What is the 403 Forbidden Error, and how to fix it?
You may encounter the 403 Forbidden error when visiting any website. This standard error appears in different ways and for other reasons. Accordingly, it can also be fixed in different ways. We will tell you how to fix it as the site administrator and visitor.
What is the 403 Forbidden error?
The 403 Forbidden error is an HTTP status code and one of the standard server responses to a browser request. These can be 404 Not Found, 500 Internal Server Error, 504 Gateway Timeout, and other codes. The server sends one of these codes every time you type a site address in your browser or follow a link. There can be a code even if there is no error and the page is loaded typically. The 403 Forbidden HTTP code means that the visitor does not have enough permissions to view the content.
What may the 403 Forbidden error look like?
The design and text of a standard page with errors differ depending on the web server or the site’s framework. A standard page with the error can also be created in the general site design and have any text on it, not always “403“, “Forbidden,” “403 Forbidden“, or “Error 403“.
- Forbidden;
- 403. That’s an error;
- Error: Access Denied;
- 403 Forbidden – nginx;
- 403 Sorry! Access denied;
- Access forbidden! Error 403;
- HTTP Error 403 – Forbidden, etc.
Why does the 403 Forbidden error occur?
As we have already figured out, the 403 error means that access to content is denied. This often happens for the following reasons:
- Wrong permissions are set for folders and files;
- An invalid user or group is set for folders and files;
- Access is denied in the configuration file of the web server;
- Site files are not uploaded to the root folder on the hosting server;
- The name of the index file is specified incorrectly in the settings;
- A plugin or extension causes the error.
How to fix the 403 Forbidden error as the site administrator?
Suppose the site administrator has restricted access to the site. In this case, you can try to access the site via VPN or proxy, but this can help if the pass is explicitly blocked for your IP address. Access is often blocked for all IP addresses and allowed only for certain ones, such as an office VPN or a dedicated home IP. This is a simple and effective way to protect your site control panel from hacking.
If you’re sure there shouldn’t be an error, then something is probably broken on the hosting where the site is stored. You need access to it to fix the problem. Here’s what you can check on it.
Check the permissions of folders and files
Each folder and file on the hosting has permissions determining who and what they can do with them. There are only three of them:
- Read: you can view the contents of a file or folder;
- Edit: you can make changes to a file and create or delete files in a folder;
- Execute: you can run scripts or execute commands in a folder.
There are three categories of users with permissions:
- Owner: usually the user who created the file, but another user can also be an owner;
- Group: users who are on the list of trusted users for the owner of the file or folder (they have special permissions);
- Other: all other users, such as site visitors.
A three-digit number denotes permissions. Each digit represents the permissions for a particular category of users. There are the standard permissions everything works with:
- Folders — 755 or 750;
- Files — 644 or 640.
The wp-config.php file on WordPress sites is the exception. Its permissions are either 440 or 400.
Check the folder owner
An incorrect owner of files or folders is another popular cause of the 403 error. The permissions on the hosting may be correct, but the file or folder may be owned by another user whose trusted user group does not include the web server. Due to this, the web server may be subject to other users’ permissions, which may be insufficient.
VPS users may encounter this problem because it does not occur on shared hosting. You can assign the web server as the owner of the files and folders to fix the problem. You need to connect to the server via SSH at the command line and use the following command: chown user: groupname/path/to/file.
You need to specify the user name under which the web server is running processes as user and group. This can be apache or httpd, depending on the distribution.
Check the .htaccess file
.htaccess is a file with commands for the Apache web server. It should execute these commands each time it processes a request to all or some specific pages of the site. It can be used to set up a redirect, change web server limits, and even prohibit access to certain pages of the site based on different parameters.
An error may cause the 403 error during command creation, a conflict of several commands, or several .htaccess files. The error can also be caused by special prohibiting commands with the “Deny from …“, “Require IP …“, “R=403“, or “RedirectMatch 403” words.
If you’ve changed something in .htaccess recently, you’ll probably quickly find the command causing the error. If not, the command appeared there after the plugin was installed, or it may have been there before, but this is the first time you have made a request triggering the command. To find out if the .htaccess file causes the error, you need to rename this file. The commands in the file will stop working. If the 403 error disappears, the problem is in one of the directives. Then you will have to search for the needed file manually.
Check the index file in the root folder of the site
Every page has an index file. It is loaded every time someone accesses the page in a browser. Its name is written in the configuration file of the web server. If there is no index file with the name specified in the settings, the web server will try to display the contents of the folder where the files of the page are located. This is often forbidden in the default web server settings, so the 403 error is usual in such situations.
Check if your web server configuration file has the correct index file name. Suppose you only have index.html, but the file is called index.php. Then just add the valid extension to the directive.
On the Apache web server, the configuration files where virtual hosts are usually stored are in the following locations:
- The main httpd.conf configuration file is in /etc/httpd/conf/ or apache.conf is in /etc/apache2/conf/ (depending on the distribution);
- Additional configuration files are in /etc/httpd/conf.d/, /etc/apache2/conf.d/, /etc/apache2/sites-available/, or /etc/apache2/sites-enabled/.
The Nginx web server has configuration files where the virtual hosts are usually stored:
- The main nginx.conf configuration file is in /etc/nginx/;
- Additional configuration files are in /etc/nginx/conf.d/, /etc/nginx/sites-available/, or /etc/nginx/sites-enabled/.
Configuration files can also be stored in other folders if you manage the server with a control panel. For example, /usr/local/apps/apache for Webuzo or /home/user/conf/ for Plesk.
Check ModSecurity settings
ModSecurity is a firewall protecting your site from external threats. It blocks requests with 403 Forbidden HTTP code if it considers them malicious. Sometimes this firewall works when it shouldn’t. For example, a visitor of the site just fills out a form and clicks “Submit,” but Security recognizes it as SQL injection, blocks the action, and shows the 403 error.
It would be best if you disabled the rule, but this can only be done on a VPS or a dedicated server. The provider sets a firewall on shared hosting, and ordinary users do not have access to it. In this case, contact your ISP’s support and ask to disable a specific rule for your website. You can check the logs to see if the error is related to the firewall. They can be found on VPS or a dedicated server in the following paths:
- For Apache: /usr/local/apache/logs/modsec_audit.log;
- For Nginx: /var/log/modsec_audit.log.
These logs are not available on shared hosting. In this case, contact your hosting provider, explain the situation, and ask to check the logs.
Disable plugins
If the previous tips did not help and you have the site on a CMS, try to check plugins. They may be called modules, add-ons, or extensions in different CMSs. Any plugin is someone else’s code you add to your site. There may be a bug causing the error in the code, or several plugins may conflict with each other.
You can disable all plugins on the site to check if a plugin causes the 403 error. This can be done in the file manager in the hosting control panel. Find the “Files” block on the panel’s main page and go to the “File Manager.”
Find the root folder of the site, go to the wp-content folder and rename the plugins folder, for example, to plugins-old. This will disable all plugins. The root folder is usually called public_html for the primary domain.
If the 403 error disappeared after that, rename the plugins folder, open it, and rename the folder with each plugin one by one until you find the plugin that causes the error.
How to fix the error as the user?
A visitor may cause a problem to the site. The user may fix the 403 forbidden server error as follows:
- Check if the URL is correct. A simple typo may be the cause;
- Refresh the page using the Ctrl + F5 key combination. This action is a universal first aid for any problems with the display of the site in the browser. Some incorrect data may be cached, and pressing Ctrl + F5 helps you ignore the browser cache and load the page from the site. You can also clear the cache;
- Clear cookies. Cookies can store outdated authorization data the server does not accept and responds with the error;
- Log in to the site. The folder or file you want to open may be accessible only to authorized users so you see the 403 forbidden error:
- Try logging in through a VPN. Your IP may be blocked on the site for some reason. All visits from your country or region may also be stopped. Try to access the site with an IP address from another country;
- Check from a different device. If you also see the 403 error code when trying to access this page on another computer, the problem is most likely related to the site. Contact the owner of the site;
- Turn off traffic savings if the error 403 only appears on your mobile device. This feature may prevent the site from getting the data it needs to provide access, such as your location;
- Wait and try again later. Sometimes the site has just “moved” to another hosting, and the DNS settings haven’t had time to update;
- Contact your provider. The error may be related to incorrect configuration of their equipment, entering the site on a blacklist, or compliance with prohibitive directives of government agencies.
Cookie and cache problems are the most common causes of this error.
The 403 error indicates a problem with access rights to content, and some cookies are just used to re-authorize the site. For example, browsers remember that you have already logged into your account on some sites due to cookies. The 403 error may occur because something has changed on the server and no longer accepts the old cookies. You can try to access the site in another browser. If it worked, then the problem is related to the browser.
If some of the previous tips helped, but you don’t see the changes, then the page with the error is in the cache. As a rule, such pages are not cached, but different sites have different settings, so it is better to clear the cache.