diff --git a/core/modules/block/lib/Drupal/block/BlockAccessController.php b/core/modules/block/lib/Drupal/block/BlockAccessController.php
index 9e4e472eef086decb9049598d7dda67ef9ef5a2d..3bd9fb3d4d452d14f6f08130b836315358aa32d8 100644
--- a/core/modules/block/lib/Drupal/block/BlockAccessController.php
+++ b/core/modules/block/lib/Drupal/block/BlockAccessController.php
@@ -64,13 +64,6 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
       return FALSE;
     }
 
-    // If the plugin denies access, then deny access.
-    if (!$entity->getPlugin()->access($account)) {
-      return FALSE;
-    }
-
-    // Otherwise, check for other access restrictions.
-
     // User role access handling.
     // If a block has no roles associated, it is displayed for every role.
     // For blocks with roles associated, if none of the user's roles matches
@@ -121,6 +114,14 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
         return FALSE;
       }
     }
+
+    // If the plugin denies access, then deny access. Apply plugin access checks
+    // last, because it's almost certainly cheaper to first apply Block's own
+    // visibility checks.
+    if (!$entity->getPlugin()->access($account)) {
+      return FALSE;
+    }
+
     return TRUE;
   }
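Review bot: Moving the plugin access check to the end of checkAccess() is only safe if every check above it can deny but never grant. An early `return TRUE` anywhere before `if (!$entity->getPlugin()->access($account))` would now skip the plugin's check entirely, whereas before this change the plugin check ran ahead of the role handling. The lines visible here only `return FALSE`, but the role handling and any other checks between the two hunks are outside the diff, as is the start of the function, so this should be confirmed against the full body. I would extend the new comment to record the invariant, e.g. `// Checks above must only deny; an early return TRUE before this point would bypass the plugin's access check.` A test for a block whose plugin denies access while Block's own visibility settings allow it would pin the behaviour.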