The new Magic Links feature allows you to log in to your WordPress site while your username is locked out by the iThemes Security Local Brute Force Protection feature.
When your username is locked out, you can request an email with a special login link. Using the emailed link will bypass the username lockout for you while brute force attackers are still locked out.
Automatic Activation of Magic Links
Once you’ve updated to (or installed) iThemes Security Pro 4.5, Magic Links will be automatically enabled.
You’ll find the new Magic Links Pro module on the iThemes Security > Settings page in your WordPress dashboard.
Click the “Configure Settings” button. The next screen provides an explanation of the feature.
Requesting Magic Link from the WordPress Login Screen
If your username has been locked out during a brute force attack detected by iThemes Security, you’ll see this message on the WordPress login screen.
Simply click the “Send authorized login link” link to receive your Magic Links email.
From your inbox, you’ll find an email sent by iThemes Security that contains your login link.
Are Magic Links Secure?
Yes. iThemes Security delivers the Magic Link email to the email address associated with the username, so an attacker would also need access to the email account of the user. Once the Magic Link is clicked, a username and password must still be entered successfully to login to your WordPress website. Plus, if you have two-factor authentication enabled (which we highly recommend), Magic Links require this secondary code to successfully login.