lockdown_*entries from GuardPress → Audit Log (if you can access wp-admin via the bypass) - Whether you have FTP / SSH / file manager access to the WordPress root directory — if not, contact your host first since the bypass requires file edit access
If your sign-in problem isn’t Lockdown:
- Locked Out Recovery — if the lockout is from brute-force protection or IP blocking, not Emergency Lockdown
- 2FA Recovery — if 2FA is the gate that’s rejecting the sign-in
- CAPTCHA Blocks WooCommerce / MemberPress / Theme Login Forms — if users get “Please complete the security challenge” on non-wp-login surfaces
- Emergency Lockdown overview — the short feature description on the main GuardPress support page