While running your website you may come across the 403 Forbidden error message. This message means that there is something set up which is preventing you from accessing a certain portion of the site. This could be file permissions on the page, a .htaccess rule that blocks access or password protection for certain directories. Here you can find a few ways that you may be able to correct the 403 Forbidden issue.
Security Plugins
One thing that can cause you to run into this is rules within your .htaccess file that deny access to different sections of your site. Typically, these rules are going to be put into place by security plugins that you may have installed. The first place to look when you come across this error is your security plugin whether that is iThemes Security or another plugin that you are using. If you aren't sure what section of the plugin would handle this, you can easily test by simply disabling the security plugin and then trying to access the section of the site that previously was not working. If you are able to access it then you will want to begin looking through your security plugin documentation for what could be causing the issue.
File/Folder Permissions
Another of the most common causes of the 403 Forbidden error is incorrect file or folder permissions. Typically, with a website, you want all files and folders to be set with certain permissions. These are 775 for folders and 664 for files. Now there are some files and other extenuating circumstances that can result in those needing to be different, but if you want your files or folder to be viewed via a web browser you're typically going to need those permissions. We have a very in-depth file permission article that you can read and learn how to check and correct those.
Deny orders in .htaccess
There are sections of code that can be added to your .htaccess file which will allow you to prevent access to different parts of your website based on certain parameters. Many security plugins make use of this so before you begin to look into this part of things, it is highly recommended that any security plugins you are using be tested and ruled out as the culprit first. Once you've done that and if you are still having issues, then it is recommended to disable the security plugin while you review the .htaccess file for these Deny orders. You can follow the instructions below for attempting to clear out these rules:
- Disable all of your security plugins
- Access your site via SFTP.
- Navigate to the /web/content folder and download the .htaccess file (You may need to navigate to the specific folder where you are getting the error and check for a .htaccess file there as well)
- Open the .htaccess file in your favorite text editor
- Look through this file for any code that looks like this:
order deny,allow
Now, it is important to note that the rules listed above are just examples and can be different from what you see. You may not even see an order deny, allow or order allow, deny or other portions of this. The main thing that you will be looking for though is Deny from ... The Deny from portion is what is going to block access to the site or page you are looking for.
Deny from All
Allow from 123.123.123.123 - If you find a section with a Deny from rule, you will want to comment it out in order to test if that was the issue. You can comment out a line in the .htaccess file by adding a # in front of the line so if we use the example above it would look like this:
order deny,allow
#Deny from All
Allow from 123.123.123.123 - Once you comment out the line and find no others within the .htaccess file you can go ahead and upload this back to the directory you got it from
- After the file .htaccess file has been uploaded you will then want to test the site and see if you are still receiving the 403 error.
Password Protection
You could also be seeing this if you are currently attempting to use password protected directories. If you are aware of the use of password protected directories, the first step is to ensure that you are using the proper username and password to access it. If you are using what you believe to be the correct credentials, then you will want to remove content that you added in the instructions provided for setting up the password protected directories and trying again if you still wish to use them.