You’re heading to your WordPress website as usual, but then you see a slightly sinister message:
“403 Forbidden – You don’t have permission to access / on this server.”
You can’t even access your WordPress dashboard. It’s locked out of your control.
Then, you realize if you can’t access your website, your customers probably can’t, either. You’re losing revenue by the second.
Breathe easy. Most of the time, the dreaded WordPress 403 Error code is fairly simple to fix.
And fortunately, Google has led you to the right place – below, we’ll teach you how to troubleshoot and solve the problem with an easy tutorial. If those don’t work, we’ll also show you how to get a professional developer’s help.
If time’s pressing, jump straight to our top 11 fixes and get your site back online.
What Is a 403 Forbidden Error?
The WordPress 403 Error appears when your website’s server forbids you from accessing a particular page or even an entire site.
It tells us the server is confused about who to restrict from accessing your content.
It’s an HTTP status code, a message delivered directly from your server to announce that while it understands your request, it refuses to grant access.
Error variations of the WordPress 403 Forbidden error
You might come across these 403 forbidden WordPress error variations:
- “Forbidden – You don’t have permission to access [directory] on this server.”
- “HTTP Error 403 – Forbidden”
- “403 Forbidden – Access to this resource on the server is denied.”
- “403 Access Denied”
- “Access to [domain] was denied. You don’t have authorization to view this page.”
- “You are not authorized to view this page.”
- “403 – Forbidden: Access is denied.”
- “403 Forbidden – nginx”
- “403 – Forbidden Error – You are not allowed to access this address.”
What Causes the 403 Forbidden Error on WordPress?
Typically, the Forbidden 403 WordPress error occurs when there’s a problem with your website’s permission settings.
Here’s a summary of the main culprits behind this irritating issue.
5 common causes of the WordPress 403 error
|Why am I getting a 403 forbidden error?||In brief|
|1. Your installed plugins are misconfigured||Badly coded or incompatible WordPress plugins can trigger permissions issues (such as security plugins blocking IP addresses)|
|2. Your .htaccess file is corrupted||.htaccess is an Apache file that instructs web servers, and when corrupted, can confuse permission requests|
|3. You have incorrect file permissions||Your file permissions are based on specific numeric values – if incorrect, they can make websites vulnerable|
|4. You need to adjust your server settings||Server features such as hotlink protection and PHP files can cause 403s if not configured properly or updated|
|5. Your site is infected with malware||Malware that corrupts .htaccess and other files can confuse servers|
11 Ways To Fix the WordPress 403 Error
Here’s how to fix that 403 Forbidden error and regain access to your website – but first, a few points to remember.
Before you get started…
Always back up your site and its data. Ideally, you should already be using automated website backups!
Once you’re backed up, prepare to log into your WordPress dashboard if you can still access it.
If you notice you can’t, you can either use the File Manager app in cPanel or an FTP client to make manual changes.
FTP refers to File Transfer Protocol, an alternative system for logging into your website.
We recommend this option, so before you start investigating the error, please install either FileZilla or SmartFTP on your preferred device and log into your site using the FTP details you can find via your website host.
Now, you’re ready to go!
We’ve arranged the following fixes in order of the most common and quickest solutions to those that require a little more assistance from technical support, e.g., WordPress experts or your web hosting provider’s customer care team.
However, if you’re worried about making any technical changes to your website, skip to step 11 and ask for help.
How to fix a 403 forbidden error: The best solutions
|Common fixes||In brief|
|Refresh your website|
|Clear your internet browser cache and cookies|
|Deactivate and reactivate plugins|
|Delete and restore the .htaccess file|
|Fixes to try next||In brief|
|Restore directory file permissions to their defaults|
|Restore a previous backup|
|Disconnect your VPN|
|Scan your site for malware|
|Technical fixes||In brief|
|Check your hotlink protection|
|Deactivate your CDN|
|Call in the cavalry||In brief|
|Find an expert who can help you|
These quick step-by-step instructions are worth following if you’d like to explore the error for yourself – plus, they fix most 403 errors.
1. Refresh your website
Believe it or not, simply refreshing the page you’re trying to access is known to “fix” this issue.
Try the same webpage or dashboard address in a different browser, too. So, if you’re using Google Chrome, try Mozilla Firefox.
Then, double-check the web address you typed in, as there could be a typo.
2. Clear your internet browser cache and cookies
Your browser cache stores data to load pages faster the next time you revisit websites, but it can sometimes cause errors when left to fill.
Emptying browser caches differs from program to program, but let’s assume you’re using Chrome for this step.
At the top right of your Chrome window, click the three dots, as shown here:
From the drop-down menu, hover over “More Tools”:
This brings out a new menu; here, select “Clear Browsing Data.”
The next window brings up a pop-up screen that asks you what data you’d like to delete:
From the “Time range” drop-down menu, select “All time.” Then, check the boxes opposite “Cookies and other site data” and “Cached images and files.”
Click “Clear data,” close your browser, and reopen it before re-entering your website address. If it loads without issue, you’ve fixed the 403.
Remember, your browser cache differs from your website cache, which stores your site data to help improve loading speeds.
3. Deactivate and reactivate plugins
The easiest way to check for defective plugins is by switching them on and off through the WordPress dashboard if you still have access.
Once logged in, head to “Plugins” from the side menu and select “Active” to filter out those you need to toggle.
Deactivate the first plugin in the list, then refresh your website. If there’s no change, go back to the plugins screen and deactivate the next plugin in the list, then refresh your website again.
Repeat this process, and if your website loads without a particular plugin active, you’ve identified what’s causing the problem. Keep the suspicious plugin deactivated and find a replacement.
In the meantime, you can reactivate all your other plugins and refresh your site. It should load as normal.
If you don’t have access to your WordPress dashboard, you need to deactivate and reactivate your plugins through FTP.
Load up your chosen software (e.g., FileZilla) and log in with your FTP details.
Once logged in, you need to select the folder marked “wp-content,” and then select the “plugins” folder. Rename this folder to something simple, such as “plugins_renamed.”
Renaming the folder deactivates all the plugins on your website, so go ahead and refresh it.
If your site loads as normal, you now need to manually switch each of your plugins on and off to find the specific culprit.
Back in your FTP, rename the plugins folder to “plugins” and open it.
Rename the first plugin in the list, and refresh your website. If the 403 error remains, go back and restore the old name.
Repeat this process until your website loads as usual, or proceed to step four.
4. Delete and restore the .htaccess file
Log into FTP and look for “.htaccess” in the root directory of your website – it should appear in the first list of files and folders visible.
Before deleting the file, always make sure to download a copy. Right-click the file and select “Download,” then choose where on your device or cloud storage you want to save it.
Then, right-click the file again and select “Delete.”
Reload your website – if it’s back up again, you now need to restore .htaccess.
Luckily, WordPress can do it for you, and you should have access to the dashboard again.
Log into your WordPress dashboard and head to the “Settings” option on your sidebar before selecting “Permalinks.”
On the permalinks webpage, head to the bottom of the page and click “Save Changes” to push WordPress to regenerate your .htaccess file.
Check that .htaccess is back live by refreshing your RTP software and looking in the root folder.
If you try any further steps to fix the 403, remember to regenerate your .htaccess file once you’re back online.
Fixes to try next
If the simple solutions didn’t work, follow these next steps if you’re confident enough to try more complex fixes on your own.
5. Restore directory file permissions to their defaults
Start by logging into your FTP and head to the “public_html” folder, right-click it, and select “File Attributes.”
Then, a new “Change file attributes” window pops up.
In this window, you change file permissions based on three-digit codes, which your server uses to decide the level of access it grants for “Read,” “Write,” and “Execute” commands.
You don’t need to change the three commands themselves, but you do need to set a three-digit number WordPress recommends for your server to allow access to visitors.
WordPress’s Codex recommends setting either 640 or 644 as the code for file permissions and 750 or 755 for directories. Here’s how to do that:
In the Numeric value box, enter either “750” or “755.” Then, check the box for “Recurse into subdirectories” and select the bullet marked “Apply to directories only.” Click “OK.”
Then, right-click the public folder again and select “File attributes” to bring up the window you just closed.
This time, enter either “640” or “644” in the “Numeric value” box and check “Recurse into subdirectories.” This time, you need to select the bullet marked “Apply to files only,” like so:
Finally, you need to manually change the attributes for wp-config.php. You can find this in your root directory.
Right-click wp-config.php and select “File permissions,” then enter “440” in the “Numeric value” box, and click “OK.”
Refresh your website to see if the 403 error has disappeared.
6. Restore a previous backup
Backing up your website means you roll it back to when it last worked without errors.
Remember, however, that rolling back your site still leaves it vulnerable to the same error in the future.
How you roll back your site depends on your backup provider. For instance, when using UpdraftPlus, you can find older versions of your site through your “Settings” and “UpdraftPlus Backups” options on your WordPress dashboard’s side menu:
For example, this window gives you options to restore previous versions of your site. Select the version saved most recently before the 403 error appeared, but only do so knowing that you might lose data from the period after your last backup.
Once restored, refresh your site. If it’s back online, keep this guide handy if the problem occurs again.
Sometimes, you can also restore backups by logging into your host’s dashboard or user account panel. Follow their process to find the last point saved before the error and restore it.
7. Disconnect your VPN
While this is a relatively easy check, it’s not the most common cause of 403 errors.
That said, your website’s permissions might block specific countries and IP ranges. Therefore, it’s worth checking if you have a VPN session active.
If you use a VPN program:
- Log in as usual
- Check for any active sessions and log them out
- Close the program
- Refresh your browser
If the 403 error disappears, your server is blocking the IP address of your most recent VPN server.
For the absence of doubt and to ensure everyone can access your website, head back to step five and restore file permissions when you can access your dashboard.
8. Scan your site for malware
There’s a chance your .htaccess file is corrupted by malware. So, if you can access WordPress and have a malware scanner installed as a plugin, head to the “Plugins” section of your side menu, and select the software you’d like to use, then run a scan.
If you don’t have access to the dashboard, try using an external malware checker. You could use Sucuri SiteCheck, for instance.
This software finds malware affecting websites at the browser level, however, meaning it doesn’t always suss out deeper issues.
In any case, if you find malware and don’t have access to a plugin that can remove it, it’s wise to speak to your host or a WordPress expert.
Technical fixes (best supported by a professional)
We don’t advise following these processes on your own unless you’re a professional. Contact your web host or an expert in WordPress maintenance to support you.
9. Check your hotlink protection
Hotlink protection is an optional feature you can set up to prevent people from linking back to your images and other media. It prevents them from stealing your bandwidth!
However, there’s a chance your hotlink protector is causing your 403 errors, particularly when configured incorrectly.
If you’ve tried steps one through eight and use hotlink protection, contact a developer who can get to the bottom of the problem.
10. Deactivate your CDN
Your CDN is your content delivery network. It’s a chain of servers that stores and delivers content to devices worldwide at optimum speed.
The best course of action to take if you’ve come this far is to consider switching your CDN off while you investigate the issue further.
However, this isn’t a quick or easy fix on your side. Some web hosts have their own dashboards you can use to toggle CDNs on and off. However, we recommend you work with your host or external support staff if your CDN is causing the 403 error.
Call in the cavalry
Here’s what to do if you’ve exhausted all the steps so far.
11. Find a WordPress expert who can help you
Some of the steps above ideally require you to contact your web host, who should have a few ways for you to reach out.
Let’s use Hostinger as an example. Log into their “Members Area” and click the question mark “help” icon in the top-right:
You can then either use the host’s Help Center, ask questions to find support shortcuts, or chat with the Personal Assistant:
You can ask the AI advisor questions regarding the 403 error and request human support.
Include as much information as possible, including the error message, what you’ve tried to fix the problem, and if you use anything other than WordPress to build and maintain your site.
Alternatively, StateWP’s site management app, Proto, helps you reach experts without needing to wade through help center topics and chatbots.
Proto helps you manage your WordPress site from a single location, meaning you can check site vitals and bugs and raise service requests should problems arise.
For example, if you see the 403 error, log into your Proto account and head down to “Service Requests” in your side menu.
Click “Submit a Request” and share as much information about your error as possible with the team.
From here, you can track the progress of your request in the app. StateWP aims to reverse errors within a day of receiving requests. It’s the quickest and easiest way to get your website back in business.
Banish The WordPress 403 Error and Get Back Online
The WordPress 403 error might be a common sight for some site owners, but that doesn’t make it any less irritating.
It’s all to do with permissions. Your website’s server thinks someone’s trying to access your content without the proper authority. It’s trying to help you. It’s just a little confused.
Thankfully, it’s often easy enough to fix this error by checking your plugins, your .htaccess file, or simply refreshing your browser.
However, if you continue to struggle to get your WordPress site back up and running, or you’re worried about making a mistake, make sure you have experts you can contact in a tight spot.
Proto from StateWP lets you raise flags as soon as problems arise, and you’re typically back up and running again within a day, if not sooner.
If we’ve helped you fix a WordPress 403 forbidden error and you’re back online, great! Now prepare yourself for future issues by learning more about updating your plugins manually.
If nothing else, let this brush with the 403 inspire you to create your own website maintenance checklist and stick to it.