The easiest way to determine the cause of a 403 error is to use the 'tail' command to tail the Apache error log while replicating the 403 error in your browser by refreshing the page you see the 403 error on:
-bash-4.2# tail -fn0 /etc/apache2/logs/error_log
[Wed May 20 00:45:52.779769 2020] [core:crit] [pid 4292] (13)Permission denied: [client 10.3.17.102:57708] AH00529: /home/user/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/error/public_html/' is executable
Permissions & Ownership: The above error indicates an issue with accessing the .htaccess file. When checking files, that Apache reports a permission issue with, we need to ensure they have correct permissions (644 for most files, 755 for most directories) and have the proper ownership (user:user).
Htacess: One other common item that causes 403 errors is .htaccess rules such as 'Options -Indexes' or 'deny from' rules:
-bash-4.2# cat .htaccess
Options -Indexes
deny from all
The 'Options -Indexes' rule prevents a directory from being loaded if there is no 'index' file present, such as an index.php or index.html. The 'deny from' rule will deny access to the website to specific IP addresses, IP ranges, or all depending on the .htaccess rule that is used. When an .htaccess rule is causing a 403 page, the Apache error log will generally resemble this:
[Wed May 20 00:55:52.778579 2020] [access_compat:error] [pid 4292] [client 10.3.17.102:57869] AH01797: client denied by server configuration: /home/user/public_html/
These can be corrected by adding an index file (in the case of Options -Indexes) or removing the 'deny from all' line from the .htaccess file.
ModSecurity is an open-source ‘Web Application Firewall‘ that inspects all HTTP requests and responses. ModSecurity tries to prevent malicious requests and avoid possible code leakages. ModSecurity uses regular expressions that attempt to match frequently used attacks. It will then throw a 403 error if a rule is triggered. Login into your Control Panel and disable ModSecurity for the domain. If this issue resolves the error, contact your web host to have the issue investigated.
Another potential reason for your 403 forbidden error is that your domain name is pointing to the incorrect IP address, where you lack permission to view the site’s content. To get around that, verify that your domain name is pointing to the right IP address. Your domain could still point to your previous web host if you have migrated to a new one and forgot about updating your nameservers. A 403 error status code will be triggered when your previous host terminates your account.
As we mentioned earlier, the 403 Forbidden error can also be caused by a faulty plugin. To determine if this is the case, you’ll need to deactivate your plugins and then reactivate them individually. To start, connect to your site via FileZilla or the file manager in your hosting account. Then, open the wp-content folder in your site’s root directory and locate the plugins folder. Right-click on the plugins folder and select Rename.
Next, give the folder a new name, for example, “plugins_test”. This will automatically deactivate all of your plugins. If you can access your site after renaming the folder, then the 403 Forbidden error was caused by a glitchy plugin. Your next step is to find out which one it is.
First, return to your site’s root directory and rename the plugins folder back to “plugins”. Then, navigate to the Plugins page in your WordPress dashboard and activate the plugins one at a time. Keep doing this until you are able to reproduce the error. Once you’ve identified the faulty plugin, you can either remove it or contact its developer for support.
Like many other HTTP status codes, there are a lot of different variations for how this error code presents itself.
Here are some common variations that you might come across:
Contact us if your is still present after trying the above solutions.