What is Wordfence?
Wordfence is a security plugin for WordPress. It provides various features and configuration options for site owners to protect their sites from intrusion.
If you locked yourself out
The following instructions are for site owners. If you are trying to regain access to a site that you do not manage, please contact the site owner for access.
First, please make sure that it’s actually Wordfence that is locking you out of your site. There are many plugins that offer a “lock out” feature. See the “Block Reasons” section below to determine if you were blocked by Wordfence. If you post on the forums for assistance, make sure you include the “Reason: [explanation]” text or a screenshot of the locked-out page so that we can tell you what to change to prevent getting locked out in future.
You are temporarily locked out
If you see this message, it means your IP address has been blocked because the login attempt violated a Brute Force rule in Wordfence. You may have attempted a login with an invalid username or you may have made more attempts to log in than are allowed. You will be locked out for the time period the site owner has specified in Wordfence’s “Brute Force Protection” options. If you are an admin on the site, use the function provided on the “You are temporarily locked out” page to regain access to your site. If you are not an admin on the site, contact the site owner for assistance.
Your login attempt has been blocked because the password you are using exists on lists of passwords leaked in data breaches.
If you see this message when trying to log in to your site, it’s because we’ve found your password on a list of breached credentials. When big websites are breached, user data is sometimes leaked, including passwords. These leaks are used to compile lists of passwords. Malicious actors run bots that make large numbers of login attempts on WordPress websites using those passwords. There are several scenarios in which you are at risk:
1. Your password may by pure coincidence be the same as one on such a list. Bots will try these passwords on a variety of sites and may eventually find a match on your site.
2. If you are using the same email or username-password combination on your WordPress website as you have used on other sites in the past and those credentials were at some point leaked, only one attempt may be needed to breach your site.
If you are an admin using a leaked password, you may see a notice in WordPress on all admin pages prompting you to change your password. Please change your password to a safe password immediately. Otherwise, as soon as your IP changes (which can happen under many different circumstances), you will be locked out of your site as described above.
You can enter your email address here to see if it has appeared in leaks: https://haveibeenpwned.com/
For your security, we will block any attempts to log in with passwords that exist on breached password lists. You can regain access to your site by resetting your password and choosing a new, strong password. If another plugin or your theme prevents password resets on your site, you can also temporarily disable Wordfence, log in, and then change your password. (See “Forcefully regain access to your site” below.)
It’s possible to disable this feature in Wordfence. Read more about the option here.
You can also read more about why we implemented this feature on our blog.
Your access to this site has been limited
If you see this message, it means your IP address has been blocked by the Wordfence Firewall because of an option configured by the site owner. On the page you will see a “Reason” describing why you were blocked. If you are an admin on the site, you can use this reason to adjust your Wordfence settings. This may be Country Blocking or Rate Limiting. If you are not an admin on the site, contact the site owner for assistance.
403 Forbidden. A potentially unsafe operation has been detected in your request to this site.
If you see this message, it means Wordfence has blocked you for violating a Firewall rule. If you are an admin on the site, check “Live Traffic” and locate the request that was blocked. If you are sure that the request is safe and should not be blocked, you can whitelist the action from there. If you are not an admin on the site, contact the site owner for assistance.
403 Forbidden. WHAT? Why am I seeing this?
If you see this message, it means your IP address is on the Wordfence IP Blacklist. This blacklist contains the most active IP addresses that are currently engaged in attacks on WordPress websites. The page provides you with a form you can use to make a report if you think you should not have been blocked. Even if you are not doing anything bad, other people using the same IP address may be. In the vast majority of cases we will therefore not remove your IP from the blacklist. We recommend that you reach out to your Internet Service Provider so that they can track down the source of the malicious traffic coming from your IP address.
Forcefully regain access to your site
If you have lost access to your site and cannot use any of the fixes above, you can deactivate Wordfence via the file system. You can do that as follows:
- Connect to your server using the method you normally use to upload files. Most people use either FTP or SFTP to do this.
- Rename the Wordfence folder located in wp-content/plugins/wordfence/.
The above procedure will immediately deactivate Wordfence, so if Wordfence is the blocking agent, you should now be unblocked. If you are still seeing a message from Wordfence that you’re locked out, make sure you disable any caching plugins like W3 Total Cache, or clear their cache. If you can’t access the site to disable the caching plugin, you may have to temporarily rename the caching plugin directory to disable it. You may also have to clear any caches on a front-end caching proxy if you have an advanced configuration.
In the highly unusual case that you don’t have access to your own files on your server, you will need to log a support call with your web hosting company or whoever manages your server and ask them to rename the wp-content/plugins/wordfence folder.
How to reactivate Wordfence once you’ve regained access:
Once you have disabled Wordfence by renaming the folder, if you rename the folder back to the original name, you may be locked out again. Here is how to prevent this from happening:
- Don’t rename the Wordfence folder back to the original name yet.
- Install the Wordfence Assistant plugin. You can find it by going to Plugins and Add New. Then do a search for “wordfence assistant” without quotes. You can also find it on this page in the official Wordfence plugin repository.
- Activate the plugin.
- Go to the “WF Assistant” menu.
- Click the button to disable the Wordfence firewall.
Now you can rename the Wordfence folder back to the original name and you won’t be locked out. Once Wordfence has been reactivated, disable or adjust the feature of Wordfence that locked you out. Then reactivate the Wordfence firewall by going to the Wordfence options page, checking the box to activate the firewall and hitting Save. You can then optionally uninstall the Wordfence Assistant plugin.
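The rename and rename-back steps above, as an added shell example for site owners who have SSH access instead of FTP or SFTP (not part of the original instructions and not Wordfence's own code). The function names and the `.disabled` suffix are choices made for this example; the same functions work for a caching plugin folder that has to be renamed temporarily.

```shell
#!/bin/sh
# Added example: deactivate or restore a plugin by renaming its directory.
# DISABLED_SUFFIX and all function names are choices made for this example.
DISABLED_SUFFIX=".disabled"

# Print the plugin directory path for WP_ROOT ($1) and plugin folder name ($2).
_plugin_path() {
    wp_root=$1 slug=$2
    # Accept only a plain folder name so the rename cannot leave plugins/.
    case $slug in
        ''|*/*|.*) echo "invalid plugin folder name: $slug" >&2; return 2 ;;
    esac
    if [ ! -d "$wp_root/wp-content/plugins" ]; then
        echo "no wp-content/plugins under $wp_root" >&2; return 2
    fi
    printf '%s\n' "$wp_root/wp-content/plugins/$slug"
}

# Report whether the folder is present, renamed by this script, or absent.
plugin_state() {
    path=$(_plugin_path "$1" "$2") || return $?
    if [ -d "$path" ]; then echo present
    elif [ -d "$path$DISABLED_SUFFIX" ]; then echo renamed
    else echo absent
    fi
}

# Rename the folder so WordPress no longer loads the plugin.
disable_plugin() {
    path=$(_plugin_path "$1" "$2") || return $?
    [ -d "$path" ] || { echo "not found: $path" >&2; return 1; }
    [ ! -e "$path$DISABLED_SUFFIX" ] || { echo "refusing to overwrite $path$DISABLED_SUFFIX" >&2; return 1; }
    mv -- "$path" "$path$DISABLED_SUFFIX"
}

# Rename the folder back. Do this only after the Wordfence firewall has been
# disabled through Wordfence Assistant, or the lockout may return.
restore_plugin() {
    path=$(_plugin_path "$1" "$2") || return $?
    [ -d "$path$DISABLED_SUFFIX" ] || { echo "nothing to restore for $2" >&2; return 1; }
    [ ! -e "$path" ] || { echo "already exists: $path" >&2; return 1; }
    mv -- "$path$DISABLED_SUFFIX" "$path"
}

# Usage (the WordPress root here is a constructed example path):
#   disable_plugin /var/www/html wordfence
#   restore_plugin /var/www/html wordfence
```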