This article assumes that the user is trying to access their WordPress site directly through site.com/wp-admin as opposed to SSO>cPanel>Installatron.
By default, all WordPress installations on Reclaim Hosting’s servers come with the WP Limit Login Attempts plugin already installed as a protective measure from Brute Force attacks. A brute force attack is essentially someone (or something) trying to access your website through the login portal by entering different username/password combinations over and over again until he/she/it is in. To avoid this, the plugin limits the user to 5 login attempts within a three minute period. Any more than that and the user’s IP address will be temporarily blocked for 30 minutes.
Aside from the obvious benefits here, it probably goes without saying that plugin can create some negative side effects as well. Most commonly: an account owner can’t remember his/her site credentials, attempts to log in one too many times, and then is blocked from their site.
So, one really easy way to avoid the “I can’t remember my password and am locked out of my site” scenario is to reset the user’s password before that happens. You can learn how to do this by reading section 1 of this article.
If, however, the user gets locked out from trying to log in too many times, you can unblock the user’s IP address in CSF, and then temporarily rename the limit logins plugin to something like limit-login-attempts_off so you can have access to the user’s dashboard. Temporarily renaming a plugin/theme is explained at the bottom of this article.