Why am I being redirected to

Being redirected to the so-called loopback address when logging in to your WordPress site can be frustrating. In this article, we outline why this might be happening and how to fix it along with an explanation of how to access your WordPress site if you are locked out (for advanced users.)


Cookie based brute force prevention is enabled

Where is the setting located?

WP Security -> Brute Force -> Cookie based brute force prevention


A ‘brute force attack’ is a type of hacking attack carried out by a bot. The bot attempts to gain access by using trial and error, entering thousands of password and login information combinations to crack your site. 

Our Brute force prevention feature is a counter to this attack. It works by only allowing access to the website if the browser being used to log in has a specific cookie saved on it. This is a way of verifying the identity of the person trying to access the site. 

For the feature to work, your site’s administrator sets up a secret URL. When you visit that URL, the cookie is automatically installed, redirecting you to the login page. 

If you are trying to access the site without first visiting the secret URL, then you will be redirected to 

Brute Force Prevention is an advanced feature that can be toggled on and off.. You or your site admin would have created the secret URL as part of the setup. The URL is shown on the WordPress dashboard after activating the feature, in the format:


For future login attempts, you will first need to navigate to the secret URL to gain access to the site. 


Country blocking is enabled for your country (AIOS Premium)

Where is the setting located?

WP Security -> Country Blocking -> Country blocking options


The country blocking feature is a security measure available with AIOS Premium that allows you to block traffic from specific countries or regions based on their IP address. This feature can be useful for preventing attacks from known malicious IP addresses or geographic regions with a higher risk of hacking attempts.

If you have inadvertently activated the country blocking feature for the country you are located in, you’ll be redirected to 


404 Lockout

Where is the setting located?

WP Security -> Firewall > 404 detection


You may be redirected to because of a 404 lockout. 

A 404 lockout could occur due to a security feature called “Smart 404 Blocking.” This feature is designed to detect and block repeated requests for non-existent pages on your website, which could indicate a potential attack or hacking attempt.

However, legitimate users (including you) can be locked out if you visit multiple 404 pages within a short space of time.

The good news is that you should be able to regain access to your WordPress site by accessing it from a different IP address and then by removing your IP address from the Blacklist Manager in the main WP Security menu. To regain access to your site, you simply need to use a different IP address to access it. The easiest way to do this is by accessing the site from a different device, such as a tablet or another computer. You can then remove the blocked IP from your blacklist, and you will be able to log in again.


Your IP is blocked

Where is the setting located?

WP Security -> User Login


If you’re redirected to 127.0.01 it could also be because of a login lockout. 

The ‘Login Lockout’ feature is a security measure that can help prevent brute-force attacks on your website’s login page. This feature works by temporarily locking out users who have made too many failed login attempts within a specified time period. If you make too many failed login attempts you can become locked out.


 What to do if I am locked out of my WordPress website (for advanced users)

If you become locked out of your WordPress website, for AIOS free version 5.1.6 or greater, edit your wp-config file and add:


Before the line

/* That's all, stop editing! Happy publishing. */

For older versions navigate to wp-content\uploads\aios\firewall-rules\settings.php in your WordPress installation and modify the following line:


Remove the digit 1 leaving empty quotes like so:


Once disabled, log back into your WordPress site and change the setting that you identified above that is causing you to be locked out.


Being redirected to a loopback address can be a jarring experience that stops you from doing the work that matters on your website. Using this guide and a WordPress security plugin like AIOS can help you to take action and resolve the issue quickly and easily.

If these fixes don’t work, then make sure to check out our WordPress forum and ask your question to our community there; this is available to all users. Further support is available for premium users via our premium support form. You should receive a reply within 24 hours, and are guaranteed an answer within 3 working days. Please note that the support desk is closed on Sundays.

Share This Post

More To Explore...


WordPress security audit checklist

Ensuring your WordPress website’s security is vital for protecting sensitive data, keeping customer trust, and safeguarding your online business. A