What did you do to block people from the login page? Something is configured to give a 403.
If you can’t set up mod_cloudflare (or a similar process) on your server, you can use Cloudflare Access to limit logins. I configured it to bypass the Access restriction for my home IP and a client IP address. And if neither of us is using our local IP address, we can get an access code through our personal email address. (Note that I’m not currently using it in this case, and that’s why it says wp-login.sav instead of .php.) Access is free if it’s for five users (email addresses) or fewer. Restrict/Bypass by IP address is completely free.
Most likely Wordfence, I think. I did have it in the .htaccess to only allow my IPs but have removed that and still get the error, so most likely Wordfence.
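
An added example, not configuration posted by anyone in this thread: an Apache 2.4 IP allowlist for the login page on a site proxied through Cloudflare, using mod_remoteip as the "similar process" to mod_cloudflare. Without the client-IP restoration step, `Require ip` is evaluated against the Cloudflare edge address rather than the visitor's, so an allowlist of home and client IPs returns 403 to everyone. The addresses and the include path are placeholders.

```apache
# --- Server or virtual-host configuration ---
# RemoteIPHeader and RemoteIPTrustedProxy are not permitted in .htaccess,
# so this part cannot live next to the WordPress files.
<IfModule mod_remoteip.c>
    # Cloudflare passes the visitor's address in this request header.
    RemoteIPHeader CF-Connecting-IP

    # Honour the header only on connections that arrive from Cloudflare.
    # If it were trusted from any peer, a client reaching the origin directly
    # could claim an allowlisted address.
    # Hypothetical include file: one "RemoteIPTrustedProxy <CIDR>" line per
    # range published at https://www.cloudflare.com/ips/
    Include conf/cloudflare-trusted-proxies.conf
</IfModule>

# --- Login page allowlist (this block may also go in .htaccess) ---
<Files "wp-login.php">
    # 203.0.113.10 and 198.51.100.25 are documentation addresses standing in
    # for the home IP and the client IP.
    Require ip 203.0.113.10 198.51.100.25
</Files>
```

After a change like this, the access log's `%a` field should show visitor addresses instead of Cloudflare edge addresses; if it still shows edge addresses, the allowlist is being matched against the wrong IP.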