How to fix 403 error

Все мы, путешествуя по просторам интернета, натыкаемся на различные ошибки при загрузке сайтов. Одна из них, кстати, достаточно часто встречается – я говорю об ошибке сервера 403 Forbidden Error. Сегодня я рассмотрю причины ее возникновения и способы устранения со стороны владельца сайта и его пользователя.

Что означает ошибка 403 и почему она появляется

Ошибка сервера 403 Forbidden означает ограничение или отсутствие доступа к материалу на странице, которую вы пытаетесь загрузить. Причин ее появления может быть несколько, и вот некоторые из них:

• Формат индексного файла неверен.
• Некорректно выставленные права на папку/файл.
• Файлы были загружены в неправильную папку.

Исправление ошибки сервера 403 Forbidden

Чтобы исправить ошибку сервера 403 Forbidden, обязательно нужен доступ к панели управления вашего хостинга. Все описанные ниже шаги применимы к любой CMS, но примеры будут показаны на основе WordPress.

Проверка индексного файла

Сначала я проверю, правильно ли назван индексный файл. Все символы в его имени должны быть в нижнем регистре. Если хотя бы один символ набран заглавной буквой, возникнет ошибка 403 Forbidden. Но это больше относится к ОС Linux, которой небезразличен регистр.

Еще не стоит забывать, что индексный файл может быть нескольких форматов, в зависимости от конфигураций сайта: index.html, index.htm, или index.php. Кроме того, он должен храниться в папке public_html вашего сайта. Файл может затеряться в другой директории только в том случае, если вы переносили свой сайт.

Любое изменение в папке или файле фиксируется. Чтобы узнать, не стала ли ошибка итогом деятельности злоумышленников, просто проверьте графу «Дата изменения».

Настройка прав доступа

Ошибка 403 Forbidden появляется еще тогда, когда для папки, в которой расположен искомый файл, неправильно установлены права доступа. На все директории должны быть установлены права на владельца. Но есть другие две категории:

• группы пользователей, в числе которых есть и владелец;
• остальные, которые заходят на ваш сайт.

На директории можно устанавливать право на чтение, запись и исполнение.

Так, по умолчанию на все папки должно быть право исполнения для владельца. Изменить их можно через панель управления TimeWeb. Для начала я зайду в раздел «Файловый менеджер», перейду к нужной папке и выделю ее. Далее жму на пункт меню «Файл», «Права доступа».  

Откроется новое окно, где я могу отрегулировать права как для владельца, так и для всех остальных.

Отключение плагинов WordPress

Если даже после всех вышеперечисленных действий ошибка не исчезла, вполне допустимо, что влияние на работу сайта оказано со стороны некоторых плагинов WordPress. Быть может они повреждены или несовместимы с конфигурациями вашего сайта.

Для решения подобной проблемы необходимо просто отключить их. Но сначала надо найти папку с плагинами. Открываю папку своего сайта, перехожу в раздел «wp-content» и нахожу в нем директорию «plugins». Переименовываю папку – выделяю ее, жму на меню «Файл» и выбираю соответствующий пункт. Название можно дать вот такое: «plugins-disable». Данное действие отключит все установленные плагины.

Теперь нужно попробовать вновь загрузить страницу. Если проблема исчезла, значит, какой-то конкретный плагин отвечает за появление ошибки с кодом 403.

Но что делать, если у вас плагин не один, а какой из них влияет на работу сайта – неизвестно? Тогда можно вернуть все как было и провести подобные действия с папками для определенных плагинов. Таким образом, они будут отключаться по отдельности. И при этом каждый раз надо перезагружать страницу и смотреть, как работает сайт. Как только «виновник торжества» найден, следует переустановить его, удалить или найти альтернативу.

Как решить проблему, если вы – пользователь

Выше я рассмотрела способы устранения ошибки 403 Forbidden для владельцев сайта. Теперь же разберу методы исправления в случаях с пользователем.

• Сначала надо убедиться, что проблема заключается именно в вашем устройстве. Внимательно проверьте, правильно ли вы ввели URL сайта. Может, в нем есть лишние символы. Или, наоборот, какие-то символы отсутствуют.
• Попробуйте загрузить страницу с другого устройства. Если на нем все будет нормально, значит, проблема кроется именно в используемом вами девайсе. Если нет – надо перейти к последнему шагу.
• Еще хороший вариант – немного подождать и обновить страницу. Делается это либо кликом по иконке возле адресной строки браузера, либо нажатием на комбинацию Ctrl + F5. Можно и без Ctrl, на ваше усмотрение.
• Если ничего из вышеперечисленного не помогло, надо очистить кэш и cookies. Провести такую процедуру можно через настройки браузера. Для этого необходимо открыть историю просмотров, чтобы через нее перейти к инструменту очистки. Эту же утилиту часто можно найти в настройках, в разделе «Конфиденциальность и безопасность». В новом окне нужно отметить пункты с кэшем и cookies и нажать на кнопку для старта очистки.

• Ошибка 403 Forbidden возникает и тогда, когда пользователь пытается открыть страницу, для доступа к которой сначала надо осуществить вход в систему. Если у вас есть профиль, просто войдите в него и попробуйте вновь загрузить нужную страницу.
• Если вы заходите со смартфона, попробуйте отключить функцию экономии трафика в браузере. Она находится в настройках, в мобильном Google Chrome под нее отведен отдельный раздел. 
• Последний шаг – подождать. Когда ни один способ не помогает, значит, неполадки возникли именно на сайте. Возможно, его владелец уже ищет способы решения проблемы и приступает к их исполнению, но это может занять какое-то время. Пользователям остается только дождаться, когда все работы будут завершены.

Еще одна допустимая причина появления ошибки сервера 403 – доступ к сайту запрещен для определенного региона или страны, в которой вы находитесь. Бывает и такое, что сайт доступен для использования только в одной стране. Если вы используете VPN, попробуйте отключить его и перезагрузите страницу. Вдруг получится все исправить. 

Если ничего из вышеперечисленного не сработало, рекомендуется обратиться к владельцу сайта. Есть вероятность, что никто не знает о возникшей проблеме, и только ваше сообщение может изменить ситуацию. 

Does the term ‘403 forbidden’ seem familiar? This is a client-side error that denies you access to specific areas of a website. You might have seen it when you landed on a webpage with a permission error or an empty website directory.

Why? Because the majority of websites are configured to disallow directory browsing, with an aim to stop unauthorized users from getting into files containing sensitive data.

But if you or users run into a 403 forbidden error on your website, you need to fix it — or you could lose traffic. And that would cost you invaluable new customers over time.

However, as there are various causes for a 403 forbidden error, you have more than one solution to consider.

In this guide, we’ll explore everything you need to know about 403 forbidden errors, including likely causes and several solutions to try.

What Does the 403 Forbidden Error Mean?

The HTTP status code ‘403 forbidden — you don’t have permission to access this resource’ is displayed when a web server recognizes a user’s request but is unable to allow additional access.

What Causes the 403 Forbidden Error?

HTTP 403 forbidden errors are typically triggered by a client-side setup issue, so you should be able to fix it independently. One of the most common reasons for a 403 forbidden error is the settings for a specific folder or file. These determine which users can read, write, or execute that folder or file.

In this case, the site owner may have:

• Changed the settings and denied you from accessing the relevant resources.
• Failed to put the proper permissions in place.

Another common cause is the htaccess file settings, which may simply be wrong or (less simply) corrupt. This could occur after a file has been changed. Fortunately, you can fix this problem in an easy way — just create a new server configuration file.

Other possible causes of a 403 forbidden error include:

• Incorrect IP address: A domain name directs to an incorrect or outdated IP address hosting a site that prevents you from gaining access.
• Issues with a WordPress plugin: WordPress plugins that are incompatible with other plugins or set up incorrectly.
• New link to page: A site owner updates a page’s link, which differs from the version that has been cached.
• Malware: Malware infections can lead a .htaccess file to be in a state of ongoing corruption, so you would need to get rid of the infection before completing a file restoration.
• No index page: Your site’s homepage isn’t named ‘index.php’ or ‘index.html’.

Any of these causes may be responsible for your site’s 403 forbidden error.

Try These Techniques to Solve Your 403 Forbidden Error

The techniques we’ll explore below focus primarily on 403 forbidden errors associated with file access permissions. But alternative options, including malware scans and emptying your browser’s cache, could also fix the problem.

And while we focus on WordPress websites, you can apply our solutions to different types of sites too.

Assess the .htaccess File for Signs of Corruption

The .htaccess file usually remains inside the site’s document root..

Are you using cPanel or Plesk? First, find the File Manager, open the site’s document root directory, then search for the .htaccess file. Not there? In case of cPanel tap ‘Settings’ in the top-right area of the screen, then turn on the ‘Show Hidden Files (dotfiles)’ setting.

The .htaccess file primarily works by adjusting the settings for Apache Web Server, as it’s a server configuration file. But while you’ll find this file on the majority of sites by default, you have to manually make a new file if your site lacks one or it has been accidentally deleted.

In any case, when you find the file, take the following steps to find out whether the 403 forbidden error has been caused by an incorrect configuration:

1. Right-click on the file then tap ‘Download’ to make a backup.
2. Delete the file.
3. Try to access your site — if you can get into it, it’s safe to say that the file was corrupted.
4. If you want to make a new .htaccess file, sign in to your WordPress dashboard then click on the ‘Settings’ option followed by ‘Permalinks’.
5. Tap the ‘Save Changes’ button without making changes.

Completing these steps will create a new .htaccess file for your site. But if this process fails to fix the problem, move on to our next technique.

Resetting Permissions for the File and Directory

Incorrect file or folder permissions could be causing your HTTP 403 issue.

New files carry certain default permissions that determine how you read, write, and execute them. But you can edit permissions for files and folders with FTP. To get started:

1. Set up an FTP client and connect it to your site.
2. Right-click ‘publichtml’ after connecting the FTP client, then select ‘File Attributes’.
3. Input permission ‘755’ in the ‘Numeric value’ field, choose ‘Apply to directories only’, then press ‘ok’.

Generally, with regards to file permission numeric values, ‘755’ relates to folders, ‘644’ relates to static content, while ‘700’ relates to dynamic content.

Next, once you have adjusted your folder permissions, repeat the second and third steps above — but use ‘644’ in the ‘Numeric value’ field instead. Then, click on ‘Apply to files only’.

After you complete these steps, try to access your site to find out if you have fixed the problem.

Deactivating Plugins for WordPress

It’s likely that your 403 forbidden error is caused by a plugin which is faulty or simply incompatible if neither of the previous techniques have worked for you. So, we’ll explore how to disable plugins to discover if they’re behind the error.

Before we begin, though, we want to recommend that you disable all of the plugins at the same time rather than disabling them one by one.

Follow these steps:

1. Use FTP to get into your hosting account, or use the file manager in your hosting account, and navigate to the public_html -> wp-content folder.
2. Find the ‘plugins’ folder.
3. Change the folder’s name to something simple and relevant, such as ‘plugins-disabled’, to disable all of the plugins.

Next, try to access your site — if you don’t see the error again, the problem will have been caused by a plugin which is no longer active.

Change the folder name back to ‘plugins’, then disable one plugin at a time and see if the site continues to run properly. This will make it easy to identify the plugin causing the problem.

Either update or delete the plugin when you find it. But if the 403 forbidden error continues to appear, get in touch with your hosting provider for further help.

Index Page Uploading

Take a look at the name of your site’s homepage: it should be &lsquoindexphp’ or index.html’. Otherwise, you have two options to consider.

One possibility is to name your homepage either ‘index.php’ or ‘index.html’ instead. Alternatively, if you would prefer to retain the current name, just upload an index page to your public_html directory then set up a redirect to your present homepage.

Sounds good? Follow these steps:

1. Use FTP or the file manager in your hosting account to upload an index.php or index.html file to your public_html directory.
2. Find the .htaccess file and open it.
3. Enter this snippet of code to start redirecting the index.php or index.html file to your present homepage: 

Redirect index.html /myhomepagehtml

And make sure you swap ‘nyhomepage.html’ with the actual page name. 

Reconfigure Ownership of the File

Do you use VPS or Linux web hosting? Improper file ownership could be causing your 403 forbidden error problem.

Folders and files may be assigned to a specific Group, Owner, or even both. However, you’ll require SSH access to change ownership within these environments, as well as an SSH terminal for connecting to the VPS.

Use the following SSH command to assess ownership after you connect SSH to your site’s server:

ls -1 [file name]

You should see this (or something similar):

-rwxrw-rw- 1 [owner][group] 20 Jul 22 12:00 filename.txt

Focus on the owner and group elements: the username for your hosting account will be the proper ownership. If the ownership is different, enter the following chown Linux command to change that:

chown [owner][:group] [file name]

Check Your A Record

Another potential reason for your 403 forbidden error is that your domain name is pointing to the incorrect IP address, where you lack permission to view the site’s content. To get around that, verify that your domain name is pointing to the right IP address.

Your domain could still point to your previous web host if you have migrated to a new one and forgot about updating your nameservers. A 403 error status code will be triggered when your previous host terminates your account.

Run a Malware Scan

Your 403 error may be due to malware: your WordPress website may continually add unwanted code to the .htaccess file after becoming infected. The 403 error will continue even if you fix the file using our first suggested method.

So, run a scan of your site to find malware using a WordPress plugin like Wordfence or Sucuri. Most security plugins for WordPress can get rid of malware: you’ll be presented with various options when the plugin locates the infection, such as restoring or deleting the affected files.

Another way to restore your site is to use backup files or, if you’re missing a full backup of the necessary files, a database backup.

Empty Your Cache

Our final recommended technique for fixing your 403 forbidden error involves the cache and cookies in your browser. The cache retains data to help websites load more quickly next time you go back to it. But the real page link could be different from the cached one if a site has been updated.

Additionally, cookies may trigger an error too. That could be the case if you see the error when trying to sign in to a site that you log into frequently.

Fortunately, clearing out both the cache and cookies in your chosen browser could solve the problem. But be prepared: emptying the cache could cause a site to run more slowly the next time you visit it, as the browser will request the site’s files again. Also, emptying your cookies will log you out of any sites that you’re currently signed in to.

If you use Google Chrome like countless other people, take the following steps to clear out your cache and cookies:

1. Tap the ellipsis icon in the top-right area of the screen, then click on ‘Settings’.
2. Locate the ‘Privacy and security’ section, then tap the ‘Clear browsing data’ button.
3. Choose the data-deletion time period via the drop-down menu, then select both ‘Cookies and other site data’ and ‘Cached images and files’.
4. Tap the ‘Clear data’ button to proceed.

After finishing all four steps, go back to your site and sign in if necessary. Hopefully, the 403 forbidden error will be solved!

Conclusion

If you have run into 403 forbidden errors before, you’ll know just how annoying they can be, especially when they prevent you from accessing a website you depend on daily. They’re typically caused by file permission issues, though glitchy plugins and malware infections could be responsible too.

It’s not always easy to identify the reason for 403 errors, but the eight techniques explored in this guide should help you get your site running properly again.

However, there are plenty of HTTP error codes, and the 403 forbidden is just one of them. Website owners may face client- and server-side errors, including 404 and 504 gateway timeouts.

The more you know about these and other errors, the faster you will be able to fix them if they disrupt activity on your site.

Introduction

When a web server denies access to a particular webpage or web content, it displays the 403 Forbidden error. Different web servers report different variations of the 403 Forbidden error.

In this article, you will learn what a 403 error is and how to fix it.

The 403 Forbidden error happens when a web server denies access to a webpage to a user trying to access it trough a web browser. The name «403 error» derives from the HTTP status code that the web server uses to describe that type of error.

There are several variations of the error and several reasons why the web server has denied access. The following sections deal with the different ways the error is displayed and its causes.

Common 403 Error Messages

Like with other errors, webmasters can customize how the 403 error is displayed. Its contents also depend on the web server used. That is why there are many different 403 pages across different websites.

Some common 403 error messages are:

• 403 Forbidden
• HTTP 403
• Forbidden
• HTTP Error 403 – Forbidden
• HTTP Error 403.14 – Forbidden
• Error 403
• Forbidden: You don’t have permission to access [directory] on this server
• Error 403 – Forbidden
• 403 Forbidden Error
• 403 Error

The image above shows an example of a 403 Forbidden error served by an Nginx web server.

What Causes the 403 Forbidden Error

The 403 Forbidden error usually occurs due to access misconfiguration. The misconfiguration involves improper read, write, or execute permission settings for a file or directory.

Possible causes for the 403 Forbidden error are:

• An empty website directory. If there is no index.php or index.html page, the 403 error displays.
• Missing index page. The 403 error may occur if the homepage name isn’t index.html or index.php.
• Permission/ownership errors. Incorrect permission settings or ownership cause the 403 error.
• Incorrect .htaccess file settings. The .htaccess file holds important website configuration settings, and it could be corrupted.
• Malware infection. If your files are infected with malware, it can keep corrupting the .htaccess file.
• Cached outdated webpage. The 403 error comes up if the page link has been updated, which is now different from the cached version.
• Faulty plugin. Improperly configured WordPress plugins or their incompatibility could trigger the 403 error.

The following section deals with different ways of fixing the 403 Forbidden error.

How to Fix the 403 Forbidden Error (Tips for Webmasters)

You can do several things to fix the 403 Forbidden error, depending on whether you are a website visitor or a webmaster.

The following fixes for the 403 Forbidden error are resources for site webmasters:

Check Website Directory

An empty website directory may cause the 403 error. Make sure that the content is in the correct directory on the server.

Depending on the server you are using, the correct directory for your content is:

• For Nginx: /var/www/vhosts/domain.com/httpdocs/
• For Apache: /home/username/public_html/

If there is no such directory, create one.

Add an Index Page

The website homepage by default is index.html or index.php. If there is no such page on your website, the visitors can encounter a 403 Error. Resolve this by uploading an index page to your httpdocs or public_html directory.

If you already have a homepage named other than index, you can rename it or set up a redirect in your .htaccess file to that homepage.

To redirect to your homepage, follow the steps below:

1. Log in to cPanel and navigate to your public_html directory.

2. Right-click the .htaccess file and choose Edit from the dropdown menu.

3. Redirect the index.php or index.html file to your existing homepage by inserting the following code snippet:

redirect /index.html /homepage.html

Replace homepage.html with the actual name of your page.

Check File and Directory Permissions

Each file and directory on your website have permissions that control access to those files and directories. Incorrect file or directory permissions can cause the 403 Forbidden error. The permissions specify who has read or write access to the file or directory in question.

The permissions are represented with numeric values. The general practice is to use:

• 755 for directories
• 644 for static content
• 700 for dynamic content

You can change file permissions recursively with the chmod command. If you prefer a GUI, use an FTP client to change file or directory permissions.

Create a New .htaccess File

A 403 error can be the result of improper .htaccess file configuration. The .htaccess file controls the high-level website configuration.

Follow the steps below to check if the .htaccess file is the cause of the 403 error:

1. Find the .htaccess file via your file management software (e.g., cPanel) or via an sFTP or FTP client.

2. Right-click the .htaccess file and select Download to create a local backup.

3. Next, click Delete to delete the file.

4. Visit your website. If the 403 error no longer appears, it means that the .htaccess file was corrupt.

5. Now you need to generate a new .htaccess file. Log in to your dashboard and click Settings > Permalinks.

6. Don’t make any changes. Just click the Save Changes button to create a new .htaccess file.

Visit your website to check if the error is fixed.

Enable Directory Browsing

If the website shows a 403 error when you’re trying to browse a directory, you may need to enable directory browsing in your web server software. You can turn on directory browsing in the config file. If you don’t feel confident editing the config files yourself, seek help from a web master or your hosting provider.

The following examples show how to enable directory browsing in different web servers:

• IIS Express

1. Open the Web.config file of your project.

2. Add the following tags within <system.webServer>:

<directoryBrowse enabled="true" />
<modules runAllManagedModulesForAllRequests="true" />

• Nginx

Change the autoindex value to on in the config file:

The following is an example of the config file with the on value for autoindex.

server {
 listen 80;
 server_name phoenixnap.com www.phoenixnap.com;
 access_log /var/...........................;
 root /path/to/root;
 location / { index index.php index.html index.htm; }
 location /somedir { autoindex on; }
}

Apache

You have to specify the DirectoryIndex directive in the site’s .conf file (found in /etc/apache2/sites-available on Linux).

Turn on directory browsing in the Options directive. Following is an example of the .conf file with directory browsing turned on:

<Directory /usr/local/apache2/htdocs/listme>
  Options +Indexes
</Directory>

Contact the Hosting Company

The reason for the 403 Forbidden error could be with the hosting company and not with you. If everything else fails to remove the error, get in touch with your hosting company and let them check what could be causing the issue.

Disable WordPress Plugins

Sometimes, a faulty or incompatible plugin is what causes a 403 forbidden error. You can try to fix the error by disabling all plugins to check if the error goes away.

Follow the steps below to disable all plugins:

1. Log into the WP Admin and navigate to Plugins > Installed Plugins.

2. Select all plugins, choose Deactivate from the drop-down menu and click Apply.

3. Try to access your website. If there is no 403 forbidden error, that means that the cause was one of the plugins.

4. Now enable one plugin at a time to determine which one is causing the 403 error. When you find the root of the problem, update or remove the plugin or install an alternative one to resolve the issue.

Check the A Record

One of the reasons for the 403 Forbidden error can be a domain name pointing to the wrong IP address, where you don’t have the permission to view the content. This happens when the A record of a migrated website still points to the old IP address.

Follow the steps below to check if the domain A record points to the right IP address:

1. Log in to cPanel.

2. In the Domains section, click DNS Zone Editor.

3. In the list of DNS records, find the record with the A label in the Type column.

4. Check if the A record IP address in the Record column is correct. If it’s wrong, click Edit to change it.

5. Click Update to finish.

Revisit the website to see if the issue has been resolved.

Scan for Malware

Having malware on your web server can cause the 403 Forbidden error. The malware can keep injecting unwanted lines into the .htaccess file, and that way the error persists even if you generate a new .htaccess file.

Use a security plugin to scan your web server for malware and remove it if any is found. Most plugins also offer actions when detecting malware infected files, such as deleting the infected file or restoring it.

Some of the best security plugins for WordPress are Sucuri, Wordfence, Defender, etc.

How to Fix the 403 Forbidden Error (Tips for Site Visitors)

If you are a site visitor that has encountered the 403 error, below is a list of things you can try to fix the issue.

Check URL

A wrong URL is a common cause of the 403 Forbidden error. Make sure that you’re trying to access an actual webpage instead of a directory.

Many websites don’t allow visitors to browse through directories, so if you are trying to acces a directory, you will likely get a 403 Forbidden error.

Clear History/Cache

Your browser stores cached webpages to load them faster the next time you visit them. Sometimes the website link has been updated, making the actual link different from the cached version. Loading the cached version then results in a 403 error.

The stored cookies on your browser can also cause the 403 error. If the cookies are invalid or corrupted, they can cause improper server authentication. Clearing browser cache and cookies should resolve this issue.

Follow the steps below to clear the cache and cookies on Google Chrome:

1. Click the three-dot button on the top right corner and select Settings.

2. Find the Privacy and security section and click Clear browsing data.

1. In the drop-down menu, select the data deletion time frame.
2. Check the Cookies and other site data and Cached images and files options and click Clear data.

Try to reload the site to see if the problem persists.

Log in

A 403 Forbidden error code could sometimes appear because you need to log in to a website to access a page. If possible, log in with your credentials to gain access to the content.

Reload the Page

Sometimes, reloading the page is the trick to getting around the 403 Forbidden error. Each browser has its own reload button near the address bar. Press Ctrl+F5 on Windows and Linux or Cmd+Shift+R on Mac to reload the page if you prefer using the keyboard.

Try Later

If you aren’t the only one denied access to the website, then the problem is usually with the host. Revisit the site later and see if the issue has been resolved.

Contact Your ISP

If you cannot get around the 403 error on a website, but it works for other people, contact your internet service provider (ISP).

Your IP address could be added to a blocklist, and it is causing the 403 forbidden error. In that case, your ISP cannot help you, and the only way to access the website is to use a VPN.

Conclusion

High website availability provides the best user experience and shows reliability. That is why website owners try to keep their site available at all times and invest in website maintenance services.

Preventing or quickly resolving HTTP errors is crucial if you want to retain your visitors. After reading this guide, you should be able to promptly fix the 403 Forbidden error and keep your business running.

The 403 Forbidden Error is an HTTP response status code that indicates an identified client does not have proper authorization to access the requested content. As with most HTTP response codes, a 403 Forbidden Error can be challenging to diagnose and resolve properly.

With a pool of over 50 potential status codes representing the complex relationship between the client, a web application, a web server, and often multiple third-party web services, determining the cause of a particular status code can be a challenge under the best of circumstances.

This article will examine the 403 Forbidden Error in more detail. We’ll look at what causes this message, along with a handful of tips for diagnosing and debugging your own application. We’ll even examine a number of the most popular content management systems (CMSs) for potential problem areas that could cause your own website to be generating a 403 Forbidden Error. Let’s dive in!

Server- or Client-Side?

All HTTP response status codes in the 4xx category are considered client error responses. These messages contrast with errors in the 5xx category, such as the 502 Bad Gateway Error. 500 errors are considered server error responses.

That said, the appearance of a 4xx error doesn’t necessarily mean the issue has something to do with the client (the web browser or device used to access the application). Oftentimes, if you’re trying to diagnose an issue with your own application, you can ignore most client-side code and components. This includes HTML, cascading style sheets (CSS), client-side JavaScript, etc. This doesn’t apply just to websites, either. Behind the scenes, normal web applications power smartphone apps that use a modern-looking user interface.

Although the 403 Forbidden Error is considered a client error response, you shouldn’t rule out the server as the culprit. The server network object is producing the 403 Error and returning it as the HTTP response code to the client. On the other hand, this doesn’t rule out the client as the actual cause of a 403 Forbidden Error, either. The client might be trying to access an invalid URL, the browser could be failing to send the proper credentials to the site, and so forth. We’ll explore some of these scenarios (and potential solutions) below.

Start With a Thorough Application Backup

Before making changes to your application, make sure to back up your system. This might include a full backup of your application, database, and so forth.

If you have the capability, create a complete copy of the application onto a secondary staging server that isn’t «live» or available to the public. This will allow you to test all potential fixes without threatening the security of your live application.

Diagnosing a 403 Forbidden Error

As previously mentioned, many 403 Forbidden Errors involve the server denying authorization to a client (a web browser, in most cases) that has requested content.

This typically occurs in one of two scenarios:

• The client sent its authentication credentials to the server and the server authenticated that the client was valid. Yet, the server rejected the authorized client from accessing the requested content for some reason.
• The requested content is strictly forbidden for all clients, regardless of authorization. This occurs when attempting to access an invalid or forbidden URL that the web server software has restricted. For example, Apache servers return a 403 Forbidden Error when a client tries to access a URL corresponding to a file system directory.

Troubleshooting on the Client-Side

Since the 403 Forbidden Error is a client error response code, start troubleshooting any potential client-side issues first.

Here are some troubleshooting tips you can try on the browser or device that is giving you problems.

Check the Requested URL

The most common cause of a 403 Forbidden Error is simply inputting an incorrect URL. As discussed before, many tightly secured web servers disallow access to improper URLs. This could be anything from accessing a file directory to accessing a private page meant for other users. Thus, it’s a good idea to double-check the exact URL that is returning the 403 error.

Clear Relevant Cookies

As you may already be aware, HTTP copies store tiny pieces of data on your local device. The website then uses these cookies to to «remember» information abbot a particular browser and/or device.

As you may already be aware, HTTP cookies store tiny pieces of data on your local device. The website then uses these cookies to «remember» information about a particular browser and/or device. Most modern web apps take advantage of these cookies to store user authentication status.

Invalid or corrupted Cookies can cause improper authentication for the server, leading to the 403 Error. This is due to the fact that the client is no longer authenticated to perform this particular request.

In most cases, you should only worry about cookies relevant to the website or application causing issues. The application stores cookies based on where the domain is located. This means you can only remove cookies that match the website domain (e.g. airbrake.io) to keep most other cookies intact. However, if you aren’t experienced with manually removing certain cookies, remove all cookies at once. Not only is this easier, but it’s also a safer option.

Below, we’ve provided a list on how to clear cookies depending on the browser you’re using:

• Google Chrome
• Internet Explorer
• Microsoft Edge
• Mozilla Firefox
• Safari

Clear the Cache

Just like cookies, it’s also possible that the local browser cache could be causing the 403 Forbidden Error to appear.

A cache stores local copies of web content on your device for later use. A browser’s cache can include almost any type of data but typically stores compressed snapshots of webpages, images, and other binary data your browser often accesses. With a local copy of these resources on your device, your browser doesn’t need to spend time or bandwidth downloading this identical data every time you return to the same page. For example, when you open Facebook, there’s a good chance that the content you’re seeing has come from the cache on your device.

Since your browser’s cache stores local copies of web content and resources, it’s possible that a change to the live version of your application is conflicting with the cached version already on your device, which can sometimes produce a 403 Forbidden Error as a result. Try clearing your browser’s cache to see if that fixes the issue.

As with cookies, clearing the cache is browser-dependant, so here are a few links to that relevant documentation for the most popular browsers:

• Google Chrome
• Internet Explorer
• Microsoft Edge
• Mozilla Firefox
• Safari

Log Out and Log In

If the application you’re using has some form of user authentication, the last client-side step to try is to log out and then log back in. If you’ve recently cleared the browser cookies, this should usually log you out, so the next time you try to load the page, just log back in at this point.

In some situations, the application may be running into a problem with your previous session, which is just a string that the server sends to the client to identify that client during future requests. As with other data, your device should have stored the session token (or session string) locally on your device within the cookies. The client then transfers this data to the server during every request. If the server fails to recognize the session token or the server sees this particular token as invalid, this may result in a 403 Error.

But, with most web applications, you can recreate the local session token by logging out and logging back in.

Debugging Common Platforms

If you’re running common software packages on the server that is responding with the 403 Forbidden Error, you may want to start by looking into the stability and functionality of those platforms first. The most common content management systems (CMS) — like WordPress, Joomla!, and Drupal — are all typically well-tested out of the box, but once you start making modifications to the underlying extensions or PHP code (the language in which nearly all modern content management systems are written in), it’s all too easy to cause an unforeseen issue that results in a 403 Error.

Here are a few tips to help you troubleshoot some of these popular software platforms:

Rollback Recent Upgrades

If you recently updated the CMS itself just before the 403 Forbidden Error appeared, you may want to consider rolling back to the previous version you had installed when things were working fine. Similarly, any extensions or modules that you may have recently upgraded can also cause server-side issues, so reverting to previous versions of those may also help.

For assistance with this task, simply Google «downgrade [PLATFORM_NAME]» and follow along. In some cases, however, certain CMSs don’t provide a version downgrade capability, which indicates that they consider the base application, along with each new version released, to be extremely stable and bug-free. This is typically the case for the more popular platforms.

Uninstall New Extensions, Modules, or Plugins

Depending on the particular CMS your application is using, the exact name of these components will be different, but they serve the same purpose across every system: improving the capabilities and features of the platform beyond what it’s normally capable of out of the box. Be warned: such extensions can, more or less, take full control of the system and make virtually any changes, whether it be to the PHP code, HTML, CSS, JavaScript, or database. As such, try uninstalling any recently added extensions. Again, Google the extension name for the official documentation and assistance with this process.

Check for Unexpected Database Changes

Uninstalling a CMS extension does not guarantee that changes will fully revert. This is particularly true for WordPress extensions. These extensions have carte blanche status within an application, which allows them full access rights to the database. With this access, an extension can modify database records that don’t «belong» to the extension itself. That means it can change records created and managed by other extensions of the CMS itself.

In those scenarios, the extension may not know how to revert alterations to database records, so it will ignore such things during uninstallation. Diagnosing such problems can be tricky. Your best course of action, assuming you’re reasonably convinced an extension is the likely culprit for the 403 Forbidden Error, is to open the database and manually look through tables and records that were likely modified by the extension.

Confirm Proper File Permissions

If the application worked fine before and suddenly this error occurs, permissions are not a very likely culprit. However, if modifications were recently made (such as upgrades or installations), it’s possible that file permissions were changed or are otherwise incorrect, which could cause an issue to propagate its way throughout the application and eventually lead to a 403 Forbidden Error. The majority of servers use Unix-based operating systems.

In this Wikipedia article, File-System Permissions, you’ll learn more about how to set up proper permissions for application files and directories to keep your application secure without hindering your applications’ access.

Above all, Google is your friend. Search for specific terms related to your issue, such as the name of your application’s CMS, along with the 403 Forbidden Error. Chances are you’ll find someone (or, perhaps, many someones) who have experienced this issue and have found a solution.

Troubleshooting on the Server-Side

If you’re confident that your CMS isn’t the problem, a 403 Error could be a result of a server-side issue.

Troubleshoot the server with these tips.

Check Your Web Server Configuration

Most modern web servers provide one or more configuration files to adjust server behavior. These configurations are based on a wide range of circumstances. For example, the server may be configured to reject requests to certain directories or URLs, which could result in a 403 Error.

Configuration options for each different type of web server can vary dramatically. Here is a list of a few popular ones to give you some resources to look through:

• Apache
• Nginx
• IIS
• Node.js
• Apache Tomcat

Look Through the Logs

Nearly every web application will keep some form of server-side logs. Application logs contain the history of what the application did, such as which pages were requested, which servers it connected to, which database results it provided, and so forth. Server logs are related to the actual hardware that is running the application. They will often provide details about the health and status of all connected services, or even just the server itself. Google «logs [PLATFORM_NAME]» if you’re using a CMS, or «logs [PROGRAMMING_LANGUAGE]» and «logs [OPERATING_SYSTEM]» if you’re running a custom application, for more information on finding the logs in question.

Check the Database for User Authentication

As you know now, a 403 Error may indicate that the client properly authenticated at some point, but doesn’t have access to the requested resource. It’s worth checking the server to see why it denied the requested resource. Perhaps there’s an issue with the database and can’t authenticate the client.

Verify Server Connectivity

While it may sound simple, it’s entirely possible that a Forbidden Error simply indicates that a server somewhere in the chain is down or unreachable for whatever reason. Most modern applications don’t reside on a single server. Instead, applications may be spread over multiple servers or rely on third-party services to function. If any one of these servers are down for maintenance or otherwise inaccessible, this could result in an error that appears to be from your own application.

Debug Your Application Code or Scripts

If all else fails, manually debug your application by parsing through application and server logs. Ideally, make a copy of the entire application to a local development machine and perform a step-by-step debug process. This will allow you to recreate the exact scenario in which the 403 Forbidden Error occurred and view the application code at the moment something goes wrong.

But, for a faster way to debug, install Airbrake Error & Performance Monitoring. If there’s broken code that’s throwing a 403 Error, Airbrake will find it, and quickly. Create a free Airbrake dev account, today, and for the first 30-days, you’ll have access to unlimited error and performance events.

Note: We published this post in October 2017 and recently updated it in February 2022.

Trying to access the webpage without proper authorization is the major reason for getting 403 Forbidden error on the browser. However, on certain situations, even with the appropriate authorization to access the content, the web browser may fail to send the accurate credentials to the web server. In this case, server will send 403 access forbidden HTTP status code in the response. The status code 403 on the response indicates that the web server denied the access to the content. Depending upon the case, it can be fairly easy or challenging to diagnose and resolve 403 Forbidden error.

Learn how to fix 400 invalid request, 401 unauthorized request, err_connection_reset, err_internet_disconnected, err_network_changed, err_connection_refused, DNS_probe_finished_nxdomain and err_connection_closed errors in Google Chrome.

Different
browsers may interpret the 403 status code from server in different manner. In
general, you will see a clear message indicating that you have been blocked
from accessing the content.

In
addition, the solution to fix the error may vary depending upon whether you are
a normal user or website owner. In both situations, here are the steps you can try
to resolve 403 forbidden HTTP error.

For
Normal Users

As
an user, you will see 403 error message on the browser. You can try to fix the
problem only at browser or computer level.  

1.
Check the URL

Most us access webpages from bookmark, Google Search or from any other offline resources like PDF documents. This can result in accessing the wrong URL while the website owner might have deleted the original page or changed the URL without appropriate redirection.

There
could also be spelling mistakes when you try to type in the URL in address bar.
So, double check the URL and make sure that there are no errors. This is often
a good procedure for resolving 4xx errors. As an example, the URL could be
incomplete, causing your web browser to perform directory browsing of the
website. In most situations, websites disallow directory browsing by default
and you will see 403 forbidden error on the browser.

If
you are the website owner, move on to solution 8 for fixing directory browsing.

2. Check
Permission for Desired Actions

It
is not necessary that after login to the site you can get access to all the
content. Most websites offer free subscription for limited access and still
needs premium account for accessing paid content. In such case, trying to access
the premium content may result in 403 forbidden error. Ensure that you have
proper authorization to access the resource on the website.

3.
Clear Cookies

Website owners distribute cookies with the content to track user activities. Cookies are small pieces of information that stores the specific type of data. For example, cookies store details like session id, login credentials, click tracking, affiliate link tracking and page view tracking. They remind web servers about your preferences and latest status of your devices. Cookies are essential for some websites, because they store your authentication status to inform the web server about your level of authorization. Invalid or corrupted cookies can cause authentication problem and the 403 Forbidden Error would be generated. You can follow the process in our separate article to delete cookies in Google Chrome. The process remains same for most other browsers like Firefox and Edge. On Safari, you can delete cookies from the “History > Clear History…” menu.

4.
Clear Cache

Cache
is an accumulation of data, mostly copies of content of the webpages that you
regularly visit. As an example, if you open Facebook each day, the browser
stores the images, stylesheets and other static data from Facebook. So, the
next time you open Facebook, your browser will only load dynamic data,
resulting in faster performance.

However,
any recent changes on the website will cause conflict with cached data on your browser.
The corrupted and outdated cache on your browser can also cause 403 forbidden
Error. Clearing cache is similar to clearing cookies. When you clear cookies,
select the option to delete all browsing history and cached content. After that
try to access the page and check whether you can access the page.

5.
Logout and Login

Some
users login to the site and never logout for many days without shutting down
the computer. On most websites, the login will be valid for certain time. This
makes your session invalid and the web server can’t recognize your session id. In
such situation you will see 403 forbidden error when trying to access the
content.

If
you did not logout for many days then the simple solution is to logout and
login again. This could help to resolve the issue.  

6.
Location Blocking

Website
owners may intentionally block the IP addresses of specific countries from
accessing their content. This is very common to block traffic from countries
like China and Russia for security reasons. In this situation, you will see
message like below on the browser indicating that the web server blocks your
geographical location.

You
can either contact the webmaster of the site or use VPN to change your IP
address and access the site.

If
you are not able to solve the problem with any of the above listed methods, then
contact the website owner to get support on the issue.

For
Website Owners

As a website owner, you may face or your users may report to you 403 error in different scenarios. Try the following solutions to fix the error.

8. Enable
Directory Browsing

As
explained above, the server may result in 403 error when the users try to
access the partial URL. For example,

Complete
URL: site.com/news/news1.html

Partial
URL: site.com/news/

When
the URL is incomplete, your browser will show the content of the directory
instead. As website owner, it is up to your decision to allow or deny access to
the “news” directory on the server. Though there is nothing wrong about
enabling directory browsing, we recommend disabling for security reason.

If you still want to enable directory browsing, simply add the Options –indexes in your .htaccess file. Alternatively you can disable directory browsing from cPanel or get the support from your webhosting company.

9.
Disable .htaccess File

The.htaccess file is the configuration file that’s located at the root of the website. If there is a misconfiguration in .htaccess file, most possibly you will get 403 forbidden error. One good way to determine whether .htaccess file is causing the problem is by disabling it. An easy way is to rename the .htaccess file to other names, such as .htaccess.bak or .htaccess.001. Follow these steps to access .htaccess file:

• Open your cPanel hosting account and go to the File Manager or similar
  option.
• Find .htaccess file at the root directory of your website.
• Right click and rename it.

Check
you can access the webpage. If 403 error no longer appears, check your
.htaccess file to find any snippet of code that could cause the error.

10.
Check File Permission

Accessing webpages and directories from the server need appropriate file permission. Otherwise, you will see 403 forbidden error when trying to access the page with inappropriate file permission setup in the web server. It is also possible that you have accidentally changed the permission causing problems in accessing some webpages publicly. If users report that some of your webpages cause 403 forbidden Error, check their permission and make sure users get the “read” permission.

11.
Check Server Configurations

Modern
web servers can be quite complex and you can customize the behavior of the
server. As an example, web servers might be configured to reject any request
for specific directories or files. This will generate the 403 forbidden error
when trying to access the directory from browser. 

Let
us explain this case with the popular WordPress content management system. You
can install many plugins to enhance the features of WordPress. However, plugins
related to security and membership can change the file permission of certain
directories to prevent public access. You need to aware of this and work
accordingly.

12.
Check Server Connection

Temporary
unavailability of the server may cause connectivity issues and cause 403
forbidden error. For example, you may be doing some maintenance activity on the
server. Also many applications or websites don’t reside on one physical server;
they might have distributed in a cloud-based network. When facing 403 error,
you can administrators to check whether it is associated with data stored from
a specific server and resolve the problem.

13. Image Hotlinking

Image hotlinking is a process of preventing others from directly linking your images on their site. This helps to save your bandwidth and hosting charges. If you have enabled hotlinking then the images may stop loading on unauthorized domains and show 403 error. You can go to cPanel and add additional domains or disable hotlinking to show the images.

Conclusion

403
forbidden error can happen due to multiple reasons. In simple cases, you can
correct the error by checking the URL and clearing the cache and cookies.
However, this could be a complex task for website owners. You can try the solutions
listed for website owners to resolve the issue.

403 Forbidden Error is yet another HTTP response status code. This one indicates that the user does not have the proper authorization to access the requested content. Typically, the web server will respond with this error when it’s able to understand the request but refuses to deliver for various reasons. The refusal might happen because the server is configured to deny that particular client request or because of improper permission configuration.

The 403 Forbidden error is not exclusive to a certain operating system and can be encountered on every platform capable of accessing the internet.

Depending on the web server you’re accessing, you might the encounter 403 Forbidden error in many different shapes and sizes. But most of the time, you’ll see it in plain text in the following variations:

• HTTP 403
• 403 Forbidden
• Forbidden: You don’t have permission to access [directory] on this server
• Forbidden
• Error 403 – Forbidden
• Http Error 403 – Forbidden
• HTTP Error 403.14 – Forbidden
  

Note: If you’re using Internet Explorer, you might see this error wrapped in a message saying “The website declined to show this webpage”.

Sometime the website owner will customize how the 403 error looks, but those cases are rare.

Server-side or client-side?

If you follow the HTTP documentation, status codes starting with 4xx (403, 404, etc.) are considered to be client error responses. But the fact is, often times, the response code is displayed on the client-side (your web browser) even if the web server is the one that’s causing issues.

Web administrators have the power to limit the access to a certain domain or directory. They can choose to prevent anonymous users from accessing certain contents or impose geographical restrictions.

There’s no guaranteed guide that will tell you for sure if the problem is local or it comes from the web server. When dealing with this situations, the best course of action would be to perform a solid troubleshooting session with the most effective fixes. This guide is aimed at helping regular users fix the 403 Forbidden Error, not webmasters.

If you’re dealing with a 403 Forbidden Error, follow the methods below in order. If you won’t manage to make it go away, at least you’ll know for sure your device is not to blame. Let’s begin.

Method 1: Double-check the URL

I know this sounds very basic, but this is one of the most common culprits of the 403 Forbidden error. Before you do anything else, make sure the URL you’re trying to access is correct. If you’re trying to access a certain file manually by typing out the URL, make sure you specify the actual file name and extension, not just the directory.

Secured websites will not allow directory browsing, so the 403 Forbidden Error is to be expected when trying to access file directories or private pages without knowing the exact file name or it’s extension.

Method 2: Clearing related cookies

HTTP cookies are tiny pieces of data stored on your computer. They speed up various tasks performed by apps and websites by remembering useful information. Most web apps will use cookies to store the user authentication status. Next time the user accesses that web app, the cookie will inform the server of the authorization the client has.

But as with all things, cookies can become corrupted and prevent the authentication from happening as it should. To test this theory, you’ll need to delete the relevant cookies and see if the issue goes away. To point you in the right direction, we’ve put together a quick guide to removing website cookies. See the guide below for a clearer picture:

Note: We used Google Chrome since it’s the most popular PC browser. However, the steps are roughly similar across all browsers. If you can’t find the equivalent steps on your browser, search online for a specific guide.

1. Select the action menu (three-dot) in the bottom-right corner and click on Settings.
   
2. Scroll all the way down to the bottom of the page and click Advanced.
   
3. Scroll down to the bottom of Privacy and security and click on Clear browsing data.
   
4. Acess the drop-down menu near Clear the following items from and set it at the beginning of time. Then, check Cookies and other site data while unchecking everything else. Click on Clear Browsing data and wait for the process to complete.
   

Method 3: Clearing the cache

If you’re still getting the 403 Forbidden Error after deleting the relevant cookies, let’s turn our attention to the cache of your browser. Your browser cache is a storage unit used to retain local copies of various web content. It can store almost any type of data and will spare your browser from having to download the same data every time you visit a particular site.

However, it’s possible that your cached version of the site you’re visiting is conflicting with the live one. Sometimes, this will produce the 403 Forbidden Error as a result. See if that’s the case by clearing your browser’s cache and revisit the website that’s giving you trouble. Here’s a quick guide:

Note: The exact steps of clearing the cache are also browser dependent. If you’re not using Chrome, search online for steps in your browser.

1. Select the action menu (three-dot) in the bottom-right corner and go to More Tools > Clear browsing data.
   
2. Once you’re into the Clear browsing data window, set the top filter to the beginning of time.
   
3. Now check the box next to Cached images and files, then uncheck everything else. Finally, click on Clear Browsing Data.
   

Method 3: Re-authenticate in the web app

If you already cleared the browser cookies, chances are you’ll automatically be prompted to log in again the next time you visit the site that’s displaying the error message.

When you load a web app that requires authentication, the server will send a session token to the client in order to identify it easily during future requests. But if something goes wrong and the server doesn’t recognize the session token or it sees it as invalid, you might see the 403 Forbidden Error as a result.

For most websites with a log-in system, logging out and then logging back in will force the server to create and send a new session token, which will make the 403 Forbidden Error go away.

Method 4: Disable your Extensions, Plugins or Add-ons

Extensions, modules or plugins, etc. (depending on your browser) have the ability to expand the native capabilities of your browser. But some extensions can have more control of your system than bargained for. Some of them will even attempt to make changes to the code, which most serious websites won’t allow.

If you’re experiencing the 403 Forbidden Error, it’s worth a shot to disable all extensions, modules, or whatever they’re called in your browser and reload the web page.

Conclusion

If the methods above have proved to be unsuccessful, you should consider asking the website owner if the issue is on the server-side. But if the website is working normally for other people, you should also ask if they use geo-locations criteria when granting user permissions. There have been cases where huge lists of IP addresses have been blacklisted based on location for security reasons.

Keep in mind that your ISP might also impose restrictions on certain websites to prevent you from downloading illegal stuff. Some ISPs in western and eastern Europe have automatic filters that will blacklist your IP if you’re spending too much time browsing torrent websites. In any case, you’ll only know for sure after contacting your Internet Service Provider.