For those of you who have run into this before, you know exactly what to do, but for those of you who have never seen a Forbidden when working with your WordPress installation, it may freak you out for a short second. Here’s what’s going on when you try to log into your http://site.com/wp-admin WordPress Login and get a dreaded 403 Forbidden Error.
More than likely, your .htaccess file has changed. If you didn’t do this manually, there’s a good chance your hosting provider did this to you. They did it on purpose, but for good reason. Providers have different ways of handling this, you’ll see different scripts, but here’s my provider’s response.
NOTE: You’ll find it when you open up the .htaccess file at your root or home\username, NOT at the www\ of your site.
# The following lines have been put in place by your hosting provider as your site was under a brute force dictionary attack.
# You can provide yourself access to the wp-admin by adding an “Allow from” line with your IP address before the “Deny from all” line.
# If you need to allow multiple users in you can remove the following lines entirely if you need or you can add multiple “Allow from” lines.
# If you have any questions about this at all, do please get with your hosting provider for support.
# Uncomment the following line and change the number to your IP address. You can find your IP address at http://www.whatismyip.php/
#Allow from 123.456.789.012
Deny from all
# End of brute-force block. If you do wish to remove the block entirely do not remove beyond this line.
To fix this, you can either delete this entirely and trust that you won’t be brute forced again, or you can be smart and add your IP Adress to the allowed list.
- Find the line that says #Allow from 123.456.789, etc and remove the #
- Head to www.whatismyipaddress.com and get your local IP Address
- Add your IP Address after “Allow from…”
- Done! Refresh and blam. You’re all set.
To add multiple addresses, you can just put a space after each one on the “Allow from…” line.
Good Luck. Cheers!