My WordPress site generates 403 errors
On a website, errors can come from multiple sources and are never pleasant, especially when they are intermittent.
Recently, a customer contacted us about a 403 HTTP error problem (not a 500 error problem) on their WordPress site that was occurring randomly!
What is an HTTP status code?
An HTTP code, or HTTP status code, is a numerical response that a web server returns when you (or your browser) make a request to that server. For example, when you type a URL into your browser, it sends a request to the server hosting that URL, and the server responds with an HTTP code.
HTTP codes are essential to the operation of the web, as they provide information about the success or failure of a request. Here is an outline of possible HTTP codes:
- Codes 2xx: Codes between 200 and 299 indicate a successful response: the client’s request was accepted and processed by the server, and the requested resource was returned to the client.
- Codes 3xx: Codes between 300 and 399 are redirection codes. They indicate that the client needs to take further action to complete the request, usually because the requested URL has been modified or moved, and the client is redirected to the new location.
- Codes 4xx: Codes between 400 and 499 represent errors on the visitor’s side. They indicate that the client’s (visitor’s) request could not be processed, often due to a problem with the request itself. Our famous 403 error falls into this category.
- Codes 5xx: Codes between 500 and 599 indicate a server error: the server was unable to complete a valid request, usually due to a problem with the server itself.
What is a 403 error?
A 403 error, also known as “Access Forbidden”, is an HTTP status code meaning that a user is attempting to access a resource on the web server that they are not authorized to access. With a 403, the server has understood the request but refuses to fulfil it because of access restrictions.
With this information, all that’s left is to identify why the authorization is refused!
Main causes of a 403 error in WordPress
There are several common reasons that can cause a 403 error on your WordPress site. Here are the most common:
- Incorrect file permissions: Files and directories on your web server have permissions that determine who can read, write and execute these files. If these permissions are set incorrectly, this can result in a 403 error.
- .htaccess file problems: The .htaccess file is a powerful configuration tool that WordPress uses to manage permalinks and redirection. However, a corrupt or misconfigured .htaccess can result in a 403 error.
- Plugin problems: Some plugins can cause 403 errors, particularly those that manage your site’s security (e.g. Wordfence, iThemes Security) or its redirections (e.g. Redirections).
- Firewall or security settings: Strict firewall or security settings can cause 403 errors, especially if they are misconfigured and block access to certain parts of your website.
Note: Solving these problems requires advanced technical knowledge and access to your server or hosting account. If you’re not sure how to proceed, it’s advisable not to improvise and to contact a WordPress expert.
The first three causes can often be addressed directly by an experienced developer. If the problem lies with server security, however, resolution depends on your type of hosting.
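To make the first cause concrete, here is an added audit script (not from the original article) that walks a WordPress tree and separates the permission faults that produce a 403 from the ones that are merely dangerous. It assumes the web server runs as a separate unprivileged user such as www-data, and the sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE, FILE_MODE = 0o755, 0o644   # the modes WordPress documentation recommends

def audit_permissions(root):
    """Report permission problems under a WordPress install (paths relative to root).
    Assumes the web server runs as a user that neither owns the files nor shares their
    group (the usual www-data setup), so only the "other" bits decide access.
    untraversable: dirs lacking r+x for others (everything below -> 403); unreadable:
    files lacking r for others (-> 403); too_open: world-writable (a risk, not a 403)."""
    root = Path(root)
    found = {"untraversable": [], "unreadable": [], "too_open": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue                 # symlinks: audit the target where it lives
            rel, mode = p.relative_to(root).as_posix(), stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                if (mode & (stat.S_IROTH | stat.S_IXOTH)) != (stat.S_IROTH | stat.S_IXOTH):
                    found["untraversable"].append(rel)
            elif not (mode & stat.S_IROTH):
                found["unreadable"].append(rel)
            if mode & stat.S_IWOTH:
                found["too_open"].append(rel)
    return {k: sorted(v) for k, v in found.items()}

def chmod_fixes(root, found):
    """Turn an audit result into the chmod commands that restore 755/644."""
    return [f"chmod {(DIR_MODE if (Path(root) / rel).is_dir() else FILE_MODE):o} {rel}"
            for rel in sorted(set(sum(found.values(), [])))]

def build_sample_tree():
    """Constructed sample install in a temporary directory, showing each problem once."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    layout = {"wp-content/": 0o755, "wp-content/plugins/": 0o755,   # "/" marks a directory
              "wp-content/plugins/hello/": 0o755,
              "wp-content/uploads/": 0o700,                 # www-data cannot enter -> 403 below it
              "wp-content/uploads/logo.png": 0o600,         # www-data cannot read -> 403
              "wp-content/plugins/hello/hello.php": 0o666}  # world-writable
    for rel, mode in layout.items():
        p = root / rel
        p.mkdir(parents=True, exist_ok=True) if rel.endswith("/") else p.write_text("placeholder\n")
        os.chmod(p, mode)
    return root
```

Run it against the real document root as the account owner; the `too_open` bucket will not explain a 403 but should be fixed in the same pass.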
Server security and firewall
Several web hosts offer services using cPanel and WHM (Web Host Manager). These solutions are often equipped with firewalls to reduce the impact of attacks or bots that may consume too many of your account’s resources.
Popular technologies include:
- ConfigServer Security & Firewall (CSF): Security suite for Linux, very popular with cPanel users. CSF offers a wide range of functions, including IP address blocking, anti-flood protection, country blocking, protection against brute-force attacks, and much more.
- Advanced Policy Firewall (APF): Although less well-known than CSF, APF is an extremely reliable rule-based firewall built on iptables (the firewall management system for Linux). APF is easy to use, flexible, and offers solid protection against common attacks.
- ModSecurity: Open-source Web Application Firewall (WAF) that protects web applications against a variety of attacks, such as SQL injection, brute-force attacks and XSS. ModSecurity is often used in combination with other firewalls to provide an additional layer of security.
- cPHulk: A tool integrated into cPanel that offers protection against brute-force attacks. It blocks IP addresses that accumulate too many failed login attempts over a certain period of time.
- mod_evasive (Apache module): An indispensable defense against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It protects in real time by monitoring traffic patterns and blocking suspicious IP addresses. If your WordPress site experiences a sudden increase in traffic or suspicious requests, mod_evasive can help neutralize the threat before it disrupts your site.
- Imunify360: All-in-one automated security solution for Linux servers. As a security suite that uses machine learning, it offers proactive protection to spot the latest threats. Imunify360 includes a host of features, such as an intrusion detection and prevention system (IDS/IPS), a web application firewall (WAF), malware protection and many other essential security tools.
It’s important to note that the use of these firewalls requires a certain amount of technical knowledge for correct and efficient configuration. Remember, the security of your WordPress site depends on the robustness of your protection measures.
If you’re not using cPanel/WHM, it’s not uncommon to come across tools such as FirewallD and/or Fail2ban, which act in a similar way.
And our customer?
In our customer’s case, it was ultimately ModSecurity that contained rules that were far too strict for its visitors. The configuration was reviewed and the problems disappeared as if by magic… except that there was nothing magical about it!
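As an added illustration of how such a case is diagnosed (example code, not the customer’s configuration or the article’s own), the script below parses ModSecurity v2 denial lines from an Apache error log, groups them by rule and URI so that a rule tripped by many distinct visitors on one legitimate endpoint stands out from a single IP probing many paths, and prints a path-scoped exclusion rather than a site-wide one. The log lines and the CRS-style rule ids in them are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample of ModSecurity v2 entries in an Apache error log (not the customer's real log).
SAMPLE_ERROR_LOG = """\
[Mon Jun 05 09:12:01 2023] [:error] [pid 4121] [client 203.0.113.10:50214] ModSecurity: Access denied with code 403 (phase 2). Pattern match found within ARGS:action. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/admin-ajax.php"]
[Mon Jun 05 09:12:40 2023] [:error] [pid 4122] [client 198.51.100.7:61002] ModSecurity: Access denied with code 403 (phase 2). Pattern match found within ARGS:action. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/admin-ajax.php"]
[Mon Jun 05 09:13:05 2023] [:error] [pid 4121] [client 192.0.2.44:43311] ModSecurity: Access denied with code 403 (phase 2). Pattern match found within ARGS:action. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/admin-ajax.php"]
[Mon Jun 05 09:14:22 2023] [:error] [pid 4123] [client 203.0.113.99:50001] ModSecurity: Access denied with code 403 (phase 2). Pattern match found within ARGS:p. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/xmlrpc.php"]
[Mon Jun 05 09:14:23 2023] [:error] [pid 4123] [client 203.0.113.99:50002] ModSecurity: Access denied with code 403 (phase 2). Pattern match found within ARGS:log. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/wp-login.php"]
[Mon Jun 05 09:15:00 2023] [:error] [pid 4124] [client 203.0.113.10:50215] ModSecurity: Warning. Pattern match found within REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"]
"""

DENIAL_RE = re.compile(                       # one Apache 2.4 error_log line -> the fields we need
    r'\[client (?P<ip>[0-9.]+)(?::\d+)?\] ModSecurity: Access denied with code 403'
    r'.*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]')

def parse_denials(log_text):
    """Return one dict (ip, id, msg, uri) per request ModSecurity blocked with a 403."""
    return [m.groupdict() for m in map(DENIAL_RE.search, log_text.splitlines()) if m]

def false_positive_candidates(events, min_clients=2):
    """Group denials by (rule id, URI) and keep the suspicious buckets.

    Many different visitor IPs tripping the same rule on the same legitimate WordPress
    endpoint is the signature of an over-strict rule; a single IP tripping several
    rules across several URIs looks like a real probe and is not reported.
    """
    buckets = defaultdict(lambda: {"hits": 0, "clients": set(), "msg": ""})
    for e in events:
        b = buckets[(e["id"], e["uri"])]
        b["hits"] += 1
        b["clients"].add(e["ip"])
        b["msg"] = e["msg"]
    report = [{"rule_id": rid, "uri": uri, "hits": b["hits"],
               "clients": len(b["clients"]), "msg": b["msg"]}
              for (rid, uri), b in buckets.items() if len(b["clients"]) >= min_clients]
    return sorted(report, key=lambda r: (-r["hits"], r["rule_id"]))

def exclusion_snippet(rule_id, uri):
    """Apache config that switches one rule off for one path only, rather than
    relaxing the whole site's protection (SecRuleRemoveById is valid in <LocationMatch>)."""
    return (f'<LocationMatch "^{re.escape(uri)}$">\n'
            f'    SecRuleRemoveById {rule_id}\n'
            f'</LocationMatch>')

if __name__ == "__main__":
    for c in false_positive_candidates(parse_denials(SAMPLE_ERROR_LOG)):
        print(c, exclusion_snippet(c["rule_id"], c["uri"]), sep="\n")
```

On a real server, feed it the Apache error log (or the ModSecurity audit log) and confirm each candidate against the blocked requests before adding the exclusion.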