Sorry, You Are Not Allowed to Access This Page: Fix the WordPress wp-admin Lockout (2026)

Key facts at a glance

WordPress admin lockout in 2026

Last updated June 30, 2026

What it actually is: A WordPress capability failure, not a server error. WordPress core shows this styled message when a permission check decides your account lacks the capability the page needs. The site is running fine, so the fix is about your role, not your server.
The most common single cause: A database table prefix mismatch. Your role is stored under a key that includes the prefix, wp_capabilities, so if the prefix in wp-config does not match the tables, WordPress cannot find your role and treats you as having none.
Tell it apart from a 403: If the page is styled like WordPress and uses this exact sentence, it is a capability problem. A bare 403 Forbidden from the server is a different issue, fixed at the .htaccess and permissions layer.
When a plugin is to blame: Security, membership, and role-editor plugins filter capabilities through hooks like user_has_cap. A bug or bad save can strip every admin at once. Deactivate by renaming the plugins folder.
How to get back in: Work from outside the dashboard, because the admin login is what is broken. Create a fresh administrator with WP-CLI wp user create, or repair your role in phpMyAdmin.
The admin role value: An administrator capabilities row stores the serialized value a:1:{s:13:"administrator";b:1;}. Restoring that for your user, under the right prefix, gives the role back.

Source: the WordPress Roles and Capabilities documentation, the wp-config.php API reference for the table prefix, the WP-CLI user commands, the user_has_cap hook reference, and our hands-on admin-lockout repairs. Get a quote in 60 seconds →

What the message really means

The first thing to understand is who is speaking. Sorry, you are not allowed to access this page is a message WordPress prints itself, in its own plain error style, when a request reaches an admin page and fails a capability check. WordPress runs a permission test for the action you are trying to take, the test returns no, and WordPress stops the request with this sentence. That tells you something useful right away. WordPress loaded. PHP ran. The database answered. The site got all the way to a working permission check before deciding you were not allowed. The platform is healthy. The thing that is wrong is the answer to one question: does this user have the capability this page requires.

In WordPress, what you can do is governed by roles and capabilities. An administrator role carries the capabilities that unlock wp-admin, and those capabilities are stored in the database against your user. When the message appears for someone who should be an administrator, it means WordPress could not confirm you hold the capability, almost always because it could not find your role where it expected it, or because something rewrote your role to remove it. That is why the fixes all circle the same few places: the stored role, the prefix WordPress uses to locate that role, and any plugin that intercepts the capability check.

Because the failure is a capability decision rather than a server refusal, you do not fix it by touching files permissions or server rules. You fix it by correcting what WordPress knows about you, and you do that from outside the dashboard, since the dashboard is exactly what is locked. The rest of this page works through the handful of reasons WordPress loses track of your role, how to tell this apart from a server 403 that uses similar words, and the concrete ways to get back in.

WordPress message vs server 403

This is the single distinction that saves you from fixing the wrong layer, and most guides skip it. Two different things can stop you from reaching wp-admin, and they look superficially similar but have nothing in common under the hood.

The WordPress capability message

The page is styled like WordPress and reads Sorry, you are not allowed to access this page. WordPress ran and a permission check failed. The cause is your role, the table prefix, or a plugin filtering capabilities. The fix is in the database and plugins, never the server.

A server 403 Forbidden

The page is a bare Forbidden error from the server or host, not WordPress styling. Apache, Nginx, or a firewall like mod_security blocked the request before WordPress ran. The cause is .htaccess rules, file permissions, or a security service. The fix is at the server layer.

If you are not sure which you have, look at the styling and the exact words. WordPress writes the full apologetic sentence in its own simple error page. A server 403 usually just says Forbidden or 403 and looks like a host error. The rest of this page is about the WordPress capability message. If yours is a server 403, the section below on restoring .htaccess and permissions is your starting point instead.

Which symptom matches yours

Find the row that matches what you see and when it started. Each one points to a specific cause and fix.

Symptom	Most likely root cause
The WordPress-styled message appears across all of wp-admin and you cannot get in	A capability failure, not a server block. Most often a table prefix mismatch or a lost administrator role. Repair the prefix or restore the role from outside the dashboard.
It started right after you changed the database table prefix	The capability meta keys still use the old prefix while wp-config now uses the new one, so WordPress cannot find your role. Make the prefix and the meta keys agree.
It started right after a plugin update or a role-editor change	A security, membership, or role-editor plugin stripped capabilities through a capability filter or a bad save. Deactivate plugins by renaming the plugins folder, then find the one responsible.
Only one admin screen shows it, the rest of wp-admin works	That screen needs a capability your role lacks, or a plugin restricts it. If your role should have it, it is a narrower version of the missing-capability problem.
It only appears when saving in the block editor, not on page load	A REST API request rejected over a stale nonce served from cache, not a role problem. This is the editor-save issue, covered on the publishing-failed page.
A bare 403 Forbidden page that is not styled like WordPress	A server-level block from .htaccess, file permissions, or mod_security, before WordPress runs. Restore .htaccess and correct permissions, a different fix path from the capability message.
It appeared after importing a database or on a fresh setup with no admin	The administrator role or your capabilities are not present in the database. Create a clean administrator with WP-CLI or phpMyAdmin to regain access.

The six root causes

Once you have confirmed it is the WordPress message and not a server 403, the lockout is almost always one of these six.

1. A database table prefix mismatch

Your role and capabilities live in the usermeta table under a key that embeds the table prefix, wp_capabilities and wp_user_level by default, and the role definitions live in the options table under wp_user_roles. If the prefix in wp-config.php does not match the real table prefix, or someone renamed the tables without renaming those keys, WordPress looks for your role under the wrong name, finds nothing, and you have no capabilities. This is the most common single cause and it is covered in detail in the next section.

2. Corrupted or missing role capabilities

Even with the right prefix, the capabilities row itself can be wrong. A role-editor plugin, a bad import, or a hand edit can leave your wp_capabilities value empty, set to a lower role, or pointing at a role that no longer exists. WordPress then reads a user with no administrator capability and shows the message. The fix is to restore the administrator role for your user, or create a fresh administrator, which writes a correct capabilities value.

3. A security, membership, or role-editor plugin

WordPress lets plugins filter capabilities at runtime through hooks such as user_has_cap and map_meta_cap. Security plugins, membership plugins, and role editors all use this legitimately, but a bug or a bad setting can answer no to a check that should be yes, and because the filter runs on every request it can lock out all administrators at once after an update. Deactivating plugins, which you can do without the dashboard by renaming the plugins folder, confirms it and points at the culprit.

4. A theme or custom code touching capabilities

Less often, code in the active theme functions.php or a custom snippet calls add_role, remove_role, or a capability filter and gets it wrong, removing capabilities for real users. Switching to a default theme by renaming the active theme folder rules this in or out. If access returns on a default theme, the lockout is in the theme code.

5. A PHP version or memory problem disrupting the check

Occasionally the message is a side effect of a deeper failure. An outdated plugin throwing errors under a newer PHP version, or a memory limit so low that a capability-related plugin half-loads, can leave the permission check in a broken state. If the lockout arrived alongside a host PHP upgrade, look first at the PHP version fix and the debug log, which name the real fault.

6. The block-editor save variant

If the message only appears when you save a post and the rest of wp-admin works, it is not your role at all. The block editor saves over the REST API, and a stale security nonce served from a cache or CDN can get the save rejected as not allowed even for a full administrator. That is the editor-save problem, covered on the publishing failed fix, not a lockout.

The table-prefix trap

This is the cause that catches the most people, often right after a security tweak, so it is worth understanding even if you never touch the database. WordPress stores your role in a clever but fragile way. In the usermeta table, your capabilities are saved under a meta key that is built from the table prefix, so on a default install the key is literally wp_capabilities, and your user level under wp_user_level. The list of roles itself lives in the options table under wp_user_roles. The prefix is baked into all three names.

Now change the prefix and the trap springs. A common piece of security advice is to change the default wp_ prefix to something custom, and several security plugins offer a one-click tool to do it. The tool renames the tables and updates $table_prefix in wp-config.php, but if it does not also rename the prefixed meta keys and the option name, WordPress now looks for newprefix_capabilities and finds only the old wp_capabilities. Your role becomes invisible, your capabilities read as none, and every administrator is locked out with this message. The same thing happens after a migration where the prefix in the config and the prefix in the data drift apart.

The rule that fixes it

Make the prefix in wp-config.php and the data agree. The simplest recovery is to set $table_prefix back to whatever the real tables actually use, which you can read straight off the table names in phpMyAdmin. If you genuinely want the new prefix, then also rename the three prefixed keys, capabilities and user_level in usermeta and user_roles in options, to the new prefix so WordPress can find your role again. The exact SQL is in the fix section.

DIY vs hand it off

A single clear cause with hosting access is a reasonable self-fix. Editing the capabilities row by hand, or several issues at once, is where handing it off saves time and risk. If the left column matches you can likely do this. If the right column matches, get help.

✓

Realistic on your own

✓You can read the real table prefix off phpMyAdmin and set it in wp-config
✓You have SSH and can run a single WP-CLI command to create an admin
✓It started right after a plugin update and disabling plugins is enough
✓You confirmed it is the WordPress message, not a server 403
✓You have a recent database backup before any changes
✓Only one clear cause from the table above

✗

Hand it off, save the time

✗Editing a serialized capabilities value by hand makes you nervous
✗A security plugin changed the prefix and you are not sure what it renamed
✗No backup and you do not want to risk a wrong SQL write
✗Several administrators are locked out and the site is a live store
✗The lockout arrived with a PHP upgrade and plugins are now fataling
✗You cannot tell whether it is the capability message or a server 403

How to diagnose it

Work in this order. The first step decides which half of the problem you have.

Confirm it is the WordPress message, not a server 403

Check the styling and wording. The full sentence Sorry, you are not allowed to access this page in WordPress styling is a capability failure. A bare 403 Forbidden from the server is a different fix path.

Note exactly when it started

A prefix change or a security-plugin tweak points at the table prefix. A plugin or theme update points at a capability filter. A database import points at a missing role. The trigger narrows the cause fast.

Deactivate all plugins without the dashboard

Rename wp-content/plugins to plugins_off over SFTP, or run wp plugin deactivate --all. If access returns, a plugin caused it, so reactivate one at a time to find which.

Switch to a default theme

If plugins were not the cause, rename the active theme folder so WordPress falls back to a default theme. If access returns, the lockout is in the theme functions.php code.

Compare the table prefix to the real tables

In phpMyAdmin, read the actual prefix off the table names, for example wp_posts or xyz_posts, and confirm $table_prefix in wp-config.php matches it exactly.

Inspect your capabilities row

In the usermeta table, find the capabilities meta key for your user and confirm it holds the administrator role. An empty value, a lower role, or the wrong prefix on the key is your cause.

How to fix it

Each branch stands alone. Pick the one your diagnosis pointed to. Back up the database before any SQL, and replace wp_ with your real table prefix in every query.

Fix a table prefix mismatch

The simplest recovery is to point wp-config.php at the prefix your tables actually use, read off the table names in phpMyAdmin.

// In wp-config.php, set this to match your real table names
$table_prefix = 'wp_'; // e.g. 'xyz_' if your tables are xyz_posts, xyz_options

If you really want to keep a new prefix, rename the three prefixed keys so WordPress can find your role under it. Run these in phpMyAdmin, using your new prefix in place of xyz_.

UPDATE xyz_usermeta SET meta_key = 'xyz_capabilities'
  WHERE meta_key = 'wp_capabilities';

UPDATE xyz_usermeta SET meta_key = 'xyz_user_level'
  WHERE meta_key = 'wp_user_level';

UPDATE xyz_options SET option_name = 'xyz_user_roles'
  WHERE option_name = 'wp_user_roles';

Restore the administrator role for your user

Find your user ID, then set the capabilities row back to the administrator role. The serialized value below is exactly what WordPress writes for an administrator.

-- Find your user ID
SELECT ID, user_login FROM wp_users;

-- Restore the administrator role (replace 1 with your ID)
UPDATE wp_usermeta
  SET meta_value = 'a:1:{s:13:"administrator";b:1;}'
  WHERE user_id = 1 AND meta_key = 'wp_capabilities';

UPDATE wp_usermeta
  SET meta_value = '10'
  WHERE user_id = 1 AND meta_key = 'wp_user_level';

Create a fresh administrator with WP-CLI

If you have SSH, this is the cleanest path. Create a new admin, or promote your existing user, without touching serialized data by hand.

# Create a brand new administrator
wp user create rescue [email protected] --role=administrator --user_pass=StrongPasswordHere

# Or promote an existing user (replace 2 with their ID or login)
wp user set-role 2 administrator

Deactivate the plugin that stripped your role

If a plugin is the cause, deactivate without the dashboard, then reactivate one at a time to find it.

# Over SFTP: rename the folder to deactivate every plugin at once
wp-content/plugins  ->  wp-content/plugins_off

# Or with WP-CLI
wp plugin deactivate --all

If it is actually a server 403

A bare Forbidden page is a server block, not a capability problem. Rename .htaccess to test it, then restore the default WordPress block and correct permissions to directories 755 and files 644.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If a firewall or mod_security rule is blocking you, ask the host to whitelist your IP or relax the rule.

Not sure which cause is yours, or nervous about editing the database by hand?

Let us get you back in within 2 hours →

A real lockout-recovery session

A composite from the admin-lockout repairs we run most weeks, with identifying details removed.

Scenario

A site owner had read that changing the default database prefix improves security and used a security plugin tool to switch from wp_ to a custom prefix. The next time anyone tried to open wp-admin, every administrator got Sorry, you are not allowed to access this page. The front of the site was completely fine. Nobody could reach the dashboard to undo the change.

Diagnosis

A capability failure, not a server block, because the page was WordPress-styled and the site was otherwise healthy. In phpMyAdmin the tables had been renamed to the new prefix and wp-config.php matched, but the usermeta still held wp_capabilities and wp_user_level, and the options table still held wp_user_roles. WordPress was looking for the role under the new prefix and finding nothing, so every admin had no capabilities.

Resolution

We backed up the database, then renamed the three prefixed keys to the new prefix so the data matched the config, the two usermeta keys and the one options name. Admin access returned immediately for every administrator. We confirmed the roles were intact, removed a leftover duplicate option, and documented the keys the plugin had missed so a future prefix change would not repeat it.

⏱

Total elapsed

Back into wp-admin well inside the 2-hour window, once the prefixed keys were aligned with the config.

When to stop and hand it off

Four situations where DIY costs more than help. First, editing a serialized capabilities value or running prefix-rename SQL makes you nervous and there is no backup to fall back on. Second, a security plugin changed the prefix and you cannot tell what it did and did not rename. Third, the lockout hit several administrators on a live store and every minute is lost orders. Fourth, you cannot tell whether you have the WordPress capability message or a server 403, so you do not know which layer to fix. We confirm which it is, repair the prefix or the role from outside the dashboard, create a clean rescue administrator if needed, find any plugin stripping capabilities, and leave your accounts correct. Flat $49 to $149, done in two hours when scope fits, money back if we cannot.

Get a quote in 60 seconds

WordPress admin lockout FAQ

What does "Sorry, you are not allowed to access this page" actually mean in WordPress?

It means WordPress itself decided the logged-in user does not have the capability the page requires, so WordPress core stopped the request with its own styled message. This is the important part: WordPress and PHP are running fine. The site is not down, the database is connected, and the page loaded far enough to run a permission check and fail it. That is very different from a server-level 403 Forbidden, which is the web server refusing the request before WordPress ever runs. Because it is a capability failure, the fix is almost never on the server. It is in who WordPress thinks you are: your stored role, the table prefix it uses to find that role, or a plugin that stripped your capabilities. Knowing it is a WordPress message and not a server block is what points you at the right half of the problem.

It happened right after I changed my database table prefix. Why did that lock me out?

Because your administrator role is stored in the database under a key that includes the table prefix, and the prefix change left the two out of step. WordPress keeps your capabilities in the usermeta table under a meta key named with the prefix, wp_capabilities by default, alongside wp_user_level, and the list of roles lives in the options table under wp_user_roles. If you, or a security plugin, renamed the tables to a new prefix but did not also rename those keys, or changed the prefix in wp-config.php without updating the data, WordPress looks for your role under the new prefix, finds nothing, and treats you as a user with no capabilities at all. The fix is to make the two agree: either point the wp-config prefix back at the real table prefix, or update the meta keys and the option name to the new prefix so WordPress can find your role again.

How do I get back into wp-admin when I cannot even log in to fix it?

You fix it from outside the dashboard, through your hosting tools. The two reliable paths are phpMyAdmin and WP-CLI, both of which most hosts provide. With WP-CLI over SSH you can create a brand new administrator in one command, wp user create, or promote your existing user with wp user set-role, which writes the correct capabilities for you. With phpMyAdmin you can inspect and repair the capabilities row directly in the usermeta table, or create a new admin user. If you suspect a plugin caused it, you can deactivate every plugin without the dashboard by renaming the wp-content/plugins folder over SFTP, which forces WordPress to load with no plugins active. None of these need a working admin login, which is the whole point, because the error means the admin login is exactly what is failing.

Is this the same as a 403 Forbidden error?

No, and telling them apart saves you from fixing the wrong thing. "Sorry, you are not allowed to access this page" is a WordPress message, rendered in the plain WordPress error style, produced when a capability check inside WordPress fails. A 403 Forbidden is a server message, produced by Apache, Nginx, or a firewall like mod_security before WordPress runs, and it looks like a server or host error page, not a WordPress one. The WordPress message points you at roles, capabilities, the table prefix, and plugins. The server 403 points you at .htaccess rules, file permissions, mod_security, or a security service blocking the request. If the page is styled like WordPress and uses that exact sentence, treat it as a capability problem. If it is a bare Forbidden page from the server, treat it as a server-access problem.

A plugin update caused it. How can a plugin take away my admin rights?

WordPress lets plugins filter capabilities on the fly through hooks like user_has_cap and map_meta_cap, which is how membership plugins, role editors, and security plugins do their job. A bug or a bad setting in one of those plugins can answer no to a capability check that should be yes, and because the filter runs for every request, it can lock out every administrator at once the moment the plugin updates or its configuration changes. Role-editor plugins are a common culprit because they can rewrite the stored capabilities directly, and a botched save can remove the administrator capabilities entirely. The fastest way to confirm it is to deactivate plugins, which you can do without the dashboard by renaming the wp-content/plugins folder. If access returns with plugins off, reactivate them one at a time to find the one responsible, then fix its settings or replace it.

I see the message on only one admin screen, but the rest of wp-admin works. Is that the same problem?

That is a milder version of the same capability logic, and usually it is correct behavior rather than a fault. Each admin screen requires a specific capability, and some screens are intentionally limited to administrators or to specific roles. If you are an editor or a shop manager, you will legitimately see the message on screens that need a capability your role does not have, such as managing plugins or other users. It can also be caused by a plugin that restricts a screen to certain users. If you should have access to that screen and do not, the cause is the same family as a full lockout, a missing capability on your role, just narrower in scope. If you are not supposed to have access, the message is WordPress working as designed.

It only appears when I try to save a post in the block editor, not when I load a page. Why?

That is a different mechanism that happens to share the wording, and it is usually about an expired security token rather than your role. The block editor saves through the WordPress REST API, and the request carries a nonce, a one-time security token that is valid for a limited window. If a caching layer, a CDN like Cloudflare, or a page-cache plugin serves a stale page with an old nonce, the REST request can be rejected as not allowed even though your account is a full administrator. The tell is that everything else in wp-admin works and only saving fails. The fix lives with the editor-save problem, not the lockout one, so if this is your symptom, the publishing-failed diagnostic is the right page. We cover it in detail there rather than repeating it here.

Can you fix this if I give you my hosting login but not a WordPress admin login?

Yes, and that is usually exactly the situation. The error means your WordPress admin login is the thing that is broken, so we work through the hosting layer instead, the control panel, SFTP, SSH, phpMyAdmin, or WP-CLI. From there we confirm whether it is a table prefix mismatch, a corrupted or missing administrator role, or a plugin stripping capabilities, and we repair the right one. We can create a clean rescue administrator, restore your real account capabilities, fix the prefix so WordPress finds your role again, and identify the plugin or setting that caused it so it does not recur. Hosting credentials are all we need to start, which is why having them ready makes this a fast fix.

Sources and further reading

Every technical claim on this page traces back to the WordPress documentation, the WordPress developer reference, the WP-CLI documentation, or the named host reference.