You’ve been able to log in to this site just fine before, and you probably do it every day. But now, for some random reason, you’re blocked from logging in today.
You’re seeing the 503 screen so you know the culprit is Wordfence. But Wordfence is one of the best WordPress security plugins, so why is this happening?
We’ll tell you how to log back in and get on with your day as if nothing happened. Trust us, we’ve got your back and we promise it’s going to be fine.
In this article, we’re going to cover everything you need to know to fix this issue, including why it happened in the first place and some tips to prevent it from happening again.
The quickest way to unblock yourself is to deactivate the Wordfence plugin on your site. Log into cPanel or use FTP to go into the wp-content folder, and rename the plugins folder. Once you’ve gotten unblocked, log into wp-admin and install MalCare to protect your site. You’ll never have to read this article again.
Wordfence has blocked your access to a site that you manage, which is definitely not good news. You’ve got important work to do and need to log in, but that annoying 503 error just won’t budge.
In an ideal world, your security plugin should be smart enough to realize that you’re not launching a malicious attack and grant you access to your own site without any hassle. And even if there was an error, it should be a quick fix. Unfortunately, Wordfence fails on both these counts.
We, of all people, get that security is crucial, but it shouldn’t be such a headache. For top-notch security that won’t leave you scouring for solutions like this, we highly recommend a security plugin like MalCare. We’ll talk about why this is a good solution later. But, for now, let’s talk about how to fix it.
How to unblock yourself?
There are a few reasons why Wordfence may have blocked you, some solutions may work for you but not others. In this section, we’ve broken down the different scenarios and provided solutions for each.
Option 1: Follow block screen instructions
If it is a temporary block, then you can click on the link on the block page.
Add your email address and click Send Unblock Email. This will send you an email with links, and instructions on how to get unblocked. This typically works if the reason you’ve been locked out is for too many login attempts or the wrong username.
However this does not work all of the time, because there can be delays in receiving the email.
Option 2: Contact site owner or admin
Ask the owner or somebody else who has access to the site to unblock you from the admin panel.
Option 3: Change your IP address
If that doesn’t work, you will have to connect to a VPN and change your IP address. You can then refresh the page and try to login again. If you don’t have access to a VPN, try this on a mobile device. But, don’t use your WiFi.
Option 4: Deactivate Wordfence via FTP
If you’re unable to receive emails, are the owner or don’t have access to a VPN, you will have to deactivate Wordfence using an FTP client like Filezilla or Cyberduck using the following steps:
- First, open Cyberduck and connect to your website’s server using your FTP credentials. These credentials will be found on your hosting site.
- Once you’re connected, navigate to the directory where your WordPress site is installed. This is usually in the “public_html” folder or a subdirectory of it.
- Look for the “wp-content” folder and open it. Inside, you should see a folder named “plugins”. Double-click to open it.
- Locate the folder named “wordfence” and right-click on it. Select “Rename” from the menu that appears.
- Change the name of the “wordfence” folder to something like “wordfence-old” or “wordfence-disabled”. This will effectively deactivate the Wordfence plugin on your site.
If you are the admin and don’t have FTP access to your site, unfortunately, you will need to contact whoever does have access. This could be a developer or agency who built the site, or the hosting company. Expect this process to take a while to get sorted out.
Option 5: Clear the cache
If you’re still seeing a blocked page after deactivating Wordfence, it might be a caching issue as well. In that case, use the FTP client to deactivate your caching plugin, in the same way you did with Wordfence, and try again.
If none of the solutions above work, reach out to Wordfence support.
How to prevent Wordfence from blocking your access to the site?
Great, you’ve regained access to your site! We would recommend you skip the hassle of this section and just install MalCare instead. But, if you would still like to use Wordfence, here are the ways to stay unblocked.
Go to Wordfence firewall settings and add your IP to the allowlist. Keep in mind that most people have dynamic IPs that change frequently, so this may not be a foolproof system.
Ensure that you have the correct IP for your device and that Wordfence is detecting IPs accurately, especially if you’re using Cloudflare’s firewall (Read: Sucuri vs Cloudflare).
If you’re having issues, try changing the “How does Wordfence get IPs” setting to “Use the X-Forwarded-For-HTTP header” instead of the default option.
Test various options to see which setting works best for your site.
Note that if your IP is dynamic, an attacker’s IP is also likely to be dynamic. So, if you allowlist your IP, there’s a small chance that an attacker may be able to access your site. The probability may be low, but not zero.
Remove brute force protection
While we strongly advise against this course of action due to the importance of brute force protection. If you’re experiencing repeated lockouts caused by incorrect usernames, you can temporarily disable this setting by unchecking it in your wp-admin.
Install Wordfence Assistant
Install the Wordfence Assistant plugin and then Disable Wordfence Firewall, Clear All Blocked Out Wordfence IPs, and Advanced Blocks. Then you can reactivate the Wordfence plugin using your FTP client. You need to rename the folder to wordfence once again.
Why is Wordfence blocking me?
Now that the stress of losing access to your site has subsided, let’s rewind the tapes and find out what happened. Why is Wordfence blocking your site in the first place?
- Incorrect login attempts: Wordfence blocks access if there are too many failed login attempts from a particular IP or user account to prevent brute force attacks.
- Malicious activity: Suspicious activity such as attempts to inject malicious code or access sensitive files can trigger a block to prevent further damage.
- Blacklisted IP address: If a user’s IP is on Wordfence’s list of suspicious or malicious IPs, they may be blocked from accessing the website.
- Firewall rules: Wordfence’s firewall blocks known threats and suspicious requests. Users may be blocked if their request matches one of these rules.
- Compromised passwords: If your password has been leaked or is the same as a breached password, Wordfence may lock you out.
- False positives: Wordfence may mistakenly block a user due to a misconfiguration or mistakenly flagging their activity as suspicious.
A security plugin that throws up false positives is not a reliable way to secure your site. It is very difficult to distinguish false positives from real threats, even for WordPress experts.
Because of its trigger-happy approach to security, Wordfence may occasionally block other services such as search engine bots due to “too many requests.”
You can argue that one cannot be too safe. However, false positives lead people to be less vigilant and therefore become lax when a real threat is on the horizon.
Alternatives to Wordfence
While security is important for your website, Wordfence sometimes creates more problems than it solves. Apart from the fact that it blocks out legitimate administrators of a site, its security features have been known to cause performance issues. All in all, we recommend you ditch Wordfence and find an alternative that works far better.
MalCare is the best alternative to Wordfence. It is a comprehensive security plugin that includes a scanner and firewall like Wordfence, but with additional features such as automatic malware removal and a team of experts available to assist you. Not only that, but MalCare’s scanner and firewall are superior to those offered by Wordfence, providing better protection for your website.
More importantly, you can rest assured that MalCare will protect your site without locking you out ever. You don’t need to whitelist your IP nor will you accidentally lock yourself out with too many incorrect login attempts. These checks and balances are built into MalCare, keeping in mind that websites are run by actual people.
Overall, switching to MalCare can offer significant benefits for your website’s security.
We all know how crucial site security is, but it shouldn’t be getting in the way of your productivity, right?
Wordfence is a great free security plugin, but it has equally big issues.
That’s why we suggest making the switch to MalCare. With MalCare, you can put your focus on the things that really need your attention and not have to worry about any security obstacles.
How long does Wordfence lock you out?
The duration of the lockout period by Wordfence can vary and depends on the specific settings configured by the site owner or administrator. It could be a few minutes, several hours, or even longer in some cases.
How do I fix Wordfence?
There are several steps you can take to fix Wordfence if it has caused issues with your site. Here are a few suggestions:
- Clear your browser’s cache and cookies and try logging in again.
- Disable Wordfence temporarily to see if it is the root cause of the issue. If it is, try adjusting the plugin’s settings to resolve the issue.
- Check your Wordfence settings to ensure that they are not overly restrictive or causing any conflicts with other plugins or themes on your site.
- If you are still experiencing issues, reach out to the Wordfence support team for assistance.
- Deactivate Wordfence and install a better security plugin like MalCare.
How do I disable the Wordfence firewall?
To disable the Wordfence firewall, you can follow these steps:
- Log in to your WordPress dashboard.
- Navigate to the “Wordfence” menu and select “Firewall”.
- In the “Firewall Status” section, click on the “Turn Off” button.
- Wordfence will prompt you to confirm that you want to turn off the firewall. Click on “Yes” to proceed.
- The Wordfence firewall is now disabled.
Keep in mind that disabling the firewall may leave your site vulnerable to attacks, so be sure to re-enable it as soon as possible or consider other security measures to protect your site.
Does Wordfence slow down your site?
Yes. Wordfence does slow down your site. The scanner takes up far too much server resources and the firewall doesn’t stop all the bots and malware that affect your site speed. We recommend installing a different security plugin like MalCare.
Why am I being blocked by Wordfence?
There could be several reasons why Wordfence is blocking your access to a site. Here are some common causes:
- Suspicious activity: Wordfence may block your access if it detects suspicious activity on your site, such as multiple failed login attempts, a high volume of requests from a single IP address, or an attempt to exploit a known vulnerability.
- Blacklisted IP address: If your IP address is blacklisted by Wordfence, you may be blocked from accessing the site. This could happen if your IP address has been associated with spamming, hacking, or other malicious activities in the past.
- Firewall settings: If Wordfence’s firewall settings are configured to be overly restrictive, you may be blocked from accessing the site. This could happen if the plugin is set to block access to certain countries or IP addresses.
What is error 503 in Wordfence?
Error 503 is a temporary server unavailability status code in HTTP. Wordfence may trigger this error due to suspicious activity or security concerns, blocking user access to a site. The plugin may detect high traffic, failed login attempts, or other malicious activity, or may be set to block access to certain countries or IPs. To fix it, check Wordfence’s logs and settings to identify the cause and adjust the plugin’s settings, or contact Wordfence’s support team for assistance.
What is the 503 response in Wordfence?
HTTP status code 503 indicates temporary server unavailability. Wordfence may trigger this error due to security concerns and suspicious activity, resulting in user access blockage.
Suspicious activity includes high traffic, failed login attempts, and malicious activity. Additionally, the plugin may block access to certain countries or IPs. Troubleshoot the issue by examining Wordfence’s logs and settings, adjusting the plugin’s configuration, or contacting Wordfence’s support team for assistance.
Can I disable Wordfence?
Yes. You can disable Wordfence easily. To deactivate the plugin, go to the “Plugins” section, locate Wordfence, and click on the “Deactivate” option. This will turn off the plugin’s functionality, including its firewall, malware scanner, and other security features.
Alternatively, you can manually remove the Wordfence files by connecting to your website’s server using an FTP client. Navigate to the “wp-content/plugins” directory and locate the Wordfence folder. Right-click on the folder and select “Delete” to remove it from your site.