First, the bad news — a 403 error code is a polite but firm way of saying, "You are not one of the special few allowed to access this site. Please go home".
Now, the good news is that the "forbidden" part of a 403 error is not as intimidating as it sounds. Although it is frustrating to see this pop up on your screen when you want to reach a website, the issue is more straightforward to fix than you might think.
This detailed guide will show you how to fix 403 error messages across Apache, Nginx, and various other platforms so you won't waste time searching online for solutions or try tweaking your server configurations randomly. Follow these simple instructions to learn how to fix error 403 like a pro!
What Does 403 Forbidden Mean?
Again, what is a 403 error? A 403 error or an HTTP status code “403” indicates that access to a requested resource is forbidden. It occurs when a server refuses to fulfill the request due to insufficient permissions, typically because of restricted access or incorrect credentials.
Apache, Nginx, and other servers store configuration files that handle access requests. When settings limit access to particular users, files, or IP addresses, a 403 error may result.
Why Am I Getting a 403 Forbidden Error?
Now, let’s figure out some common possible reasons for getting a 403 error.
Problems with the Hypertext Access File
A misconfigured .htaccess file can cause an HTTP error 403 when you attempt to access specific site pages or resources.
The .htaccess file is a configuration file used by web servers running the Apache HTTP Server software. It allows you to set directives controlling URL redirection and caching settings. Such directives are key for changing configurations, enhancing security protocols, enabling custom error pages, and shortening loading speed.
Incorrect Directory or File Permissions
File and directory permissions control who can access, modify, or run files and folders on specific servers. Faulty settings may send a 403 error when there should not be an error code.
Permissions are based on three access types – read, write, and execute. Assigned to single and group entities, these access types are defined by numeric notation, symbolic notation, or server configuration settings.
Web Application Firewall
Web application firewalls (WAFs) are website security protocols that monitor and block suspicious traffic. WAFs protect apps from hacking attempts, security breaches, cross-site request forgery, and cross-site scripting (XSS). As a result, you can see a 403 error when a WAF blocks a request misidentified as suspicious behavior.
Other reasons a WAF issues a 403 error include:
- Stringent configurations.
- Location-based limitations.
- User-Agent headers.
User-agent headers are data strings containing information about browsers, devices, and operating system types that web browsers and mobile apps send to identify software requests for analytics. Security systems configured to detect and block hackers may also mistakenly block User-Agent headers and cause a 403 error.
Plugin Conflicts
Faulty interactions between plugins and a website's security settings, access rules, or permissions may produce 403 forbidden errors. The most common plugin conflicts involve:
- Security plugins mistakenly blocking requests when two plugins conflict in changing security settings.
- Plugins requiring folder or file permission modifications to work correctly. Conflicting plugins may alter permissions on the same folders or files, leading to access issues and a 403 error code.
- Plugins that modify .htaccess files to configure access control and security rules often cause a 403 error if files contain conflicting rules. For example, one plugin may deny access to specific directories while another plugin tries to access those same directories.
Access Control List (ACL) Restrictions
An ACL contains a list of permissions assigned to network resources, files, directories, or applications that specify which processes or users can access these objects.
Administrators are responsible for setting up permissions for ACLs to determine allowable actions. In other words, ACLs direct systems to deny or grant access.
Relocating Content to New URLs
Moving content to a new URL may cause 403 errors due to access permissions and security settings. New directories or files could adopt permissions different from the original ones, restricting users or servers from gaining access.
Failure to update server configuration directives or ACLs when content is published under new URLs may produce a 403 forbidden error. Moreover, WAFs and security plugins could interpret URL changes as suspicious behavior and deny access.
How to Fix HTTP 403 Error: Troubleshooting Made Easy
You have several alternative approaches to fixing a 403 error. Sometimes, when you know the exact cause of the error, you just need one. Other times, you may need to try several different fixes to find what works.
Here’s all you can do to get rid of the 403 error on a website.
Fix .htaccess File Issues
Before correcting problems with .htaccess files that trigger 403 forbidden errors, make sure to create backups to existing files that may need to be restored later.
Using your hosting provider's file manager or an FTP client, go to the site's root directory and find the .htaccess file.
Download the .htaccess file in Notepad or another text editor. Open the .htaccess file in the text editor and search for IP-blocking rules. Typically, an IP blocking rule is written as:
- Deny from all
- Deny from 123.456.789
- Deny from 192.168.1.1
- <RequireAll>
- Require all denied
- Require not ip 203.0.113.1
- </RequireAll>
Blocked IP addresses will be listed within the "Require All" or "Deny from" blocks. To remove a blocked IP address, delete or modify the "require" or "deny" line containing the IP address.
Additionally, check the .htaccess file for syntax errors. Look for extra spaces, incorrectly placed brackets, and invalid commands.
Finally, save the changed .htaccess file and upload it to the server. Access the website from various IP addresses to see if the changes eliminated the 403 errors.
Adjust File and Directory Permissions
Sometimes, the meaning behind the ‘403 forbidden’ error may involve the lack of permissions for the user, incorrect owner or group configurations, or disabled directory listings. In this case, you have 3 methods to investigate and fix permission issues.
1. Fixing 403 forbidden error messages using a cPanel
Many web hosting platforms offer cPanel, a simplified file manager that makes it easy for users to manage websites and hosting accounts.
The process starts with logging into the cPanel and navigating to the dashboard. Next:
- Open the File Manager.
- Go to Directories/Files
- In the directory, find the Website files (they are usually stored in the public_ html folder)
- Right-click the directory you want to change. Select the "Change permissions" option.
- For directories, set the permission value to 755. This gives owners read, write, and execute access.
- Right-click on PHP, HTML, and other files individually. Select "Change permissions."
- For files, set the permission value to 644 to give read and write access to owners.
- Save changes before exiting.
The reason for assigning specific values is to prevent too permissive or restrictive permissions that could allow hacking or continued 403 errors.
Also, be aware that a 403 error might occur when the ownership of the files is incorrect. If this turns out to be the case, then the ownership problem has to be adjusted separately.
2. Using FTP Access to Fix a 403 Error Code
Hosting platforms that support FTP access can use File Transfer Protocol (FTP) clients like FileZilla to modify permissions.
- Connect to the website using FTP.
- Go to the Directories/Files and right-click on the folder containing the website's content (usually public_html).
- To change directory permissions, right-click on the directory and select "Permissions". Set the value to 755 for directories.
- To change file permissions, right-click on files and select "File permissions". Set that value to 644 for individual files.
3. Adjusting Permissions Using Secure Shell (SSH)
Hosting platforms that provide SSH access let you quickly modify permissions on files and directories using the command line.
- Use an SSH client (PuTTY, OpenSSH, MobaXterm) to access your server.
- Go to the web directory with this command prompt: cd /path/to/your/website. For example, type: cd/var/www/html or cd/home/username/public_html.
- Use this command to set all directory permission values to 755: find /path/to/your/website -type d -exec chmod 755 {} \;
This command specifies the path to the directory, instructs the "find" command to search for directories only, and sets the 755 value that allows website owners to read, write, and execute changes.
Enable Directory Browsing
Enabling directory browsing can sometimes resolve access issues associated with the HTTP 403 error. Apache and Nginx, two of the most widely used web servers, handle directory browsing differently due to their distinct configurations and architecture.
Apache
- Edit the .htaccess file for specific directories.
- Modify httpd.conf. for the entire server.
- To enable directory browsing, add Options +indexes in .htaccess or <Directory> section in the httpd.conf.
- To restart Apache, run: sudo systemctl restart apache2 or sudo service httpd restart.
Nginx
- Typically, the Nginx configuration file is found in /etc/nginx/sites-available/your-site or /etc/nginx/nginx.conf.
- Locate the server block where you want to permit a directory listing.
- Change or add the location block for the specific director that you want to allow browsing.
IIS (Internet Information Services)
By default, browsing in IIS directories is disabled. To enable directory access, you must modify the settings in IIS Manager by pressing Windows + R, typing inetmgr, and hitting Enter.
- In Connections (left panel), access the server node and click on the directory or website where you want to allow directory browsing.
- Double-click Directory Browsing in the middle panel below the IIS section.
- Go to the Actions section on the right, click Enable, then Apply.
Disable Problematic Plugins
If you're using CMS platforms like WordPress, Magento, or Joomla, some plugins may unintentionally cause a 403 error by interfering with permissions or security settings. Try disabling them one by one to see which one is causing the issue.
Another option is to disable all plugins. You can do it quickly by simply changing the plugins’ folder name in their root folder.
Check DNS Settings
Sometimes, DNS misconfigurations can result in access issues. So one more possible fix is verifying that DNS settings are correct and that your domain is pointing to the correct server.
To verify that the domain A-record is correctly pointing to the server's IP address after a migration:
- Check the A-record using a DNS lookup tool or an online DNS checker
- Locate the ANSWER SECTION to find the A-record
- Compare the IP address returned from the DNS lookup with the server's IP address to see if they match
- After updating DNS records, changes may not take effect immediately. You can use websites like whatsmydns.net to monitor the global A-record from various locations.
Contact Your Hosting Provider
Finally, when troubleshooting 403 error codes using these guidelines fails to correct the error, hosting providers can investigate whether the error affects multiple sites and users on the same server. This could mean an ongoing server-wide issue that only the provider can fix.
Tools for Monitoring Website Accessibility to Avoid Dealing with 403 Errors
Stay on top of potential site accessibility issues by relying on tools such as:
- Google Search Console – A free tool that helps identify website accessibility issues, including 403 errors. It provides detailed insights into site performance, indexing problems, and server-related errors.
- Pingdom – A website monitoring tool that tracks uptime and alerts you when server errors, including 403, occur, allowing you to quickly address them before they impact user experience.
- UptimeRobot – This tool monitors your website's uptime, ensuring you're notified of accessibility issues, including 403 errors, and can resolve them before they affect site visitors.
- Screaming Frog SEO Spider – This tool crawls your website and highlights any server response errors like 403. It helps uncover issues with accessibility that could affect search engine rankings.
- Ahrefs Site Audit – Ahrefs' auditing tool identifies technical SEO issues, including server errors, and offers actionable recommendations for resolving accessibility problems.
- Semrush Site Audit – With its in-depth crawl and reporting features, Semrush helps detect 403 errors and other site performance issues that may hinder user access.
Each of these tools helps maintain your site’s accessibility, preventing user frustration and improving overall SEO performance by ensuring search engines and visitors can access your content seamlessly.
Summing Up
While encountering a 403 error can be frustrating, it's usually a problem that can be easily fixed. By following the steps provided in this guide, you can troubleshoot and resolve the issue on different platforms like Apache and Nginx. With these clear instructions, you'll be able to fix the 403 error and regain access to the websites you need without much hassle. But if you still have issues, feel free to reach out to Amasty's QA experts who'll take care of things for you!
