How to Fix the 403 Forbidden Error in WordPress
The 403 Forbidden error means your web server understood your request but is refusing to fulfil it — you do not have permission to access the requested page or resource. In WordPress, the most common causes are incorrect file permissions, a corrupted .htaccess file, a security plugin blocking access, or your hosting provider’s ModSecurity rules flagging a legitimate request as suspicious. Most cases can be resolved in under 15 minutes.
The 403 error can appear across your entire site, on specific pages only, when trying to access the WordPress admin, or only when performing certain actions like uploading images or saving posts. Where and when it appears is the biggest clue to diagnosing the cause.
What Causes the 403 Forbidden Error in WordPress?
Incorrect file permissions. WordPress files and directories have specific permission requirements. If permissions are set too restrictively, the server cannot read the files needed to display your pages. If they are set too loosely (like 777), some hosting providers will block access as a security precaution.
Corrupted .htaccess file. The .htaccess file controls access rules for your WordPress site on Apache servers. A malformed rule, a plugin that wrote bad directives, or a failed update can corrupt this file and trigger 403 errors across your entire site.
Security plugin blocking access. Security plugins like Wordfence, Sucuri, iThemes Security, or All In One WP Security can block your IP address, restrict access to wp-admin, or block specific actions based on their security rules. If you recently installed or updated a security plugin, this is a likely cause.
Hosting-level ModSecurity rules. Many hosting providers run ModSecurity — a web application firewall that blocks requests matching known attack patterns. Unfortunately, legitimate WordPress actions sometimes trigger these rules, especially when saving posts with code snippets, uploading certain file types, or using plugins that make unusual server requests.
Empty or missing index file. If a directory on your server does not have an index.php or index.html file, and your hosting configuration does not allow directory browsing, accessing that directory returns a 403 error.
IP address blocked. Your IP may have been blocked by your hosting provider’s firewall due to too many failed login attempts, suspicious activity from your IP range, or a shared IP that another user on your network abused.
Step 1: Check File Permissions
Incorrect file permissions are the most common cause of 403 errors in WordPress. Connect to your site via FTP or your hosting file manager and check the permissions on your WordPress directories and files.
The correct permissions for WordPress are all directories should be set to 755 (owner: read/write/execute, group: read/execute, others: read/execute), all files should be set to 644 (owner: read/write, group: read, others: read), and wp-config.php should be set to 600 or 640 for added security.
If any directories are set to 777, change them to 755 — many hosting providers block access to 777 directories as a security measure. If files are set to 600 or lower (except wp-config.php), the web server cannot read them, causing 403 errors.
To fix permissions in bulk, if you have SSH access, you can run these commands from your WordPress root directory:
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
Read our complete guide to WordPress file permissions for a thorough explanation of what each permission level means and why it matters.
Step 2: Reset the .htaccess File
If the 403 error affects your entire site or appears when accessing specific URL patterns, a corrupted .htaccess file is the likely cause.
Via FTP or your hosting file manager, navigate to your WordPress root directory. Rename .htaccess to .htaccess-backup. Reload your site. If the 403 error is gone, the .htaccess file was the problem.
Log in to your WordPress admin and go to Settings → Permalinks. Click “Save Changes” — this regenerates a clean .htaccess file with the default WordPress rewrite rules. If you had custom rules (redirects, security directives, caching rules), add them back one section at a time, testing after each, to identify which rule causes the 403 error.
Step 3: Check Security Plugin Settings
If you recently installed, updated, or reconfigured a security plugin, it may be blocking your access. Common scenarios include your IP address being added to the plugin’s blocklist after failed login attempts, the plugin restricting wp-admin access to specific IP addresses that do not include yours, country-blocking rules preventing access from your location, and the plugin’s firewall rules being too aggressive for your site’s needs.
If you cannot access wp-admin because the security plugin is blocking you, deactivate the plugin via FTP. Rename its folder in /wp-content/plugins/ — for example, rename wordfence to wordfence-disabled. This deactivates the plugin without deleting it. Reload your site. If the 403 error is gone, the security plugin was the cause.
Reactivate the plugin and adjust its settings to prevent the false positive. Check the plugin’s activity log to see exactly what rule was triggered and why. For Wordfence specifically, check the “Blocking” section and “Firewall” → “All Firewall Options” for overly restrictive rules.
Step 4: Check for ModSecurity Blocks
If the 403 error appears only when performing specific actions — saving a post, uploading a file, submitting a form, or using a specific plugin feature — your hosting provider’s ModSecurity rules are likely blocking the request.
ModSecurity examines HTTP requests for patterns that match known attack signatures. Unfortunately, legitimate WordPress actions sometimes match these patterns — especially when posts contain code snippets, when plugins send requests with unusual headers, or when form submissions contain characters that resemble SQL injection attempts.
How to confirm: Check your hosting provider’s error log (usually available in cPanel under “Error Log” or in the server logs section). Look for entries mentioning “ModSecurity” or “mod_security” — these will include the specific rule ID that was triggered.
How to fix: Contact your hosting provider’s support team with the ModSecurity rule ID and explain that it is blocking a legitimate WordPress action. They can either whitelist the specific rule for your site or adjust the ruleset. Some hosting control panels allow you to disable specific ModSecurity rules yourself, but this should be done carefully — these rules exist for security reasons.
Step 5: Verify Your IP Is Not Blocked
If the 403 error affects only you (others can access the site fine), your IP address may be blocked at the server or hosting level.
Check if you can access your site from a different network — try mobile data instead of WiFi, or use a VPN. If the site loads from a different IP, your original IP is blocked.
Common causes include too many failed login attempts triggering an automated IP ban, your hosting provider’s brute force protection blocking your IP range, and a security plugin adding your IP to its blocklist. Contact your hosting provider to check if your IP is on their firewall’s blocklist. If using a security plugin, check its IP blocklist settings after deactivating it via FTP.
Step 6: Check for an Empty Index File
If the 403 error occurs when accessing a specific directory (like /wp-content/uploads/), the directory may lack an index file. Most WordPress directories contain an empty index.php file with the comment “Silence is golden” — this prevents directory browsing and avoids 403 errors on servers configured to deny directory listings.
If the index.php file is missing from the affected directory, create a blank file named index.php containing only <?php // Silence is golden. and upload it to the directory.
Step 7: Contact Your Hosting Provider
If none of the above steps resolve the 403 error, the issue is likely at the server or hosting infrastructure level. Contact your hosting provider with the exact URL that triggers the error, when the error started, what you were doing when it first appeared, and what troubleshooting steps you have already taken. Common hosting-level causes include server firewall rules, WAF (Web Application Firewall) blocking, suspended hosting account (often due to unpaid invoices or policy violations), and server configuration changes by the host.
How to Prevent 403 Errors
Maintain correct file permissions. After any migration, plugin installation, or server change, verify your WordPress file permissions are set correctly (755 for directories, 644 for files).
Keep .htaccess clean. Avoid manually editing .htaccess unless you know what you are doing. Use plugins to manage redirects and security rules rather than editing the file directly.
Configure security plugins carefully. When setting up a security plugin, test each security rule individually. Do not enable aggressive settings like country blocking or strict IP whitelisting without understanding the implications.
Use professional maintenance. Our maintenance service monitors your site 24/7 and catches 403 errors immediately. Our team resolves them as part of your care plan — no per-incident charges, no troubleshooting on your own.
Frequently Asked Questions
The 403 error only happens when I try to upload images. Why?
This is almost always a ModSecurity rule being triggered by the upload request, or incorrect permissions on the /wp-content/uploads/ directory. Check that the uploads directory is set to 755. If permissions are correct, check your hosting error logs for ModSecurity blocks and contact your host to whitelist the triggered rule.
I see a 403 error when trying to save a blog post. What is causing this?
ModSecurity frequently blocks post-save requests when the post content contains code snippets, HTML, JavaScript, or other content that matches attack patterns. Your hosting provider can whitelist the specific ModSecurity rule that is being triggered.
Can a 403 error be caused by WordPress itself?
WordPress core does not typically generate 403 errors. The error comes from the web server (Apache or Nginx) or a security layer between the visitor and WordPress. However, WordPress plugins — particularly security plugins — can instruct the server to return 403 responses for blocked requests.
Will a 403 error affect my search rankings?
If Googlebot encounters 403 errors when trying to crawl your pages, it will stop indexing those pages. Persistent 403 errors will cause affected pages to drop from Google’s index over time. Check Google Search Console for crawl errors to see if Googlebot is encountering 403 responses.
Need Expert Help? Let WP Ministry Handle It
Server permission issues, .htaccess corruption, and ModSecurity conflicts can be tricky to diagnose without experience. If you are not comfortable with FTP access and file permission management, our 24/7 team can resolve 403 errors quickly and prevent them from recurring.
Call (901) 249-0909 for immediate assistance, or submit an emergency ticket. One-time fixes start at $199. Or choose a care plan starting at $35/month for ongoing monitoring, maintenance, and expert support.
Related Articles
How to Fix WordPress 500 Internal Server Error (2026 Guide)