Wordfence 503: How to Fix Wordfence Blocking You

You’ve been able to log in to this site just fine before, and you probably do it every day. But now, for some random reason, you’re blocked from logging in today.

You’re seeing the 503 screen so you know the culprit is Wordfence. But Wordfence is one of the best WordPress security plugins, so why is this happening?

We’ll tell you how to log back in and get on with your day as if nothing happened. We will also cover how to fix this issue, why it happened, and tips to prevent it from happening again.

TL;DR: The quickest way to unblock yourself is to deactivate the Wordfence plugin on your site. Log into cPanel or use FTP to go into the wp-content folder, and rename the plugins folder. Once you’ve gotten unblocked, consider looking for Wordfence alternatives which do not lock you out of your own site.

Wordfence has blocked your access to a site that you manage, which is definitely not good news. You’ve got important work to do and need to log in, but that the 503 error just won’t budge.

Alternatively, you could be seeing one of many messages keeping you out of your site:

In an ideal world, your site’s firewall should be smart enough to realise that you’re not launching a malicious attack and grant you access to your own site without any hassle. And even if there was an error, it should be a quick fix. Unfortunately, Wordfence fails on both these counts.

Fix 1: Follow block screen instructions

If it is a temporary block, then you can click on the link on the block page. 

Add your email address and click Send Unlock Email. This will send you an email with links, and instructions on how to get unblocked. This typically works if the reason you’ve been locked out is for too many login attempts or the wrong username. 

However this does not work all of the time, because there can be delays in receiving the email. 

Fix 2: Change your IP address

If that doesn’t work, you will have to connect to a VPN and change your IP address. You can then refresh the page and try to login again. If you don’t have access to a VPN, try this on a mobile device. But, don’t use your WiFi. 

Fix 3: Deactivate Wordfence via FTP 

If you’re unable to receive emails, are the owner or don’t have access to a VPN, you will have to deactivate Wordfence using an FTP client like Filezilla or Cyberduck using the following steps:

1. First, open Cyberduck and connect to your website’s server using your FTP credentials. These credentials will be found on your hosting site. 
2. Once you’re connected, navigate to the directory where your WordPress site is installed. This is usually in the “public_html” folder or a subdirectory of it.
3. Look for the “wp-content” folder and open it. Inside, you should see a folder named “plugins”. Double-click to open it.
4. Locate the folder named “wordfence” and right-click on it. Select “Rename” from the menu that appears.
5. Change the name of the “wordfence” folder to something like “wordfence-old” or “wordfence-disabled”. This will effectively deactivate the Wordfence plugin on your site.

If you are the admin and don’t have FTP access to your site, unfortunately, you will need to contact whoever does have access. This could be a developer or agency who built the site, or the hosting company. Expect this process to take a while to get sorted out.

Fix 4: Clear the cache 

If you’re still seeing a blocked page after deactivating Wordfence, it might be a caching issue as well. In that case, use the FTP client to deactivate your caching plugin, in the same way you did with Wordfence, and try again. 

Fix 5: Install Wordfence Assistant

The Wordfence Assistance plugin is the official tool for these scenarios, and works quite well when simpler troubleshooting fails.

First, disable Wordfence using the FTP method above.

Then, install the Wordfence Assistant plugin on your site.

The plugin will provide a few options: Disable Wordfence Firewall, Clear All Blocked Out Wordfence IPs, and Advanced Blocks. Choose whichever one gets the job done.

Then you can reactivate the Wordfence plugin the same way your deactivated it, using your FTP client. Make sure to rename the folder to wordfence once again.

Fix 6: Remove your IP from the blacklist

One of the many reasons we advise against manually blacklisting an IP is getting locked out of your own site.

IPs are dynamic in nature, and change periodically. Therefore, if you previously blocked an IP, and your system is now using that same IP, Wordfence has blocked you as per your own instructions.

As frustrating as that might be, there is a way around it. Change your IP by using a VPN or proxy to access your site, navigate to the Wordfence settings, and remove all the blacklisted IPs.

If you want to be ultra specific, you can find out your IP first using an online tool, like WhatIsMyIP, and remove only that entry from the list.

Risky option to remove your IP

1. Log into your site’s database manager, often phpMyAdmin or Adminer.
2. Locate the wp_wfblocks7 table, and edit it. Note: If the database prefix is different, you will need to replace wp in the table name to whatever the new prefix is.
3. Delete the row with your IP address from the list.

Wordfence uses this table to store the IP addresses manually blacklisted.

Fix 7: Whitelist CDN IPs

When your site is behind a CDN, Wordfence can misidentify your IP address. It sees the CDN’s server IP instead of your actual device IP. If a single malicious bot hits your site through that same CDN server, Wordfence blocks that IP, effectively locking out you and every other legitimate visitor.

1. Check your detected IP. Go to Wordfence > Tools > Diagnostics. Under the IP Detection section, look at Your IP with this setting. If it doesn’t match your actual IP (check WhatIsMyIP.com), your configuration is broken.
2. Next, navigate to All Options > General Wordfence Options.
   • For Cloudflare users: Select Use the Cloudflare ‘CF-Connecting-IP’ HTTP header. This is the most reliable way to bypass proxy interference.
   • For other CDNs: Select Use the X-Forwarded-For HTTP header.
3. If you use a custom proxy, you must add the CDN’s IP ranges into the Trusted Proxies list so Wordfence knows to trust the IP data coming from those headers.

Fix 8: Contact site owner or admin

Ask the owner or somebody else who has access to the site to unblock you from the admin panel. 

If none of the solutions above work, reach out to Wordfence support. They will provide you temporary access to lift the block, however it is better to

Prevent Wordfence from blocking your access 

Great, you’ve regained access to your site! The reason you were experiencing these hassles in the first place is that Wordfence’s firewall treated you like a threat. A good WordPress firewall can tell the difference between an attack request and a benign one, and therefore that should be your expectation of your site’s security.

Whitelist IPs

Go to Wordfence firewall settings and add your IP to the allowlist. Keep in mind that most people have dynamic IPs that change frequently, so this may not be a foolproof system.

Ensure that you have the correct IP for your device and that Wordfence is detecting IPs accurately, especially if you’re using Cloudflare’s firewall.

If you’re having issues, try changing the “How does Wordfence get IPs” setting to “Use the X-Forwarded-For-HTTP header” instead of the default option.

Test various options to see which setting works best for your site.

Note that if your IP is dynamic, an attacker’s IP is also likely to be dynamic. So, if you allowlist your IP, there’s a small chance that an attacker may be able to access your site. The probability may be low, but not zero.

Remove brute force protection

While we usually advise against this course of action due to the importance of brute force protection. If you’re experiencing repeated lockouts caused by incorrect usernames, you can temporarily disable this setting by unchecking it in your wp-admin.

🚨 Just to be clear: brute force protection is important for a site. Even if a hacker’s bot fails to gain access to your site, the repeated attempts on the login page will use a ton of site resources.

Why is Wordfence blocking me? 

Now that the stress of losing access to your site has subsided, let’s rewind the tapes and find out what happened. Why is Wordfence blocking your site in the first place?

⚠️ A security plugin that throws up false positives is not a reliable way to secure your site. Because of its hair-trigger approach to security, Wordfence may occasionally block other services such as search engine bots due to “too many requests.” You can argue that one cannot be too safe. However, false positives lead people to be less vigilant and therefore become lax when a real threat is on the horizon. It is far better to opt for a firewall that only blocks attacks and lets legitimate users in without a problem.

1. Incorrect login attempts: Wordfence blocks access if there are too many failed login attempts from a particular IP or user account to prevent brute force attacks.
2. Malicious activity: Suspicious activity such as attempts to inject malicious code or access sensitive files can trigger a block to prevent further damage.
3. Blacklisted IP address: If a user’s IP is on Wordfence’s list of suspicious or malicious IPs, they may be blocked from accessing the website.
4. Firewall rules: Wordfence’s firewall blocks known threats and suspicious requests. Users may be blocked if their request matches one of these rules.
5. Compromised passwords: If your password has been leaked or is the same as a breached password, Wordfence may lock you out.
6. False positives: Wordfence may mistakenly block a user due to a misconfiguration or mistakenly flagging their activity as suspicious.
7. CDN and proxy header mismatches: Another cause for sudden blocks is the Misconfigured Visitor IP setting. If your host recently enabled a CDN (like Cloudflare), Wordfence might see the CDN’s IP address instead of yours. If one person on that CDN is blocked, everyone behind that IP, including you, gets locked out.

Alternatives to Wordfence

Blocked admin is one of the many reasons people look for alternatives to Wordfence. While security is important for your website, Wordfence sometimes creates more problems than it solves; because it is not a set-and-forget option.

Apart from the fact that it blocks out legitimate administrators of a site, its security features have been known to cause performance issues.

💡 MalCare Security stands out as the best option for hands-free, error-free security. It is a comprehensive security plugin that includes a scanner and firewall like Wordfence, but with additional features such as automatic malware removal and a team of experts available to assist you. Not only that, but MalCare’s scanner and firewall identify and protect from threats, without burdening site resources.

More importantly, you can rest assured that MalCare will protect your site without locking you out ever. You don’t need to whitelist your IP nor will you accidentally lock yourself out with too many incorrect login attempts. These checks and balances are built into MalCare, keeping in mind that websites are run by actual people. 

Overall, switching to MalCare can offer significant benefits for your website’s security.

Final thoughts

While Wordfence provides a robust endpoint firewall, it operates by utilising your server’s CPU for every scan and firewall check, which can lead to 503 errors during high traffic. For a solution that moves this processing load away from your server, you may want to look at cloud-based alternatives. You can find a detailed, objective breakdown of how these architectures differ in our guide to Wordfence alternatives.

We all know how crucial site security is, but it shouldn’t be getting in the way of your productivity, right? 

Wordfence is a great free security plugin, but it has equally big issues. We suggest making the switch to MalCare. With MalCare’s firewall, you can put your focus on the things that really need your attention and not have to worry about any security obstacles.

FAQs