Fixing the Pesky 403 Forbidden Error in WordPress
When your website throws up a 403 error with “Forbidden” plastered across the top in imposing bold letters, it’s just a bit rude, right? I mean, it’s your website and you can’t access it. The nerve!
I mean, you’re the site administrator or even the owner and your site has locked you out.
Fortunately, troubleshooting and fixing this error so you can regain access to your site isn’t too difficult and requires a few minutes and FTP or cPanel access.
Let’s fix it!
Back It Up, Then Restore
Before you do anything, make a full backup of your site. Since troubleshooting a 403 error requires you to make changes to your site behind the scenes, having a backup is important because you can restore your site if things suddenly become worse.
You can check out these other posts for more details on backing up your site:
- How to Backup Your WordPress Website (and Multisite) Using Snapshot
- Introducing WPMU DEV Cloud Backups (Members Get 10GB for Free!)
- Backup Plugins Aren’t About Backing up, They’re About Restoring
- Creating a Manual Backup of WordPress When It’s Down or Locked
- 7 Top Premium and Freemium WordPress Backup Plugins Reviewed
- 11 Best Free Quality Backup Plugins for Protecting Your WordPress Site
- 4 Top WordPress Multisite Backup Solutions Tested and Reviewed
Once your site’s backed up, you can try restoring it with an earlier backup to see if it resolves the error, though, if you don’t have access to the back-end of your site, this may not be possible for you.
If this is the case, you can continue with troubleshooting by following the details below, starting with reviewing your permissions and ending with deactivating plugins and themes.
Often times, troubleshooting calls for the reverse order, but in this case, it’s best to start with steps that aren’t as invasive and aren’t as likely to bring down more of your site.
1. Review User Permissions
Beyond making sure you’re logged in and for the correct account, sometimes changes you or a plugin made could accidentally change the permissions that are assigned to a user account, such as an admin account.
While this may not always be the case, if you’re using a plugin that controls user signups or accounts in some way, there could be a bug or a manual error that accidentally throws you out and locks up your site.
Normally, for plugins that have control over user permissions, you could login and edit the user permissions that have been blocked. If you’re locked out, you could log into your database through phpMyAdmin and edit your admin account manually to include the missing permissions.
For specifics on what you need to edit and where, it’s best to ask the plugin’s developer or consult the plugin’s documentation since each plugin and situation is going to be different.
While this may not always be the case, it could solve your issue if it seems that you’re locked out of a page you know is controlled by a plugin.
Keep in mind that the page you don’t have access to may not actually be something to be alarmed about. For example, if you installed a security plugin and it blocks access to your site’s directory listing, that’s actually a good thing since it lists all the pages and files on your site.
Hackers could use these precise file locations to attack your site directly and without having to spend time guessing or searching for the file they want to target.
If you know neither of these situations applies to you, continue reading for more troubleshooting steps.
2. Check Your File Permissions
Next up in the troubleshooting process is to check your file permissions. Each file in your site is set up to have strict rules on who can view, edit and overall manage the file.
You can think of these rules as a bouncer at a club. The bouncer is instructed to let certain people in and keep out others who are dangerous or don’t have a ticket that allows them access.
These rules are called file permissions they’re set up to check if every visitor has the correct level of, well, permission to access what they requested. If they do, they’re let in and if not, they’re kept out and the latter is where a 403 error can appear.
For details on file permissions and how to set them properly to resolve the 403 error, check out one of our other posts Understanding File Permissions and Using Them to Secure Your Site.
3. Replacing Your .htaccess File
Sometimes your .htaccess file in the root of your site could be the cause of the error. The file could be corrupted or you could have some custom rules in there that have been set up to prevent granting access that maybe you forgot about or you had someone else place in there for you.
One of the ways you can determine if your .htaccess file is the root cause for the error is by deleting it from your site.
Log into cPanel or your favorite FTP client to locate your .htaccess file. Save a copy to your computer for safe keeping since it’s easier and faster to restore one file as opposed to your entire site.
After logging into cPanel, click on File Manager and locate your .htaccess file in the root of your site. Click on it once, then click the Download button toward the top of the page.
Save the file to your computer, then remove it by clicking the Delete button that’s right next to the Download button.
If you don’t see your .htaccess file on the list, it may be hidden. In the File Manager, click on Settings in the top, right corner and select the Show Hidden Files (dotfiles) checkbox. Click Save and you should now be able to see the .htaccess file listed.
For details on backing up and deleting your .htaccess file using FTP, check out our post How to Use FTP Properly with WordPress.
Check your site to see if you’re able to regain access to your site without encountering a 403 error. If it works, you can regenerate a fresh .htaccess file by logging into your admin dashboard and going to Settings > Permalinks, then clicking on Save Changes.
Alternatively, you can manually create your own .htaccess file. For the details, check out our post A Comprehensive Guide to Editing .htaccess for WordPress Security.
If you find that the error persists, you can restore the original .htaccess file you backed up via FTP or cPanel by clicking the Upload button to the left of the Download button in cPanel’s File Manager.
It’s also important to look over your .htaccess file and identify any rules that may be locking you out. You can find examples of rules to look for in our post A Comprehensive Guide to Editing .htaccess for WordPress Security.
Deleting problem rules and saving your changes to the copy on your site should fix the problem and if it doesn’t keep following along and try the steps below.
4. Deactivate Plugins and Themes
If all else fails, try deactivating all your plugins. You can do this via FTP or by going to the File Manager in cPanel.
In the wp-content folder, rename the plugins folder to something else. You can name it anything, but it helps to make it descriptive such as plugins-deactivated or something along those lines so you don’t forget what the folder is and why you renamed it.
Visit your site and check if the error is gone. If it is, then one of the plugins you have activated is causing the issue. You can rename the plugins folder to its original moniker and head to your admin dashboard.
Activate the each plugin one-by-one, checking in between activations to see if your site returns a 403 error. When you see it, the last plugin you last activated is causing the issue.
Contact the developer for a fix or find an alternative that doesn’t cause the error.
If that’s a no-go, try deactivating your themes. While this isn’t the likeliest of causes, many themes come packaged with plugins or require plugins to use certain features and these are likelier causes for the error.
In cPanel or via FTP, go to wp-content/themes/ and rename all of your theme folders in the same fashion as described for plugins above, except for a WordPress default theme.
If you don’t have a default theme installed, you can download it from the WordPress.org theme directory, uncompress the file, then upload it to your themes folder.
Check your site to see if the error is gone and if it is, one of the themes you installed was the culprit. You can rename the folders back to their original names.
Then, go to your admin dashboard and activate each theme one-by-one under Appearance > Themes > All Themes. In between activations, check to see if the error returns. When it does, it means the last theme you activated is causing the error.
Contact the developer for a fix or choose a different theme to use. If you are using a theme that came packaged with plugins, try deleting the theme as well as any plugins you may have installed to use the theme before choosing an alternative.
Maybe You Were Hacked?!
If the pesky 403 error can’t be subdued by now, a possible reason for this could be that your site was hacked and changes were made that result in the error.
This may be the case if you can’t access your site at all or you find that you have fixed the issue, but it keeps coming back mysteriously.
You can check out these other resources to help you determine if you were hacked as well as get details on how to clean up your site:
- Hacked? How to Get Back Into the WordPress Admin
- Help, I’ve Been Hacked! How to Troubleshoot and Fix a WordPress Site
- Getting Constantly Hacked? How to Stop WordPress Backdoor Exploits for Good
- Hacked? How to Clean Your Site and Get Off Google’s Blacklist
As a bonus, check out WordPress Security: The Ultimate 32-Step Checklist to get a free copy of a security checklist to give you pointers on how to secure your site and prevent another attack after everything has been cleaned up.
When you get the 403 error telling you that you’re not allowed to access to your own site, it’s beyond annoying, but these troubleshooting steps should help you find a resolution quickly so you can fix the problem.
If you’re still unable to solve the issue with these tips, ask our support team! We’re here to help with any of your WordPress issues and if you have a WPMU DEV membership, it’s free! If you don’t have one, you can get one for free as well.