Blocking Troubleshooting

What to do if you locked yourself out or are experiencing unwanted blocks.

What is Wordfence?

Wordfence is a security plugin for sites that use WordPress. It provides various features and configuration options for site owners to protect their sites from intrusion.

If you have been blocked or locked out from a site that is not your own

Please contact the site owner to regain access. If you believe you should not have been blocked, it is possible that the owner has chosen settings that are too strict, or they may have a server configuration issue that causes unintended blocking. See the “Block Reasons” section below for the information the site owner will need to help you regain access.

Note that some site owners choose to block countries where they do not conduct business or VPN services where different visitors appear to visit from the same IP address.

If the block page does not include instructions for contacting the site owner, the tips below may help you reach them.

They may have accounts with Facebook, Twitter, or LinkedIn, for example, that you can search for.

Using the site below, you can do a WHOIS search of the domain name, which may list the site owner’s email address in the domain name registrant information:

http://whois.domaintools.com

If the site has a contact page then Google may have a cached copy of their contact page which you can view. This may list an email address or phone number. Note that a contact submission form will not work on a cached copy of a contact page. You can do a Google search to see if they have a contact page by running one or both of these advanced Google search operators:

site:example.com intitle:contact
site:example.com inurl:contact

If they do have a contact page listed in a Google search that is cached, then you can use the “down arrow” icon and click on the “Cached” button to view that page.

If you locked yourself out

The following instructions are for site owners. If you are trying to regain access to a site that you do not own or manage, please contact the site owner for access. See the section above for tips on how to contact the site owner.

First, make sure that it is actually Wordfence that is locking you out of your site. There are many plugins that offer blocking features. See the “Block Reasons” section below to determine if you were blocked by Wordfence. If you post on our WordPress.org support forum for assistance, make sure you include the “Reason: [explanation]” text or a screenshot of the block page so that we can tell you what to change to prevent getting blocked in the future.

If you are an administrator on the site, the blocking page offers to send you an email to unlock your own access. On most modern hosts, these emails should arrive within seconds or minutes. If your site is unable to send emails, or if it takes so long to arrive that the recovery link in the email has already expired when you receive it, then see the end of this article for another option.

Note that Wordfence block pages include a “Generated by Wordfence” timestamp message at the bottom of the block page, which shows the date/time that the message was generated and the date/time from your browser. If these times are not close together, it is very likely that the page has been cached incorrectly, despite the use of headers that should prevent caching. If your host uses a cache such as Varnish, it can sometimes be the cause, and you may need their help to prevent caching pages that should not be cached.

Block Reasons

You are temporarily locked out

If you see this message, it means that your IP address has been blocked because the login attempt violated a brute force login attack rule in Wordfence. You may have attempted to log in with an invalid username or you may have made more attempts to log in than are allowed. You will be locked out for the time period the site owner has specified in Wordfence’s “Brute Force Protection” options. If you are an administrator on the site, use the unlock email function provided on the “You are temporarily locked out” page to regain access to your site. If you are not an administrator on the site, contact the site owner for assistance.

Your login attempt has been blocked because the password you are using exists on lists of passwords leaked in data breaches.

If you see this message when trying to log in to your site, it is because we have found that your password is on a list of breached credentials. When large websites are breached, user data is sometimes leaked, including passwords. These leaks are used to compile lists of passwords. Malicious actors run bots that make large numbers of login attempts on WordPress sites using those passwords. There are several scenarios in which you are at risk:

1. Your password may by pure coincidence be the same as one on such a list. Bots will try these passwords on a variety of sites and may eventually find a match on your site.
2. You are using the same email or username/password combination on your WordPress site as you have used on other sites in the past, and those credentials were at some point leaked. In that case, only one attempt may be needed to breach your site.

If you are an administrator using a leaked password, you may see a notice in WordPress on all admin pages prompting you to change your password. Please change your password to a safe, strong password immediately. As soon as your IP address changes (which can happen under many different circumstances), you will be locked out of your site as described above.

You can enter your email address here to see if it has appeared in data breach leaks:

https://haveibeenpwned.com/

For your security, we will block any attempts to log in with passwords that exist on breached password lists. You can regain access to your site by resetting your password and choosing a new, strong password. If another plugin or your theme prevents password resets on your site, you can also temporarily disable Wordfence, log in, and then change your password. See the section “Forcefully regain access to your site” below.

It is possible to disable this feature in Wordfence. Read more about the option here.

You can also read more about why we implemented this feature on our blog.

Your access to this site has been limited

If you see this message it means that your IP address has been blocked by the Wordfence firewall via an option configured by the site owner. On the block page, you will see a “Reason” describing why you were blocked. If you are an administrator on the site you can use this reason to adjust your Wordfence settings. This may be due to the country blocking or rate limiting features. If you are not an administrator on the site then contact the site owner for assistance.

403 Forbidden. A potentially unsafe operation has been detected in your request to this site.

If you see this message it means Wordfence has blocked you for violating a firewall rule. If you are an administrator on the site, check the “Tools” > “Live Traffic” page feed and locate the request that was blocked. If you are sure that the request is safe and should not be blocked, you can add the blocked request to the allowlist. If you are not an administrator on the site then contact the site owner for assistance.

403 Forbidden. WHAT? Why am I seeing this?

If you see this message it means that your IP address is on the Wordfence “Real-Time IP Blocklist”. This blocklist contains the top number of IP addresses that are currently engaged in attacks on WordPress sites. The page provides you with a form you can use to make a report if you think you should not have been blocked. Even if you are not doing anything bad, other people using the same IP address may be. In the vast majority of cases, we will therefore not remove your IP address from the blocklist. We recommend that you reach out to your Internet Service Provider or VPN provider so that they can track down the source of the malicious traffic coming from the IP address that you are using.

Forcefully regain access to your site

If you have lost access to your site and cannot use any of the fixes above, you can deactivate Wordfence via the file system. You can do that as follows:

  • Connect to your server using the method you normally use to upload files. Most people either use FTPS or SFTP to do this.
  • Use your hosting control panel file manager to rename the Wordfence folder located in “wp-content/plugins/wordfence”.

The above procedure will immediately deactivate Wordfence, so if Wordfence is the blocking agent, you should now be unblocked. If you are still seeing a message from Wordfence that you are locked out, make sure you disable any caching plugins like W3 Total Cache, or clear their cache. If you cannot access the site to disable the caching plugin, you may have to temporarily rename the caching plugin directory to disable it. You may also have to clear any caches on a front-end caching proxy if you have an advanced configuration.

In the highly unusual case that you do not have access to your own files on your server, you will need to log a support call with your web hosting company or whoever manages your server and ask them to rename the “wp-content/plugins/wordfence” directory.
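On hosts that offer shell (SSH) access, the same rename can be done from the command line. The script below is an added example, not part of the Wordfence documentation; the “.disabled” suffix, the function names, and the wf-toggle.sh file name are assumptions of this example.

```sh
#!/bin/sh
# Added example: toggle Wordfence by renaming its plugin directory.
# Assumptions (not from Wordfence): shell access to the server, the
# ".disabled" suffix, and these function names.
# Usage: sh wf-toggle.sh disable|restore|state /path/to/wordpress

wf_dir() { printf '%s/wp-content/plugins/wordfence' "$1"; }

# Report whether the plugin directory is in place, renamed, or absent.
wf_state() {
    live=$(wf_dir "$1")
    if [ -d "$live" ]; then echo active
    elif [ -d "$live.disabled" ]; then echo disabled
    else echo missing
    fi
}

# Rename wordfence -> wordfence.disabled, which deactivates the plugin.
wf_disable() {
    live=$(wf_dir "$1"); parked="$live.disabled"
    [ -d "$live" ] || { echo "not found: $live" >&2; return 1; }
    # Never clobber an earlier renamed copy.
    [ ! -e "$parked" ] || { echo "already exists: $parked" >&2; return 2; }
    mv -- "$live" "$parked" && echo "renamed to $parked"
}

# Rename back to the original name. Do this only after the firewall has
# been disabled with Wordfence Assistant, or the lockout may return.
wf_restore() {
    live=$(wf_dir "$1"); parked="$live.disabled"
    [ -d "$parked" ] || { echo "nothing to restore: $parked" >&2; return 1; }
    [ ! -e "$live" ] || { echo "already exists: $live" >&2; return 2; }
    mv -- "$parked" "$live" && echo "restored $live"
}

# Run a sub-command only when one is given, so the file can also be sourced.
case "${1:-}" in
    disable|restore|state) "wf_$1" "${2:-.}" ;;
esac
```

Running the state sub-command first confirms that the path you passed is the WordPress root before anything is renamed.
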

How to reactivate Wordfence once you have regained access:

Once you have disabled Wordfence by renaming the Wordfence plugin directory, if you rename the directory back to the original name, you may be locked out again. Here is how to prevent this from happening:

  • Don’t rename the Wordfence directory back to the original name yet.
  • Install the “Wordfence Assistant” plugin. You can find it by going to “Plugins” > “Add New”. Then do a search for “wordfence assistant” without quotes. You can also obtain it from the official WordPress plugin repository.
  • Activate the plugin.
  • Go to the “WF Assistant” menu.
  • Click the button to disable the Wordfence firewall.

Now you can rename the Wordfence directory back to the original name and you will not be locked out. Once Wordfence has been reactivated, disable or adjust the feature in Wordfence that locked you out.

Then reactivate the Wordfence firewall by going to the Wordfence “Firewall” > “Firewall Options” page. Change the “Web Application Firewall Status” to “Enabled and Protecting”. Turn on “Enable Rate Limiting and Advanced Blocking” in the “Rate Limiting” section, and then hit the “Save Changes” button.

Next, on the “Firewall Options” page, click on the “Optimize the Wordfence Firewall” button and follow the steps provided.

You can then optionally uninstall the Wordfence Assistant plugin.