How to Fix a 403 Forbidden Error on Your Site

Are you encountering the frustrating “403 Forbidden” error on your website? This cryptic message can be a roadblock for both website owners and visitors when browsing a website.

The 403 Forbidden error message means that access to a requested resource has been denied – but it doesn’t provide any information on how to fix it.

In this comprehensive guide, we’ll discuss the 403 Forbidden error, explain its meaning, why it happens, and (most importantly) how to resolve a 403 Forbidden error.

We’ll discuss common causes, from pesky .htaccess file issues to plugin conflicts in WordPress, and provide steps to troubleshoot and fix each issue.

Whether you’re a seasoned developer or a website owner with limited technical experience, this guide will give you the knowledge to fix your site’s 403 errors.

Let’s get started!

403 Forbidden Error: What Does It Mean?

The 403 Forbidden error is an HTTP status code a web server returns when serving a web request. It indicates that a client’s request has been received and understood, but the server refuses to authorize the request.

This is a server-side error that signals an explicit denial of access. It is not a client-side issue, as the server determines the client’s identity (or lack thereof) and has concluded that the client does not have the necessary resource access privileges.

This differs from a 401 Unauthorized error, which signifies that valid authentication is required before granting access. A 403 signifies that access is explicitly denied, even if authentication is successful or not required.

The 401 error code is usually used to enforce a security policy. This ensures that only authorized users or processes can access sensitive or restricted content while preventing access to resources that are not meant to be publicly available.

Tip: We recommend checking out the httpstat.us website to explore different HTTP errors firsthand.  

Fixing Common Causes of a 403 Forbidden Error

Many are six main causes of an HTTP 403 forbidden access error on a website. Let’s examine each one and see how to resolve it.

#1 – Browser Settings

Sometimes, a 403 Forbidden error isn’t directly related to file permissions or server settings but to issues with how your browser identifies you to the website. Websites often use authentication credentials, like usernames and passwords, or browser cookies to remember your login status and preferences. The server might interpret your request as unauthorized if these credentials or cookies are corrupted, outdated, or mismatched.

If your browser has stored corrupted or outdated login info, or a site has recently changed how it handles logins, you might see a 403 error.

In these cases, a simple fix is to clear your browser’s cache and cookies, then try logging in again with your most recent username and password. If you still have issues, check that you don’t have any browser extensions that might be interfering with this process.

#2 – Poorly Configured .htaccess File

One of the most common reasons for encountering a 403 error lies within a special file called .htaccess. This file is typically used on Apache web servers, a popular choice for hosting websites. The .htaccess file acts like a rulebook for your website, controlling how visitors access different parts of it. It can manage things such as redirects, password protection, and access permissions.

If your .htaccess file becomes corrupt or wrongly configured, it can mistakenly block access even to visitors who should see your content, triggering a 403 error. If you suspect that the .htaccess file is causing an issue, the first step is usually to simply rename or remove it, which temporarily disables its rules.

You can find your .htaccess file in the public_html directory or your website’s root folder. You can often locate it using an FTP client, which lets you access your website files on the server. If the 403 error disappears, you’ve pinpointed the problem. You can now add the correct configuration to your .htaccess file.

#3 – CDN and VPN Issues

CDNs and VPNs manipulate web traffic, and if they are not configured properly, they can inadvertently trigger a 403 Forbidden error. For instance, CDNs can sometimes have overly strict hotlink protection rules. This can block users from accessing your site or specific resources if they appear to be coming from an unauthorized domain.

VPNs can change your IP address, which can sometimes cause issues with website access, especially if the website has implemented strict security measures or location-based restrictions, triggering a 403 error.

Additionally, misconfigured DNS records, particularly your A records, can cause issues if your domain name doesn’t properly point to the correct server when using a CDN. This could confuse the server and ultimately trigger a 403, because the system won’t be able to resolve the domain to a resource and will then give you an error response.

Troubleshooting Steps:

• Temporarily disable your VPN: This helps determine if your VPN’s IP address is the root cause.
• Temporarily disable your CDN services: This will help you bypass any CDN security measures and allow you to access the source website directly.
• Clear your browser cache and cookies: Outdated cached data can sometimes interfere with your login process.
• Review your DNS records: Specifically check your A records to ensure your domain correctly points to your server or CDN provider’s server.

#4 – File and Directory Permissions

One of the most common reasons why you might encounter a 403 Forbidden error is due to incorrect file permissions and directory permissions on your server.

Every file and folder on a server has a set of permissions that determine who can access them, what they can do with them (read, write, execute), and if the web server can access them. If these permissions are not set correctly, the web server might be blocked from accessing the necessary resources, leading to a 403 error.

In the following example, you can see that all the files and directories have their own permissions:

Every file and directory has an owner in addition to permissions. This is known as file ownership, which defines which user account is associated with and manages these files. The web server needs to have the appropriate permissions on these files and the right user ownership. If these are wrong, the web server will be unable to access the files needed for a webpage to work.

To view and reset file permissions, you can use an FTP/SFTP client, such as FileZilla, or a file manager application within your hosting account’s control panel. This client allows you to connect to your server and see the permissions of individual files and directories.

Files often have a 644 permission code, while directories typically have 755. These numbers represent different owner, group, and public user access levels. If you want to learn more about this topic, you can refer to this excellent resource by Patchstack, which explains how WordPress file permissions work.

To change file permissions, you can use the chmod command in a Linux environment, which you can access via your server’s command line. However, if you are using RunCloud, you can resolve file access issues with the click of a button. Simply navigate to the Tools section of your web application dashboard in RunCloud and click Fix Ownership to resolve file permission errors.

Additionally, you can use the RunCloud File Manager to edit and configure the file permissions for each file and directory individually. To do this, select the file you want to modify, click on the Change Permissions button, and then click on checkboxes to grant/revoke specific permissions.

#5 – Hotlink Protection Misconfiguration

Websites sometimes directly link to content on other websites without permission. Hotlink protection is a security measure designed to prevent other websites from directly linking to and using your site’s resources, such as images, videos, and other files. The idea is to protect your web server resources and prevent other websites from leeching your bandwidth.

When done correctly, hotlink protection ensures that these assets are only used on your own site or authorized domains. However, if hotlink protection is set up incorrectly, it can lead to a 403 Forbidden error even for users trying to access your site. This misconfiguration is often caused by overly restrictive settings, misconfigured rules, or improperly formatted entries within the setup.

Here’s how to check and correct your hotlink protection settings if you suspect they’re causing 403 errors:

• Review your .htaccess code for hotlink protection rules: Access your server’s public_html or root directory and find your .htaccess file. Open the file using a text editor and look for any rules related to hotlinking (look for phrases such as “RewriteCond” or “RewriteRule”). These rules usually have the conditions and actions to take when a hot-linked image is detected. Review these rules and check for any syntax errors.
• Check your Cloudflare security settings or your CDN provider settings: If you use a CDN, such as Cloudflare, look for the hotlink protection settings within their security dashboards. Ensure that the domains that need access are correctly whitelisted and that your settings are not too restrictive.
• Ensure only valid IP addresses are allowed access: Confirm that any IP whitelisting rules are valid and up-to-date. Ensure you are not using a blacklist of IP addresses that your regular users are now using.
• Ensure your domain name is whitelisted: In addition to IP addresses, your domain name needs to be whitelisted and added to the allowed list in your .htaccess configuration, CDN security settings, and firewall. Review and update your settings to include all the domain names where you will link to these assets.

While performing these actions, you should be careful, as a slight misconfiguration can lead to site-wide problems and even leave your server vulnerable to attacks. If you want a simpler and painless way to disable hotlinking and enable CORS requests on your server, then you should use RunCloud.

#6 – WordPress Plugin Conflicts

One of the common causes of a 403 Forbidden error, particularly on WordPress websites, is plugin incompatibilities.

Sometimes, a plugin might have incorrect permissions, conflict with other security plugins, or have misconfigured settings, which can lead to the server refusing to serve a resource. When this occurs, the server can inadvertently block access to your site, resulting in a 403 error that can make it difficult to access your website. Occasionally, the problem isn’t a conflict but a badly coded plugin simply causing problems.

To troubleshoot a plugin-related 403 error, you’ll need to temporarily deactivate all your plugins. You must now use a trial-and-error method by re-activating each of your plugins one by one, refreshing your page after each activation. If the 403 returns, you’ve found the plugin causing the error. Once you find the problematic plugin, you can update or remove it.

Conclusion

In this guide, we have explained how to identify, troubleshoot, and fix HTTP 403 issues. By carefully checking each potential cause discussed in this post, you can significantly reduce the occurrence of 403 errors and ensure a smoother experience for your website’s visitors.

While tackling these errors directly is possible, managing servers and applications manually can be time-consuming and complex.

If you’re looking for a simpler and more efficient way to manage your cloud infrastructure, look no further than RunCloud.

With RunCloud, you can easily deploy, manage, and scale your applications, leaving you free to focus on your business, not the nitty-gritty details of server management. RunCloud’s intuitive interface streamlines server administration, making common tasks like file management, permission setting, and application deployment easy.

Ready to make cloud management easier? Sign up for RunCloud today and experience the difference firsthand.

FAQs on the HTTP 403 Error