How to Fix WordPress 403 Forbidden Error

by

What Is the WordPress 403 Forbidden Error?

The 403 Forbidden Error means your web server is blocking access to a specific page or resource. Unlike a 404 error (page not found), the server knows the page exists but refuses to show it to you.

You might see messages like:

  • “403 Forbidden”
  • “Access Denied”
  • “You don’t have permission to access this resource”
  • “Forbidden: You don’t have permission to access / on this server”

This error can affect your entire website, just the admin area (wp-admin), or specific pages. It’s frustrating because the site is technically running, but you’re locked out.

Common Causes of 403 Errors

  • Corrupted .htaccess file — Most common cause; rewrite rules are blocking access
  • Incorrect file permissions — WordPress files have wrong permission settings (usually too restrictive)
  • Plugin conflicts — Security plugins blocking legitimate requests
  • Mod_security rules — Server firewall rules flagging normal requests as suspicious
  • Missing index.php file — The main WordPress file is deleted or renamed
  • Hotlink protection — Your hosting’s image protection settings are too aggressive
  • IP blocking — Your IP address is on a blacklist (often after multiple failed login attempts)

Solution 1: Fix the .htaccess File

This fixes about 80% of 403 errors. Here’s the safest method:

  1. Connect to your site via FTP or File Manager
  2. Find .htaccess in your WordPress root directory
  3. Download a backup copy to your computer
  4. Delete the .htaccess file from the server
  5. Go to WordPress admin → Settings → Permalinks
  6. Click “Save Changes” without changing anything

WordPress automatically creates a fresh .htaccess file. Test your site now.

If you can’t access wp-admin, create a new .htaccess manually:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Upload this as .htaccess to your root folder.

Solution 2: Check File Permissions

WordPress needs specific permission settings to work properly.

Correct permissions:

  • Folders: 755
  • Files: 644
  • wp-config.php: 440 or 400 (extra secure)

Via FTP:

  1. Select all WordPress folders
  2. Right-click → File Permissions
  3. Set to 755 (or type “755”)
  4. Check “Apply to directories only”
  5. Click OK

Repeat for files:

  1. Select all files
  2. Set permissions to 644
  3. Check “Apply to files only”

Via SSH (faster method):

cd /home/username/public_html
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 440 wp-config.php

This command sets the right permissions for everything at once. Replace /home/username/public_html with your actual WordPress path.

Solution 3: Disable Security Plugins Temporarily

Security plugins like Wordfence, iThemes Security, or Sucuri sometimes block legitimate access.

Method 1 (via FTP):

  1. Go to /wp-content/plugins/
  2. Rename your security plugin folder (e.g., wordfence → wordfence-disabled)
  3. Test your site
  4. If it works, the plugin was causing the issue

Method 2 (via database):

  1. Access phpMyAdmin
  2. Open your WordPress database
  3. Find the wp_options table
  4. Search for rows containing your security plugin name
  5. Temporarily change option_value from “active” to “inactive”

Once identified, reconfigure the plugin’s firewall settings or switch to an alternative security solution.

Solution 4: Disable Mod_Security Rules

Many hosts use mod_security as a server firewall. Sometimes it blocks normal WordPress actions.

  1. Log in to cPanel or your hosting control panel
  2. Find “ModSecurity” or “Security” section
  3. Click “Disable ModSecurity”
  4. Test your site

If this fixes the error, the issue is with specific mod_security rules. Contact your host to whitelist your WordPress installation. They can disable problematic rules without turning off the entire firewall.

Can’t find ModSecurity settings? Add this to your .htaccess:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Solution 5: Check for Missing Index Files

WordPress needs index.php in the root directory and inside certain folders.

  1. Via FTP, navigate to your WordPress root
  2. Confirm index.php exists
  3. If missing, download WordPress from wordpress.org
  4. Extract the zip file
  5. Upload only the index.php file to your root directory

Also check these folders have index.php:

  • /wp-content/
  • /wp-content/plugins/
  • /wp-content/themes/

These prevent directory browsing and sometimes fix 403 errors on specific sections.

Solution 6: Clear Browser and Server Cache

Cached 403 responses can persist even after fixing the actual problem.

Clear browser cache:

  • Chrome: Ctrl+Shift+Delete → Clear browsing data
  • Firefox: Ctrl+Shift+Delete → Check “Cache” → Clear Now

Clear WordPress cache:

  1. If using a cache plugin (WP Super Cache, W3 Total Cache), go to its settings
  2. Click “Delete Cache” or “Purge All Caches”

Clear server cache:
Contact your hosting provider or check cPanel for “Cache Manager” or similar options.

After clearing everything, use an incognito/private window to test.

Solution 7: Check Your IP Isn’t Blocked

Too many failed login attempts can blacklist your IP address.

  1. Contact your hosting support
  2. Provide your current IP address (Google “what is my IP”)
  3. Ask them to check if your IP is blocked in the server firewall
  4. Request they whitelist your IP

Alternatively, try accessing your site from a different network (mobile data, different WiFi) to confirm if it’s an IP block.

cPanel’s hotlink protection can accidentally block legitimate requests.

  1. Log in to cPanel
  2. Search for “Hotlink Protection”
  3. Either disable it temporarily or add your domain to the allowed list
  4. Save and test

Most people don’t need hotlink protection unless they’re worried about bandwidth theft.

Prevention Tips

  • Keep .htaccess backups before making changes
  • Document permission settings after fresh installations
  • Configure security plugins with caution (don’t use maximum security settings unless needed)
  • Use activity logs to track what changed before the error appeared
  • Set up uptime monitoring to catch 403 errors immediately

Related: If you’re still seeing errors after trying these solutions, the problem might be at the server level. Check out How to Fix WordPress White Screen of Death for additional troubleshooting techniques that can help diagnose deeper issues.

Conclusion

Most WordPress 403 errors come from .htaccess problems or file permissions. Start with those two solutions, which handle about 90% of cases. The rest usually involve security plugins or server-level firewall rules that your hosting provider can help adjust. In my experience, fixing these takes less than 10 minutes once you’ve identified the exact cause.

Leave a Comment