What is a 403 error and how to fix it?

It’s a problem we’ve all had when visiting a website (whether or not it’s powered by WordPress)… a 403 error message that says that you are not allowed to view the content. This is pretty frustrating as a visitor, but, if you’re the website owner/developer it can be seriously stressful as you might struggle to resolve the issue, especially if you’re relatively new to building and maintaining websites.

In this article, we’ll take a look at exactly what this error message means and what you can do to solve the problem. Let’s get started!

What is a 403 error?

The 403 error is an HTTP response status code that is shown when something prevents access to a certain page (or pages)+ of the website. In such cases, the server understands the request but refuses to execute it.

In other words, the server understands what the client wants to do but does not allow it because of the missing permissions.

How does a 403 error appear?

Let’s look at this in more detail.

403 error message variations

You might see a variety of 403 error messages such as the following:

• 403 – Forbidden: Access is denied
• Error 403 – Forbidden
• 403 – Forbidden Error – You are not allowed to access this address
• 403 Forbidden – Access to this resource on the server is denied
• You are not authorized to view this page
• It appears you don’t have permission to access this page.

The screenshot below shows how the error would appear on an Apache server:

And this is how it shows on Nginx:

The reasons the permissions are not correct may vary. Some of them are WordPress-related, and some apply to all websites.

What causes a 403 error and how to fix it?

There are a number of potential reasons why you could be getting a 403 error. Let’s look at the main ones.

File/folder permissions

A common reason the 403 error is triggered is client-side access misconfiguration. I.e. how the file or folder permissions are set. Fortunately, this is an issue you can resolve most of the time by yourself.

These permissions are typically represented by a three-digit number.

You can read, write, or execute a file or folder depending on the access configuration. Each digit represents the level of permission for each of these interaction levels.

On a WordPress website, for example, directories and folders should be set to 755, and most file permissions need to be set to 644.

Sometimes you are not allowed on purpose. The website owner purposefully prevented access to the specific page because you do not have the required level of access they defined.

To fix the permissions of a file or folder you have to connect to your website’s directories via SFTP. Then select the file/folder, right-click on it and open the properties. This is how it looks in WinSCP:

In the popup that appears next select the desired value, like 755 and if necessary, check the “Set group, owner, and permissions recursively” so that the setting will be applied to all subdirectories.

Missing index page

Another issue that could cause a 403 error message to show is if a website’s homepage file is not index.php or index.html. This is because it is necessary for an Apache server to auto-index and list all files.

You can check the home directory to see whether this is the case. If so, you should rename the homepage file to index.html or index.php. Alternatively, if you want to keep the current name for some reason, you can create the index.php file and redirect it to your own custom-named file.

In order to do this, you should open the .htaccess file with your favorite editor and insert this line.

Redirect /index.html /my-homepage.html

and replace “my-homepage” with the name of the corresponding file.

Plugin Issues

You might also be seeing the 403 error as a result of a problem or conflict with the plugins that you’re using on your website.

Compatibility issues are quite common in WordPress websites, and this is why we always strongly recommend reviewing them before using and testing them in a staging environment.

Of course, as we have explained before in other articles, the best way to trace the responsible plugin is by deactivating your plugins and then reactivating them one by one.

If you have access to your WordPress admin area, you probably know how to deactivate plugins. Simply log in, head to the Plugins admin screen, and click on the ‘Disable’ link below each. Then refresh your site and see if the error message still appears. If not, you’ve narrowed the fault down to a plugin. You’ll now need to re-enable each plugin and refresh your site each time to see if you can trigger the warning.

If you’ve been locked out of WP-Admin we will need to do this via SFTP. Connect to your WordPress hosting via your favorite SFTP client. Then head to the wp-content/plugins folder and rename the plugin by adding a suffix like “-disabled”. Then, head back to your site and refresh it to check if the error has been resolved. If not, keep disabling the plugins until you resolve the issue.

Firewall and Security Plugins

Normally, firewalls are there to deny access to potentially malicious activity inside the website. It happens though, that some non-malicious activities are flagged as suspicious with a false positive.

Also, it happens on WordPress sites that poorly configured security plugins are a common culprit in WordPress sites receiving the 403 forbidden error. They tend to block IP addresses as a false positive because they flag them as malicious.

The way to detect the plugin responsible is the same as we described above, by deactivating and reactivating your plugins one by one.

The 403 error can also be triggered because the request was prohibited by a firewall rule, which means your IP may be blocked for some reason. For example, this may happen because your IP address belongs to a country that was blocked by the firewall due to security policy.

Malware check

In rare cases, another cause of the 403 error is a malware attack.

You may benefit from the WordPress security plugins, but we cannot guarantee this will fix the issue as it strongly depends on the case.

Otherwise, if you have a backup, you can either restore the website to a previous version that is clean or ask your hosting provider to perform a malware check.

Clear Cache

Sometimes the 403 error may be temporary and related to the browser cache. You might be wondering how cache can be related to this topic.

Simply put, it is possible that the 403 error comes up because the page link was changed on the website and is now different than the page that has been cached in your browser.

To fix this, simply clear the browser cache and cookies.

Pressidium

To sum up, the 403 error triggers we discussed are:

• File permissions
• Blocked country IP
• Firewall rules
• Plugin misconfiguration
• Missing index page
• Browser cache
• Malware

If you host with Pressidium resolving any 403 errors should be straightforward. Not only will our industry-leading Support assist, but from within the Pressidium dashboard, you can fix permissions in seconds and flush the website’s cache, to force the browsers to view fresh content.

Our malware check has proven to be a savior in numerous cases, even when the customer could not identify the corrupted files related to the attack. It will perform and provide insights of the attack, if any, and the support team will mitigate it in minutes.

Conclusion

The 403 Forbidden error does not mean that there is something wrong with your server, but that it is denying your access to some or all of the content you are trying to reach.

We analyzed the most common causes of a 403 error, not only on WordPress websites, and how to fix them. Hopefully, you are now more aware of why it happens and how to troubleshoot such cases.