A 403 error can be a frustrating interruption to anyone’s day; it can result in exasperated website visitors, even leading to lost traffic and website revenue depending on the affected page. When you (or your site visitors) encounter an unexpected 403, it’s vital to assess the issue promptly in the event that it’s the symptom of a more serious issue on your site.
You might run into a 403 forbidden error when visiting a website directory or page with restricted permissions, as most websites are set up to disallow directory browsing to protect sensitive files. But in some cases, 403’s can be an indicator of compromise — stemming from by or faulty malware, or a damaged .htaccess file on your website.
In this article, we will delve into the different types of 403 forbidden errors, their possible causes, and provide comprehensive steps on how to troubleshoot and resolve these errors and get your website back online.
- What is a 403 error?
- How are 403 errors different from other 4xx errors?
- What causes a 403 error?
- How do I fix a 403 error on my site?
What is a 403 error?
The HTTP 403 Forbidden response status code is a client-side error that signifies the server has received and understood the request but is unable to authorize it.
A 403 Forbidden: you don’t have permission to access this resource error typically occurs when a user does not have the necessary permission to access a specific web page or resource on a web server. This error is usually an issue with the website itself — rather than a problem on the user’s side.
400 error messages can come in all sorts of flavors, but they all mean the same thing. Here are a few variations of 400 errors you might encounter in your browser:
- 403 Forbidden
- HTTP 403
- HTTP Error 403 – Forbidden
- Error 403
- Error 403 – Forbidden
- Forbidden: You don’t have permission to access [directory] on this server
These are only a handful of the possible messages you might find when encountering a 403 error. In fact, some websites even have their own custom 403’s.
How are 403 errors different from other 4xx errors?
To help you understand the difference between generic 400 errors and other types of client-side errors, we’ve outlined some of the common types of 4xx responses you might encounter on your site.
- 400 error: Bad request. This indicates that the server was unable to process the request due to malformed syntax or invalid data provided by the client.
- 401 error: Unauthorized. This signifies that the request requires authentication, and the client has not provided valid credentials or has insufficient access rights.
- 402 error: Payment required. Although not widely used, this error code indicates that the requested resource requires payment before it can be accessed.
- 403 error: Forbidden. The client does not have the necessary permissions to access the requested resource, even if they are authenticated.
- 404 error: Not found. The requested resource could not be found on the server, most typically because the URL is incorrect or the resource has been removed.
- 405 error: Method not allowed. The HTTP method used in the request is not supported for the specified resource.
- 406 error: Not acceptable. The server cannot produce a response that matches the criteria specified by the client in the request headers.
- 407 error: Proxy authentication required. Similar to a 401 error, this status code indicates that the client must authenticate themselves with the proxy server before accessing the requested resource.
- 408 error: Request timeout. The server did not receive a complete request from the client within the allotted time frame.
- 409 error: Conflict. The requested operation could not be completed due to a conflict with the current state of the resource.
- 410 error: Gone. The requested resource is no longer available on the server and has been permanently removed.
- 411 error: Length required. The server requires a valid Content-Length header in the request for the specified resource.
- 412 error: Precondition failed. One or more preconditions specified by the client in the request headers have not been met by the server.
With the exception of a 400 error, the majority of client-side errors provide clear reasons for the status response that can help you pinpoint the issue and resolve it.
What causes a 403 error?
403 Forbidden errors can occur for a myriad of reasons. Some of the most common causes of a 403 error include:
- Restricted directories or pages: Most websites are set up to disallow directory browsing to protect sensitive files or prevent access to restricted areas.
- Incorrect file or folder permissions: If permissions have been incorrectly set or altered to restrict access to resources, visitors may not be able to read the contents of the web page.
- Corrupt .htaccess file: Corrupted or incorrect settings in the .htaccess file can lead to 403 errors, which may occur after making changes to the file or after .
- WordPress plugin issues: A WordPress plugin that is improperly configured, incompatible with another plugin, or affected by a malware infection can trigger 403 errors.
- Missing index page: Your site’s homepage is not one of the web server’s default index files: index.html, index.php, default.asp, index.htm, index.shtml, etc..
- Incorrect IP address: Domain name points to an incorrect IP address.
- Malware infection: Some malware infections are renowned for causing 403 errors on compromised websites.
When encountering a 403 error, users are denied access to particular areas of a website, which might happen when landing on a webpage with a permission error or an empty website directory. Consequently, it is essential to address these errors as soon as possible to ensure a smooth user experience and maintain the website’s reputation.
How do I fix a 403 error on my site?
Sometimes, the simplest solutions can solve the most complex problems – especially when it comes to 403’s on your site. Let’s start with the basics and explore each step in detail.
Continue in chronological order until the issue is resolved.
1. Verify the address and refresh the page
The first thing you should do when encountering a 403 error is double-check the URL you’re trying to access. A common cause of 403 errors is an incorrect URL or a mistyped address. Ensure that the address is spelled correctly and points to the correct resource. If the address is a directory and not a specific web page, you may encounter a 403 error, as some web servers might restrict direct access to directories.
If that doesn’t work, try reloading the page (F5/Ctrl + F5). It’s a simple action, but it can often resolve temporary issues. There’s a possibility that your request was processed during a momentary server hiccup, and refreshing the page might be all it takes to resolve the error.
2. Clear your browser cache
Your browser cache helps speed up the loading time of websites by storing static resources like images, scripts, and stylesheets. However, sometimes discrepancies can occur between the actual version of a page and its cached version, leading to errors such as the 403 Forbidden error.
To resolve this issue, clear your browser’s cache. This action will force your browser to fetch the most recent version of the web page directly from the server.
After clearing your cache, revisit the page to see if the error has been resolved. You can ensure that you are not seeing a cached page on the website by loading the URL with an appended variable like this: example.com?nocache
3. Modify your file and directory permissions
Each file and folder on your website’s server has unique file permissions that control read, write, and execute access. These permissions are represented by a three-digit number, with each digit indicating the level of permission for the owner, group, and others respectively.
Occasionally, file permissions can be accidentally altered or incorrectly set, leading to a 403 Forbidden error. To resolve this issue, you’ll need to connect to your server via FTP/SFTP and review your site’s file permissions.
The ideal file permissions for a WordPress site are:
- Files: 644 or 640
- Directories: 755 or 750
- wp-config.php: 440 or 400
To modify file permissions for your WordPress site:
- Connect to your server using an SFTP client.
- Navigate to your site’s root folder (often called public_html or www).
- Locate the files and folders that need their permissions adjusted, right-click on them, and select File Permissions or Properties.
- Update the permissions as necessary, and be sure to apply these changes recursively if adjusting folder permissions.
4. Check for recently installed or updated software
Investigate to see if any recently installed or upgraded software on your website failed to install or upgrade. To refresh your software, check the vendor’s website for specific instructions.
You’ll also want to audit your website for any new and unfamiliar plugins or themes. If you find anything unusual, this may be an indicator of compromise.
Investigate further to pinpoint:
- What the unfamiliar software or component is
- How long it’s been installed on your site
- Whether or not it’s legitimate
If you encounter anything that looks suspicious, remove the component and scan your website for malware.
Important note: Attackers regularly scan outdated and poorly maintained plugins, themes, and components for known vulnerabilities. Always keep your software patched with the latest security updates to mitigate risk and protect against automated attacks.
5. Check your .htaccess file
The .htaccess file is a configuration file used by the Apache web server to control various aspects of your website, such as redirects, access restrictions, and performance optimizations. Errors in the .htaccess file, like incorrect syntax or conflicting rules, can result in a 403 Forbidden error. The most common source of such errors are incorrectly configured allow/deny rules. Unwanted deny rules are also known to be added to random subdirectories by some types of malware.
Since .htaccess files can be placed in any directory and their directives affect all subdirectories, you should start from the level where you get the 403 error and check for .htaccess files in every directory up to the root.
If you’re a cPanel user, you can follow these steps to troubleshoot the issue:
- Navigate to your cPanel File Manager.
- Go to the public_html directory and locate your .htaccess file. If you only have this error for a specific directory, check if this directory has its own .htaccess file.
- Right click on the file in your cPanel file manager and Download a copy to back it up.
- Once you’ve verified that you now have a backup copy of your .htaccess file, you can right click the file again and select Delete.
- Check your website to see if the 403 error is resolved. If your site now works as expected, your .htaccess file was corrupted and you’ll need to make a new one.
- Log in to your WordPress dashboard and navigate to Settings > Permalinks, then click on Save Changes at the bottom of the page to generate a new .htaccess file for your website.
6. Deactivate your plugins
Faulty or incompatible plugins can cause 403 Forbidden errors on your website. To identify the problematic plugin, you will need to deactivate your plugins and then reactivate them one by one, checking your site after each activation to see if the error reappears.
If you’re unable to access your WordPress dashboard to deactivate your plugins, you can follow these steps to troubleshoot your components:
- Make a backup of your website.
- Connect to your server via SFTP.
- Navigate to the wp-content folder.
- Rename the plugins folder to something like plugins-disabled to simultaneously disable all of your plugins on your site.
- Check your website for issues. If the error is gone, it’s likely that a plugin was causing the issue.
- Rename the folder back to plugins and reactivate your plugins one by one, checking your site after each activation to pinpoint the problematic component.
- Once the culprit is identified, update or delete the plugin as needed.
7. Temporarily deactivate your CDN
To check if the CDN is causing the error, temporarily disable it and visit your site again. Once the issue is resolved, you can re-enable your CDN to continue benefiting from its performance optimizations.
Troubleshooting 403’s with the Sucuri WAF
If you’re a Sucuri WAF user and you’ve implemented Firewall Bypass Prevention for your Firewall, then you will need to add your own IP address (which can be found here) to the FileMatch directive in your .htaccess file to resolve 403 issues:
# BEGIN Sucuri Firewall Bypass Prevention <FilesMatch ".*"> Order deny,allow Deny from all Allow from 220.127.116.11/23 Allow from 18.104.22.168/22 Allow from 22.214.171.124/22 Allow from 126.96.36.199/22 Allow from 2a02:fe80::/29 Allow from INSERT YOUR IP HERE </FilesMatch> # END Sucuri Firewall Bypass Prevention
8. Check for hotlink protection configuration issues
Hotlink protection prevents other websites from using your server’s bandwidth by directly linking to your files. When hotlink protection is enabled, it typically returns a 403 forbidden error to unauthorized requests. However, misconfigured hotlink protection can also block legitimate requests and cause 403 errors.
To resolve this issue, review your hotlink protection settings either in your hosting control panel or CDN settings. Ensure that the protection is correctly configured to block unauthorized requests only. If necessary, update the settings and test your site again to see if the error has been resolved.
9. Disconnect from your VPN
Some websites block access to users connected through a VPN to prevent potential abuse or circumvention of geo-restrictions.
For those using a VPN, try disconnecting from it and accessing the site directly or through another server provided by your VPN service. If the error disappears, the 403 Forbidden error was likely due to your VPN connection.
10. Scan your website for security issues and malware
In some cases, infected components or .htaccess malware can result in 403 errors on your website. You’ll want to perform an extensive scan of your website’s files and server to rule out a compromise or infection causing the error.
11. Reach out to your hosting provider
If none of the above solutions worked for you, it’s time to contact your hosting provider for assistance. They can help you pinpoint the issue, provide guidance on resolving it, and even fix it on your behalf if the problem lies within the server configuration or hosting infrastructure.
Encountering a 403 error on your website can be a frustrating experience, but it’s essential to address the issue promptly to avoid losing valuable traffic and harming your site’s reputation.
By getting a grip on the various forms of 403 errors, their likely causes, and following the comprehensive troubleshooting steps laid out in this post, you’ll be well-equipped to squash these errors and bring your site back on track. Furthermore, always make sure your site is up-to-date and hardened against potential threats.
If you’ve followed these troubleshooting steps and suspect that website malware is the culprit, you can refer to our guide on how to clean up a hacked website or reach out to us for support – we’re always happy to help clean up malware on a website.