
Wordfence "Your access to this site has been limited" (403)

Wordfence blocked your IP after a rule trigger, failed logins, or rate limiting, returning a 403 lockout page instead of the site.

What you see

Your access to this site has been limited by the site owner
Your access to this service has been limited. (HTTP response code 403)
If you think you have been blocked in error, contact the owner of this site for assistance.

What’s actually happening

You — or a real visitor — get a 403 page from Wordfence instead of the site or the login screen. It usually hits after repeated failed logins, tripping a firewall rule, or simply browsing too fast and crossing a rate limit. The page often shows a reason and sometimes a Wordfence block ID. The nasty version is locking yourself out of wp-admin, so you cannot reach the plugin to undo it.

Common causes

  • Too many failed login attempts, which Wordfence's brute-force protection locks out by IP
  • A firewall rule match — a request that looked like SQLi/XSS/a malicious scan, sometimes a false positive on a legitimate request
  • Rate limiting: crawling or hitting pages faster than the configured threshold (also catches aggressive bots and some legit crawlers)
  • "Immediately block fake Google crawlers" or a country/IP-range block catching a real user (or you, on a dynamic IP)
  • A stale browser session or changed IP after Wordfence already flagged the previous one

How to fix it

  1. If you can still reach wp-admin, unblock from the dashboard. Go to Wordfence -> Blocking (and Tools -> Live Traffic) to see who is blocked and why. Remove the block on the affected IP, or add it to the allowlist under Wordfence -> All Options -> Allowlisted URLs / Allowlisted IP addresses so it does not get re-blocked. Note the rule that fired so you can tune it.
  2. If you are locked out, disable Wordfence over SFTP. Connect by SFTP/SSH or the host file manager and rename /wp-content/plugins/wordfence to wordfence_off. That deactivates the plugin immediately and clears the lockout so you can log in. Rename it back once you are in and have fixed the setting — WordPress will reactivate it.
  3. Confirm your own IP and reset it. Check your current public IP (whatismyipaddress.com). If you are on a dynamic/residential IP, your address may have changed; allowlist the range or your office static IP. For a hard lockout you can also truncate the Wordfence block tables (wfBlocks7 / wfLiveTrafficHuman) in the database via phpMyAdmin, but the folder-rename method is safer.
  4. Tune the rules that caused it. Loosen overly aggressive settings: raise rate-limit thresholds, turn off "block fake Google crawlers" if it is catching real traffic, and set login-security lockout counts to something sane. For a known integration (a page builder, a payment callback) allowlist its URL or use Learning Mode before re-enabling the firewall.
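
When wp-admin and Live Traffic are out of reach, the web server's access log can suggest which of the common causes led to the block before you tune anything. The following is an added example, not part of the original page or Wordfence's own code: the `triage` function, its thresholds, its cause labels and the sample log lines are constructed for illustration, and it assumes combined log format and that a failed WordPress login returns 200.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format: ip, timestamp, method, path, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def _line(ip, sec, method, path, status):
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(5)]
    + [_line("203.0.113.7", 6, "GET", "/wp-login.php", 403)]
    + [_line("198.51.100.9", s, "GET", f"/page/{s}/", 200) for s in range(40)]
    + [_line("198.51.100.9", 41, "GET", "/page/41/", 403)]
    + [_line("192.0.2.44", s, "GET", "/?s=test", st) for s, st in ((3, 200), (4, 403))]
)

def triage(log_text, ip, login_limit=5, per_minute_limit=30):
    """Suggest why `ip` was blocked, from its requests before the first 403."""
    # Both limits are hypothetical defaults: use the values from your own Wordfence options.
    login_posts, per_minute, blocked = 0, Counter(), False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) != ip:
            continue
        _, stamp, method, path, status = m.groups()
        if status == "403":          # first block page served to this IP
            blocked = True
            break
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        per_minute[when.replace(second=0)] += 1
        # Assumption: a failed login re-renders the form with 200; success is a 302.
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            login_posts += 1
    peak = max(per_minute.values(), default=0)
    if not blocked:
        cause = "not-blocked"
    elif login_posts >= login_limit:
        cause = "failed-logins"
    elif peak >= per_minute_limit:
        cause = "rate-limit"
    else:
        cause = "firewall-rule-or-ip-block"
    return {"cause": cause, "login_posts": login_posts, "peak_per_minute": peak}
```

Treat the result as a hint only; the reason shown on the block page or in Live Traffic tells you which rule actually fired.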

Stop it recurring

Allowlist your own admin IP, keep rate limits realistic for your real traffic, and use Learning Mode after install so the firewall does not block legitimate requests.
