From Wikipedia, the free encyclopedia
HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it.
Specifications[edit]
HTTP 403 provides a distinct error case from HTTP 401; while HTTP 401 is returned when the client has not authenticated, and implies that a successful response may be returned following valid authentication, HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication such as insufficient permissions of the authenticated account.[a]
Error 403: «The server understood the request, but is refusing to authorize it.» (RFC 7231)[1]
Error 401: «The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.» (RFC 2616)[2]
The Apache web server returns 403 Forbidden in response to requests for URL[3] paths that corresponded to file system directories when directory listings have been disabled in the server and there is no Directory Index directive to specify an existing file to be returned to the browser. Some administrators configure the Mod proxy extension to Apache to block such requests and this will also return 403 Forbidden. Microsoft IIS responds in the same way when directory list
ings are denied in that server. In WebDAV, the 403 Forbidden response will be returned by the server if the client issued a PROPFIND request but did not also issue the required Depth header or issued a Depth header of infinity.[3]
Substatus error codes for IIS[edit]
The following nonstandard codes are returned by Microsoft’s Internet Information Services, and are not officially recognized by IANA.
- 403.1 – Execute access forbidden
- 403.2 – Read access forbidden
- 403.3 – Write access forbidden
- 403.4 – SSL required
- 403.5 – SSL 128 required
- 403.6 – IP address rejected
- 403.7 – Client certificate required
- 403.8 – Site access denied
- 403.9 – Too many users
- 403.10 – Invalid configuration
- 403.11 – Password change
- 403.12 – Mapper denied access
- 403.13 – Client certificate revoked
- 403.14 – Directory listing denied
- 403.15 – Client Access Licenses exceeded
- 403.16 – Client certificate is untrusted or invalid
- 403.17 – Client certificate has expired or is not yet valid
- 403.18 – Cannot execute request from that application pool
- 403.19 – Cannot execute CGIs for the client in this application pool
- 403.20 – Passport logon failed
- 403.21 – Source access denied
- 403.22 – Infinite depth is denied
- 403.502 – Too many requests from the same client IP; Dynamic IP Restriction limit reached
- 403.503 – Rejected due to IP address restriction
See also[edit]
- List of HTTP status codes
- URL redirection
Notes[edit]
- ^ See #403 substatus error codes for IIS for possible reasons of why a webserver may refuse to fulfill a request.
References[edit]
- ^
Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF. sec. 6.5.3. doi:10.17487/RFC7231. RFC 7231. - ^ Nielsen, Henrik; Mogul, Jeffrey; Masinter, Larry M.; Fielding, Roy T.; Gettys, Jim; Leach, Paul J.; Berners-Lee, Tim (June 1999). «RFC 2616 — Hypertext Transfer Protocol — HTTP/1.1». Tools.ietf.org. doi:10.17487/RFC2616. Retrieved 2018-04-09.
- ^ a b «HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)». IETF. June 2007. Archived from the original on March 3, 2016. Retrieved January 12, 2016.
External links[edit]
- Apache Module mod_proxy – Forward
- Working with SELinux Contexts Labeling files
- Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
Все мы, путешествуя по просторам интернета, натыкаемся на различные ошибки при загрузке сайтов. Одна из них, кстати, достаточно часто встречается – я говорю об ошибке сервера 403 Forbidden Error. Сегодня я рассмотрю причины ее возникновения и способы устранения со стороны владельца сайта и его пользователя.
Что означает ошибка 403 и почему она появляется
Ошибка сервера 403 Forbidden означает ограничение или отсутствие доступа к материалу на странице, которую вы пытаетесь загрузить. Причин ее появления может быть несколько, и вот некоторые из них:
- Формат индексного файла неверен.
- Некорректно выставленные права на папку/файл.
- Файлы были загружены в неправильную папку.
Комьюнити теперь в Телеграм
Подпишитесь и будьте в курсе последних IT-новостей
Подписаться
Исправление ошибки сервера 403 Forbidden
Чтобы исправить ошибку сервера 403 Forbidden, обязательно нужен доступ к панели управления вашего хостинга. Все описанные ниже шаги применимы к любой CMS, но примеры будут показаны на основе WordPress.
Проверка индексного файла
Сначала я проверю, правильно ли назван индексный файл. Все символы в его имени должны быть в нижнем регистре. Если хотя бы один символ набран заглавной буквой, возникнет ошибка 403 Forbidden. Но это больше относится к ОС Linux, которой небезразличен регистр.
Еще не стоит забывать, что индексный файл может быть нескольких форматов, в зависимости от конфигураций сайта: index.html, index.htm, или index.php. Кроме того, он должен храниться в папке public_html вашего сайта. Файл может затеряться в другой директории только в том случае, если вы переносили свой сайт.
Любое изменение в папке или файле фиксируется. Чтобы узнать, не стала ли ошибка итогом деятельности злоумышленников, просто проверьте графу «Дата изменения».
Настройка прав доступа
Ошибка 403 Forbidden появляется еще тогда, когда для папки, в которой расположен искомый файл, неправильно установлены права доступа. На все директории должны быть установлены права на владельца. Но есть другие две категории:
- группы пользователей, в числе которых есть и владелец;
- остальные, которые заходят на ваш сайт.
На директории можно устанавливать право на чтение, запись и исполнение.
Так, по умолчанию на все папки должно быть право исполнения для владельца. Изменить их можно через панель управления TimeWeb. Для начала я зайду в раздел «Файловый менеджер», перейду к нужной папке и выделю ее. Далее жму на пункт меню «Файл», «Права доступа».
Откроется новое окно, где я могу отрегулировать права как для владельца, так и для всех остальных.
Отключение плагинов WordPress
Если даже после всех вышеперечисленных действий ошибка не исчезла, вполне допустимо, что влияние на работу сайта оказано со стороны некоторых плагинов WordPress. Быть может они повреждены или несовместимы с конфигурациями вашего сайта.
Для решения подобной проблемы необходимо просто отключить их. Но сначала надо найти папку с плагинами. Открываю папку своего сайта, перехожу в раздел «wp-content» и нахожу в нем директорию «plugins». Переименовываю папку – выделяю ее, жму на меню «Файл» и выбираю соответствующий пункт. Название можно дать вот такое: «plugins-disable». Данное действие отключит все установленные плагины.
Теперь нужно попробовать вновь загрузить страницу. Если проблема исчезла, значит, какой-то конкретный плагин отвечает за появление ошибки с кодом 403.
Но что делать, если у вас плагин не один, а какой из них влияет на работу сайта – неизвестно? Тогда можно вернуть все как было и провести подобные действия с папками для определенных плагинов. Таким образом, они будут отключаться по отдельности. И при этом каждый раз надо перезагружать страницу и смотреть, как работает сайт. Как только «виновник торжества» найден, следует переустановить его, удалить или найти альтернативу.
Читайте также
Как решить проблему, если вы – пользователь
Выше я рассмотрела способы устранения ошибки 403 Forbidden для владельцев сайта. Теперь же разберу методы исправления в случаях с пользователем.
- Сначала надо убедиться, что проблема заключается именно в вашем устройстве. Внимательно проверьте, правильно ли вы ввели URL сайта. Может, в нем есть лишние символы. Или, наоборот, какие-то символы отсутствуют.
- Попробуйте загрузить страницу с другого устройства. Если на нем все будет нормально, значит, проблема кроется именно в используемом вами девайсе. Если нет – надо перейти к последнему шагу.
- Еще хороший вариант – немного подождать и обновить страницу. Делается это либо кликом по иконке возле адресной строки браузера, либо нажатием на комбинацию Ctrl + F5. Можно и без Ctrl, на ваше усмотрение.
- Если ничего из вышеперечисленного не помогло, надо очистить кэш и cookies. Провести такую процедуру можно через настройки браузера. Для этого необходимо открыть историю просмотров, чтобы через нее перейти к инструменту очистки. Эту же утилиту часто можно найти в настройках, в разделе «Конфиденциальность и безопасность». В новом окне нужно отметить пункты с кэшем и cookies и нажать на кнопку для старта очистки.
- Ошибка 403 Forbidden возникает и тогда, когда пользователь пытается открыть страницу, для доступа к которой сначала надо осуществить вход в систему. Если у вас есть профиль, просто войдите в него и попробуйте вновь загрузить нужную страницу.
- Если вы заходите со смартфона, попробуйте отключить функцию экономии трафика в браузере. Она находится в настройках, в мобильном Google Chrome под нее отведен отдельный раздел.
- Последний шаг – подождать. Когда ни один способ не помогает, значит, неполадки возникли именно на сайте. Возможно, его владелец уже ищет способы решения проблемы и приступает к их исполнению, но это может занять какое-то время. Пользователям остается только дождаться, когда все работы будут завершены.
Еще одна допустимая причина появления ошибки сервера 403 – доступ к сайту запрещен для определенного региона или страны, в которой вы находитесь. Бывает и такое, что сайт доступен для использования только в одной стране. Если вы используете VPN, попробуйте отключить его и перезагрузите страницу. Вдруг получится все исправить.
Если ничего из вышеперечисленного не сработало, рекомендуется обратиться к владельцу сайта. Есть вероятность, что никто не знает о возникшей проблеме, и только ваше сообщение может изменить ситуацию.
A clear explanation from Daniel Irvine [original link]:
There’s a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization.
Receiving a 401 response is the server telling you, “you aren’t
authenticated–either not authenticated at all or authenticated
incorrectly–but please reauthenticate and try again.” To help you out,
it will always include a WWW-Authenticate header that describes how
to authenticate.This is a response generally returned by your web server, not your web
application.It’s also something very temporary; the server is asking you to try
again.So, for authorization I use the 403 Forbidden response. It’s
permanent, it’s tied to my application logic, and it’s a more concrete
response than a 401.Receiving a 403 response is the server telling you, “I’m sorry. I know
who you are–I believe who you say you are–but you just don’t have
permission to access this resource. Maybe if you ask the system
administrator nicely, you’ll get permission. But please don’t bother
me again until your predicament changes.”In summary, a 401 Unauthorized response should be used for missing
or bad authentication, and a 403 Forbidden response should be used
afterwards, when the user is authenticated but isn’t authorized to
perform the requested operation on the given resource.
Another nice pictorial format of how http status codes should be used.
Nick T
25.2k11 gold badges79 silver badges120 bronze badges
answered Aug 4, 2011 at 6:24
23
Edit: RFC2616 is obsolete, see RFC9110.
401 Unauthorized:
If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
403 Forbidden:
The server understood the request, but is refusing to fulfill it.
From your use case, it appears that the user is not authenticated. I would return 401.
emery
8,03510 gold badges42 silver badges49 bronze badges
answered Jul 21, 2010 at 7:28
OdedOded
485k98 gold badges877 silver badges1003 bronze badges
11
Something the other answers are missing is that it must be understood that Authentication and Authorization in the context of RFC 2616 refers ONLY to the HTTP Authentication protocol of RFC 2617. Authentication by schemes outside of RFC2617 is not supported in HTTP status codes and are not considered when deciding whether to use 401 or 403.
Brief and Terse
Unauthorized indicates that the client is not RFC2617 authenticated and the server is initiating the authentication process. Forbidden indicates either that the client is RFC2617 authenticated and does not have authorization or that the server does not support RFC2617 for the requested resource.
Meaning if you have your own roll-your-own login process and never use HTTP Authentication, 403 is always the proper response and 401 should never be used.
Detailed and In-Depth
From RFC2616
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8).
and
10.4.4 403 Forbidden
The server understood the request but is refusing to fulfil it. Authorization will not help and the request SHOULD NOT be repeated.
The first thing to keep in mind is that «Authentication» and «Authorization» in the context of this document refer specifically to the HTTP Authentication protocols from RFC 2617. They do not refer to any roll-your-own authentication protocols you may have created using login pages, etc. I will use «login» to refer to authentication and authorization by methods other than RFC2617
So the real difference is not what the problem is or even if there is a solution. The difference is what the server expects the client to do next.
401 indicates that the resource can not be provided, but the server is REQUESTING that the client log in through HTTP Authentication and has sent reply headers to initiate the process. Possibly there are authorizations that will permit access to the resource, possibly there are not, but let’s give it a try and see what happens.
403 indicates that the resource can not be provided and there is, for the current user, no way to solve this through RFC2617 and no point in trying. This may be because it is known that no level of authentication is sufficient (for instance because of an IP blacklist), but it may be because the user is already authenticated and does not have authority. The RFC2617 model is one-user, one-credentials so the case where the user may have a second set of credentials that could be authorized may be ignored. It neither suggests nor implies that some sort of login page or other non-RFC2617 authentication protocol may or may not help — that is outside the RFC2616 standards and definition.
Edit: RFC2616 is obsolete, see RFC7231 and RFC7235.
answered Feb 5, 2013 at 17:14
ldrutldrut
3,7771 gold badge17 silver badges4 bronze badges
7
+-----------------------
| RESOURCE EXISTS ? (if private it is often checked AFTER auth check)
+-----------------------
| |
NO | v YES
v +-----------------------
404 | IS LOGGED-IN ? (authenticated, aka user session)
or +-----------------------
401 | |
403 NO | | YES
3xx v v
401 +-----------------------
(404 no reveal) | CAN ACCESS RESOURCE ? (permission, authorized, ...)
or +-----------------------
redirect | |
to login NO | | YES
| |
v v
403 OK 200, redirect, ...
(or 404: no reveal)
(or 404: resource does not exist if private)
(or 3xx: redirection)
Checks are usually done in this order:
- 404 if resource is public and does not exist or 3xx redirection
- OTHERWISE:
- 401 if not logged-in or session expired
- 403 if user does not have permission to access resource (file, json, …)
- 404 if resource does not exist or not willing to reveal anything, or 3xx redirection
UNAUTHORIZED: Status code (401) indicating that the request requires authentication, usually this means user needs to be logged-in (session). User/agent unknown by the server. Can repeat with other credentials. NOTE: This is confusing as this should have been named ‘unauthenticated’ instead of ‘unauthorized’. This can also happen after login if session expired.
Special case: Can be used instead of 404 to avoid revealing presence or non-presence of resource (credits @gingerCodeNinja)
FORBIDDEN: Status code (403) indicating the server understood the request but refused to fulfill it. User/agent known by the server but has insufficient credentials. Repeating request will not work, unless credentials changed, which is very unlikely in a short time span.
Special case: Can be used instead of 404 to avoid revealing presence or non-presence of resource (credits @gingerCodeNinja) in the case that revealing the presence of the resource exposes sensitive data or gives an attacker useful information.
NOT FOUND: Status code (404) indicating that the requested resource is not available. User/agent known but server will not reveal anything about the resource, does as if it does not exist. Repeating will not work. This is a special use of 404 (github does it for example).
As mentioned by @ChrisH there are a few options for redirection 3xx (301, 302, 303, 307 or not redirecting at all and using a 401):
- Difference between HTTP redirect codes
- How long do browsers cache HTTP 301s?
- What is correct HTTP status code when redirecting to a login page?
- What’s the difference between a 302 and a 307 redirect?
answered Feb 23, 2015 at 11:00
9
According to RFC 2616 (HTTP/1.1) 403 is sent when:
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead
In other words, if the client CAN get access to the resource by authenticating, 401 should be sent.
answered Jul 21, 2010 at 7:26
CumbayahCumbayah
4,3771 gold badge24 silver badges32 bronze badges
6
Assuming HTTP authentication (WWW-Authenticate and Authorization headers) is in use, if authenticating as another user would grant access to the requested resource, then 401 Unauthorized should be returned.
403 Forbidden is used when access to the resource is forbidden to everyone or restricted to a given network or allowed only over SSL, whatever as long as it is no related to HTTP authentication.
If HTTP authentication is not in use and the service has a cookie-based authentication scheme as is the norm nowadays, then a 403 or a 404 should be returned.
Regarding 401, this is from RFC 7235 (Hypertext Transfer Protocol (HTTP/1.1): Authentication):
3.1. 401 Unauthorized
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The origin server MUST send a WWW-Authenticate header field (Section 4.4) containing at least one challenge applicable to the target resource. If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. The client MAY repeat the request with a new or replaced Authorization header field (Section 4.1). If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user agent SHOULD present the enclosed representation to the user, since it usually contains relevant diagnostic information.
The semantics of 403 (and 404) have changed over time. This is from 1999 (RFC 2616):
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
In 2014 RFC 7231 (Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content) changed the meaning of 403:
6.5.3. 403 Forbidden
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.
An origin server that wishes to «hide» the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).
Thus, a 403 (or a 404) might now mean about anything. Providing new credentials might help… or it might not.
I believe the reason why this has changed is RFC 2616 assumed HTTP authentication would be used when in practice today’s Web apps build custom authentication schemes using for example forms and cookies.
answered Feb 27, 2013 at 9:44
6
- 401 Unauthorized: I don’t know who you are. This an authentication error.
- 403 Forbidden: I know who you are, but you don’t have permission to access this resource. This is an authorization error.
Premraj
72.1k25 gold badges236 silver badges175 bronze badges
answered Aug 6, 2019 at 12:37
4
This is an older question, but one option that was never really brought up was to return a 404. From a security perspective, the highest voted answer suffers from a potential information leakage vulnerability. Say, for instance, that the secure web page in question is a system admin page, or perhaps more commonly, is a record in a system that the user doesn’t have access to. Ideally you wouldn’t want a malicious user to even know that there’s a page / record there, let alone that they don’t have access. When I’m building something like this, I’ll try to record unauthenticate / unauthorized requests in an internal log, but return a 404.
OWASP has some more information about how an attacker could use this type of information as part of an attack.
answered Dec 25, 2014 at 9:09
4
This question was asked some time ago, but people’s thinking moves on.
Section 6.5.3 in this draft (authored by Fielding and Reschke) gives status code 403 a slightly different meaning to the one documented in RFC 2616.
It reflects what happens in authentication & authorization schemes employed by a number of popular web-servers and frameworks.
I’ve emphasized the bit I think is most salient.
6.5.3. 403 Forbidden
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.
An origin server that wishes to «hide» the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).
Whatever convention you use, the important thing is to provide uniformity across your site / API.
answered May 22, 2014 at 10:54
Dave WattsDave Watts
8407 silver badges11 bronze badges
1
These are the meanings:
401: User not (correctly) authenticated, the resource/page require authentication
403: User’s role or permissions does not allow to access requested resource, for instance user is not an administrator and requested page is for administrators.
Note: Technically, 403 is a superset of 401, since is legal to give 403 for unauthenticated user too. Anyway is more meaningful to differentiate.
answered Nov 19, 2019 at 10:17
Luca C.Luca C.
11.1k1 gold badge86 silver badges77 bronze badges
3
!!! DEPR: The answer reflects what used to be common practice, up until 2014 !!!
TL;DR
- 401: A refusal that has to do with authentication
- 403: A refusal that has NOTHING to do with authentication
Practical Examples
If apache requires authentication (via .htaccess), and you hit Cancel, it will respond with a 401 Authorization Required
If nginx finds a file, but has no access rights (user/group) to read/access it, it will respond with 403 Forbidden
RFC (2616 Section 10)
401 Unauthorized (10.4.2)
Meaning 1: Need to authenticate
The request requires user authentication. …
Meaning 2: Authentication insufficient
… If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. …
403 Forbidden (10.4.4)
Meaning: Unrelated to authentication
… Authorization will not help …
More details:
The server understood the request, but is refusing to fulfill it.
It SHOULD describe the reason for the refusal in the entity
The status code 404 (Not Found) can be used instead
(If the server wants to keep this information from client)
answered Feb 25, 2015 at 9:03
LeviteLevite
16.9k8 gold badges50 silver badges50 bronze badges
2
they are not logged in or do not belong to the proper user group
You have stated two different cases; each case should have a different response:
- If they are not logged in at all you should return 401 Unauthorized
- If they are logged in but don’t belong to the proper user group, you should return 403 Forbidden
Note on the RFC based on comments received to this answer:
If the user is not logged in they are un-authenticated, the HTTP equivalent of which is 401 and is misleadingly called Unauthorized in the RFC. As section 10.4.2 states for 401 Unauthorized:
«The request requires user authentication.»
If you’re unauthenticated, 401 is the correct response. However if you’re unauthorized, in the semantically correct sense, 403 is the correct response.
answered Oct 1, 2012 at 14:34
Zaid MasudZaid Masud
13.1k9 gold badges66 silver badges88 bronze badges
4
I have created a simple note for you which will make it clear.
answered Nov 11, 2021 at 12:19
PrathamPratham
4673 silver badges7 bronze badges
In English:
401
You are potentially allowed access but for some reason on this request you were
denied. Such as a bad password? Try again, with the correct request
you will get a success response instead.
403
You are not, ever, allowed. Your name is not on the list, you won’t
ever get in, go away, don’t send a re-try request, it will be refused,
always. Go away.
answered Apr 8, 2020 at 14:23
JamesJames
4,6155 gold badges36 silver badges48 bronze badges
2
401: You need HTTP basic auth to see this.
If the user just needs to log in using you site’s standard HTML login form, 401 would not be appropriate because it is specific to HTTP basic auth.
403: This resource exists but you are not authorized to see it, and HTTP basic auth won’t help.
I don’t recommend using 403 to deny access to things like /includes, because as far as the web is concerned, those resources don’t exist at all and should therefore 404.
In other words, 403 means «this resource requires some form of auth other than HTTP basic auth (such as using the web site’s standard HTML login form)».
https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2
answered Sep 23, 2017 at 12:33
Vlad KorneaVlad Kornea
4,2493 gold badges38 silver badges40 bronze badges
401: Who are you again?? (programmer walks into a bar with no ID or invalid ID)
403: Oh great, you again. I’ve got my eye on you. Go on, get outta here. (programmer walks into a bar they are 86’d from)
answered Aug 11, 2022 at 23:10
emeryemery
8,03510 gold badges42 silver badges49 bronze badges
0
I think it is important to consider that, to a browser, 401 initiates an authentication dialog for the user to enter new credentials, while 403 does not. Browsers think that, if a 401 is returned, then the user should re-authenticate. So 401 stands for invalid authentication while 403 stands for a lack of permission.
Here are some cases under that logic where an error would be returned from authentication or authorization, with important phrases bolded.
- A resource requires authentication but no credentials were specified.
401: The client should specify credentials.
- The specified credentials are in an invalid format.
400: That’s neither 401 nor 403, as syntax errors should always return 400.
- The specified credentials reference a user which does not exist.
401: The client should specify valid credentials.
- The specified credentials are invalid but specify a valid user (or don’t specify a user if a specified user is not required).
401: Again, the client should specify valid credentials.
- The specified credentials have expired.
401: This is practically the same as having invalid credentials in general, so the client should specify valid credentials.
- The specified credentials are completely valid but do not suffice the particular resource, though it is possible that credentials with more permission could.
403: Specifying valid credentials would not grant access to the resource, as the current credentials are already valid but only do not have permission.
- The particular resource is inaccessible regardless of credentials.
403: This is regardless of credentials, so specifying valid credentials cannot help.
- The specified credentials are completely valid but the particular client is blocked from using them.
403: If the client is blocked, specifying new credentials will not do anything.
answered Jun 2, 2018 at 23:34
401 response means one of the following:
- An access token is missing.
- An access token is either expired, revoked, malformed, or invalid.
403 response on the other hand means that the access token is indeed valid, but that the user does not have appropriate privileges to perform the requested action.
answered Feb 17, 2022 at 11:16
Ran TurnerRan Turner
12.7k4 gold badges38 silver badges48 bronze badges
0
Given the latest RFC’s on the matter (7231 and 7235) the use-case seems quite clear (italics added):
- 401 is for unauthenticated («lacks valid authentication»); i.e. ‘I don’t know who you are, or I don’t trust you are who you say you are.’
401 Unauthorized
The 401 (Unauthorized) status code indicates that the request has not
been applied because it lacks valid authentication credentials for
the target resource. The server generating a 401 response MUST send
a WWW-Authenticate header field (Section 4.1) containing at least one
challenge applicable to the target resource.
If the request included authentication credentials, then the 401
response indicates that authorization has been refused for those
credentials. The user agent MAY repeat the request with a new or
replaced Authorization header field (Section 4.2). If the 401
response contains the same challenge as the prior response, and the
user agent has already attempted authentication at least once, then
the user agent SHOULD present the enclosed representation to the
user, since it usually contains relevant diagnostic information.
- 403 is for unauthorized («refuses to authorize»); i.e. ‘I know who you are, but you don’t have permission to access this resource.’
403 Forbidden
The 403 (Forbidden) status code indicates that the server understood
the request but refuses to authorize it. A server that wishes to
make public why the request has been forbidden can describe that
reason in the response payload (if any).
If authentication credentials were provided in the request, the
server considers them insufficient to grant access. The client
SHOULD NOT automatically repeat the request with the same
credentials. The client MAY repeat the request with new or different
credentials. However, a request might be forbidden for reasons
unrelated to the credentials.
An origin server that wishes to «hide» the current existence of a
forbidden target resource MAY instead respond with a status code of
404 (Not Found).
answered Jun 5, 2018 at 15:26
cjbarthcjbarth
4,0526 gold badges41 silver badges60 bronze badges
3
I have a slightly different take on it from the accepted answer.
It seems more semantic and logical to return a 403 when authentication fails and a 401 when authorisation fails.
Here is my reasoning for this:
When you are requesting to be authenticated, You are authorised to make that request. You need to otherwise no one would even be able to be authenticated in the first place.
If your authentication fails you are forbidden, that makes semantic sense.
On the other hand the forbidden can also apply for Authorisation, but
Say you are authenticated and you are not authorised to access a particular endpoint. It seems more semantic to return a 401 Unauthorised.
Spring Boot’s security returns 403 for a failed authentication attempt
answered Apr 6, 2022 at 22:44
theMyththeMyth
2544 silver badges14 bronze badges
In the case of 401 vs 403, this has been answered many times. This is essentially a ‘HTTP request environment’ debate, not an ‘application’ debate.
There seems to be a question on the roll-your-own-login issue (application).
In this case, simply not being logged in is not sufficient to send a 401 or a 403, unless you use HTTP Auth vs a login page (not tied to setting HTTP Auth). It sounds like you may be looking for a «201 Created», with a roll-your-own-login screen present (instead of the requested resource) for the application-level access to a file. This says:
«I heard you, it’s here, but try this instead (you are not allowed to see it)»
answered Dec 12, 2014 at 19:01
3
The error usually stems from the development and design of a website, but sometimes your own system triggers it
Updated on October 11, 2022
The 403 Forbidden error is an HTTP status code that means that access to the page or resource you were trying to reach is blocked for some reason.
What Causes 403 Forbidden Errors
Different web servers report 403 Forbidden errors in different ways, the majority of which we’ve listed below (see the Common 403 Error Messages section). Occasionally a website owner will customize the site’s error, but that’s not too common.
These errors are caused by issues where you’re trying to access something that you don’t have permission for. The error is essentially saying «Go away and don’t come back here» because the server’s access permissions indicate that you’re truly not allowed access or the permissions are actually improperly set up and you’re being denied access when you shouldn’t be.
How to Fix the 403 Forbidden Error
Different website designs can produce 403 errors that might make them seem different from site to site but, overall, they are pretty much the same thing. Often, there’s not much you can do because the error typically stems from the development and design of the site.
Occasionally, though, it could be a problem on your end. Here are a few things to try so you can confirm it’s not your side of the connection causing the problem.
-
Check for URL errors and make sure you’re specifying an actual web page file name and extension, not just a directory. Most websites are configured to disallow directory browsing, so a 403 Forbidden message when trying to display a folder instead of a specific page, is normal and expected.
This is, by far, the most common reason for a website to return the 403 Forbidden error. Be sure you fully explore this possibility before investing time in the troubleshooting below.
If you operate the website in question, and you want to prevent 403 errors in these cases, enable directory browsing in your web server software.
-
Clear your browser’s cache. Issues with a cached version of the page you’re viewing could be causing 403 Forbidden issues.
-
Log in to the website, assuming it’s possible and appropriate to do so. The error message could mean that you need additional access before you can view the page.
Typically, a website produces a 401 Unauthorized error when special permission is required, but sometimes a 403 Forbidden is used instead.
-
Clear your browser’s cookies, especially if you typically log in to this website and logging in again (the last step) didn’t work.
Be sure to enable cookies in your browser, or at least for this website if you do actually log in to access this page. The 403 Forbidden error, in particular, indicates that cookies might be involved in obtaining proper access.
-
Contact the website directly. It’s possible that the 403 error is a mistake, everyone else is seeing it, too, and the website isn’t yet aware of the problem.
Most sites have support-based accounts on social networking sites, making it really easy to get a hold of them. Some even have support email addresses and telephone numbers.
How to Tell If a Website Is Down for Everyone or Just You
-
Contact your internet service provider if you’re still getting the 403 error, especially if you’re pretty sure that the website in question is working for others right now.
It’s possible that your public IP address, or your entire ISP, has been added to a blocklist, a situation that could produce this error, usually on all pages on one or more sites. If that’s the case, and your ISP can’t help you, connecting to a VPN server from a region of the world that does permit access, should be enough to resolve the error.
-
Come back later. Once you’ve verified that the page you’re accessing is the correct one and that the HTTP error is being seen by more than just you, just revisit the page on a regular basis until the problem is fixed.
How the 403 Error Can Appear on Different Sites
These are the most common incarnations of 403 Forbidden errors:
- 403 Forbidden
- HTTP 403
- Forbidden: You don’t have permission to access [directory] on this server
- Forbidden
- Error 403
- HTTP Error 403.14 — Forbidden
- Error 403 — Forbidden
- HTTP Error 403 — Forbidden
The error displays inside the browser window, just as web pages do, and like all errors of this type, it can be seen in any browser on any operating system.
These errors, when received while opening links via Microsoft 365 (formerly Microsoft Office) programs, generate the message Unable to open [url]. Cannot download the information you requested inside the Office software.
Windows Update might also report an HTTP 403 error but it will display as error code 0x80244018 or with the following message: WU_E_PT_HTTP_STATUS_FORBIDDEN.
Microsoft IIS web servers provide more specific information about the cause of 403 Forbidden errors by suffixing a number after the 403, as in HTTP Error 403.14 — Forbidden, which means Directory listing denied.
Errors Similar to 403 Forbidden
The following messages are also client-side errors and so are related to the 403 Forbidden error: 400 Bad Request, 401 Unauthorized, 404 Not Found, and 408 Request Timeout.
Several server-side HTTP status codes also exist, like the popular 500 Internal Server Error, among others that you can find in our list of HTTP status code errors.
FAQ
-
What does HTTP stand for?
HTTP stands for HyperText Transfer Protocol. It’s the network protocol used by the World Wide Web that lets you open web page links and jump from one page to the next across search engines and other websites.
-
What does HTTP error 400 mean?
The 400 Bad Request error is an HTTP status code meaning the request you sent to the website server, often something simple like a request to load a web page, was somehow incorrect or corrupted and the server couldn’t understand it. The error is often caused by entering or pasting the wrong URL in the address window.
Thanks for letting us know!
Get the Latest Tech News Delivered Every Day
Subscribe
Receiving any error code while online can be a frustrating experience. While we’ve become accustomed to 404 Not Found pages, even to the extent that it’s become common to see cute placeholder pages to entertain us whenever we get lost, one of the more puzzling errors is the 403: Forbidden response.
What does it mean?
Simply put: the server has determined that you are not allowed access to the thing you’ve requested.
According to RFC 7231:
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it…If authentication credentials were provided in the request, the server considers them insufficient to grant access.
The 403 response belongs to the 4xx range of HTTP responses: Client errors. This means either you, or your browser, did something wrong.
If you encounter this it usually means that you have already authenticated yourself with the server, i.e. you’ve logged in, but the resource you have requested expects someone with higher privileges.
Most commonly, you might be logged in as a standard user, but you are attempting to access an admin page.
How do you fix it?
As a user without access to the server, you really only have a few options:
Authenticate yourself with a more appropriate account
Again, according to RFC 7231:
If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials.
This is the only one that gives you any immediate power to rectify the issue.
If you have multiple accounts for a site and you are attempting to do something you can usually do, but this time are forbidden from doing, this is the option you should try. Log in with your other account.
You may find that this option also requires clearing your cache or cookies, just in case logging in as another user doesn’t sufficiently flush the previous authentication tokens. But this is usually unnecessary.
As a desperate move, you could also try disabling browser extensions that might be interfering with your use of the site. However, this is unlikely, since a 403 implies you are authenticated, but not authorized.
Notify the site owner that a 403 is being returned when you’d expect otherwise
If you fully expect that you should be able to access the resource in question, but you are still seeing this error, it is wise to let the team behind the site know — this could be an error on their part.
Once more from RFC 7231:
However, a request might be forbidden for reasons unrelated to the credentials.
A common cause for this happening unintentionally can be that a server uses allow- or deny-lists for particular IP addresses or geographical regions.
They might have a good reason for blocking your access outside of their strictly defined parameters, but it could also just be an oversight.
Give up.
Maybe you just aren’t supposed to be able to access that resource. It happens. It’s a big internet and it’s reasonable to expect that there are some areas off limits to you personally.
You could visit http.cat instead while ruminating on why your original request was forbidden.
As a reader of freeCodeCamp News, you are almost certainly not forbidden from following @JacksonBates on Twitter for more tech and programming related content.
Learn to code for free. freeCodeCamp’s open source curriculum has helped more than 40,000 people get jobs as developers. Get started
Did you just try to access your WordPress site only to be hit by some message telling you something is “Forbidden” or that you don’t have permission to access something on your site? If so, you’ve likely run into the 403 Forbidden error on WordPress.
Seeing an error on your WordPress site can be frustrating and deflating, which is why we’ve created this detailed guide to help you fix the 403 Forbidden Error on WordPress and get your site functioning again as quickly as possible.
Let’s get started without any further introduction because we’re sure you just want to fix your site!
Prefer the video version?
What is the 403 Forbidden Error?
The Internet Engineering Task Force (IETF) defines the error 403 Forbidden as:
The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).
| Error Code | 403 |
| Error Type | Authentication error |
| Error Variations | Forbidden – You don’t have permission to access / on this server
403 – Forbidden: Access is denied Error 403 – Forbidden 403 – Forbidden Error – You are not allowed to access this address 403 Forbidden – nginx HTTP Error 403 – Forbidden – You do not have permission to access the document or program you requested 403 Forbidden – Access to this resource on the server is denied 403. That’s an error. Your client does not have permission to get URL / from this server You are not authorized to view this page It appears you don’t have permission to access this page |
| Error Causes | Corrupt .htaccess file
Incorrect file permissions Plugin issues |
Like many other common WordPress errors, the 403 Forbidden error is an HTTP status code that a web server uses to communicate with your web browser.
Quick background on HTTP status codes – whenever you connect to a website with your browser, the web server responds with something called an HTTP header. Usually, this all happens behind the scenes because everything is working normally (that’s a 200 status code, in case you were wondering).
However, if something goes wrong, the server will respond back with a different numbered HTTP status code. While these numbers are frustrating to encounter, they’re actually quite important because they help you diagnose exactly what’s going wrong on your site.
The 403 Forbidden error means that your web server understands the request that the client (i.e. your browser) is making, but the server will not fulfill it.
In more human-friendly terms, it basically means that your server knows exactly what you want to do, it just won’t let you do it because you don’t have the proper permissions for some reason. It’s kind of like you’re trying to get into a private event, but your name got accidentally removed from the guestlist for some reason.
Other HTTP status codes mean different things. We’ve written guides on fixing issues with 404 not found errors, 500 internal server errors, 502 bad gateway errors, and 504 gateway timeout errors.
What Causes the 403 Forbidden Error on WordPress?
The two most likely causes of the 403 Forbidden Error on WordPress are:
- Corrupt
.htaccessfile - Incorrect file permissions
It’s also possible that you’re seeing the error because of an issue with a plugin that you’re using at your site. In this article, we’ll show you how to troubleshoot all of these potential issues.
403 Forbidden Error Variations
Like many other HTTP status codes, there are a lot of different variations for how this error code presents itself.
Here are some common variations that you might come across:
- “Forbidden – You don’t have permission to access / on this server”
- “403 – Forbidden: Access is denied”
- “Error 403 – Forbidden”
- “403 – Forbidden Error – You are not allowed to access this address”
- “403 Forbidden – nginx”
- “HTTP Error 403 – Forbidden – You do not have permission to access the document or program you requested”
- “403 Forbidden – Access to this resource on the server is denied”
- “403. That’s an error. Your client does not have permission to get URL / from this server”
- “You are not authorized to view this page”
- “It appears you don’t have permission to access this page.”
If you’re on an Nginx server, it will look like this below. Basically, if you see any mention of “forbidden” or “not allowed to access”, you’re probably dealing with a 403 Forbidden error.
How to Fix 403 Forbidden Error on WordPress
To help you fix the 403 Forbidden Error on your WordPress site, we’ll cover five separate troubleshooting steps in detail:
- File permissions
- .htaccess file
- Plugin issues
- CDN issues
- Hotlink protection
1. Modify Your File Permissions
Each folder and file on your WordPress site’s server has its own unique file permissions that control who can:
- Read – see the data in the file/view the contents of a folder.
- Write – modify the file/add or delete files inside a folder
- Execute – run the file and/or execute it as a script/access a folder and perform functions and commands.
These permissions are indicated by a 3-digit number, with each digit indicating the level of permission for each of the 3 categories above.
Normally, these permissions just “work” for your WordPress site. However, if something gets messed up with the file permissions at your WordPress site, it can cause the 403 Forbidden error.
To view and modify your site’s file permissions, you’ll need to connect via FTP/SFTP. Here’s how to use SFTP if you’re hosting at Kinsta.
For the screenshots in the tutorial below, we’ll be using the free FileZilla FTP program. The basic principles will apply to any FTP program, though – you’ll just need to apply them to a different interface.
Once you’re connected to your server, you can view a file or folder’s permissions by right-clicking on it:
Of course, manually checking the permissions for each file or folder isn’t really an option. Instead, you can automatically apply file permissions to all the files or folders inside of a folder.
According to the WordPress Codex, the ideal file permissions for WordPress are:
- Files – 644 or 640
- Directories – 755 or 750
One exception is that your wp-config.php file should be 440 or 400.
To set these permissions, right-click on the folder that contains your WordPress site (the folder name is public at Kinsta). Then, choose File Attributes:
Enter 755 or 750 in the Numeric value box. Then, choose Recurse into subdirectories and Apply to directories only:
Once you’ve applied the correct permissions for directories, you’ll repeat the process for files. Only this time:
- Enter 644 or 640 in the Numeric value box
- Choose Recurse into subdirectories
- Choose Apply to files only
To finish the process, you just need to manually adjust the permissions for your wp-config.php file to make them 440 or 400:
If file permissions issues were causing the 403 Forbidden Error, your site should now start working again.
2. Delete and Restore the .htaccess File
Kinsta uses the NGINX web server, so this potential issue doesn’t apply if you’re hosting your site at Kinsta because Kinsta sites do not have a .htaccess file.
However, if you’re hosting elsewhere and your host uses the Apache web server, one common cause of the 403 Forbidden error is a problem in your site’s .htaccess file.
The .htaccess file is a basic configuration file used by the Apache web server. You can use it to set up redirects, restrict access to all or some of your site, etc.
Because it’s so powerful, even if a little mistake can cause a big issue, like the 403 Forbidden error.
Rather than trying to troubleshoot the .htaccess file itself, a simpler solution is to just force WordPress to generate a new, clean .htaccess file.
To do that:
- Connect to your server via FTP
- Find the
.htaccessfile in your root folder - Download a copy of the file to your computer (it’s always a good idea to have a backup just in case)
- Delete the
.htaccessfile from your server after you have a safe backup copy on your local computer
Now, you should be able to access your WordPress site if your .htaccess file was the issue.
To force WordPress to generate a new, clean .htaccess file:
- Go to Settings → Permalinks in your WordPress dashboard
- Click Save Changes at the bottom of the page (you do not need to make any changes – just click the button)
And that’s it – WordPress will now generate a new .htaccess file for you.
3. Deactivate and then Reactivate Your Plugins
If neither your site’s file permissions nor .htaccess file are the problems, the next place to look is your plugins. It could be a bug in a plugin or a compatibility issue between different plugins.
No matter what the issue is, the easiest way to find the problematic plugin is with a little trial and error. Specifically, you’ll need to deactivate all of your plugins and then reactivate them one by one until you find the culprit.
If you can still access your WordPress dashboard, you can perform this process from the normal Plugins area.
If you cannot access your WordPress dashboard, you’ll instead need to connect to your WordPress site’s server via FTP/SFTP (here’s how to connect via SFTP at Kinsta).
Once you’re connected to your server via FTP:
- Browse to the wp-content folder
- Find the plugins folder inside of the wp-content folder
- Right-click on the plugins folder and choose Rename
- Change the name of the folder. You can name it anything different, but we recommend something like plugins-disabled to make it easy to remember.
By renaming the folder, you’ve effectively disabled all the plugins at your site.
Now, try accessing your site again. If your site is working, you know that one of your plugins is causing the 403 Forbidden error.
To find the culprit, reactivate your plugins one-by-one until you find which plugin is causing the issue.
After changing the file name of the plugins folder, you should see a number of errors that say plugin file does not exist when you go to the Plugins area on your site:
To fix this issue and regain the ability to manage your plugins, use your FTP program to change the name of the folder back to plugins. So, if you renamed it to plugins-disabled, just change it back to plugins.
Once you do that, you’ll see the full list of all your plugins again. Only now, they’ll all be deactivated:
Use the Activate button to reactivate them one-by-one.
Once you find the plugin that’s causing the issue, you can either reach out to the plugin’s developer for help or choose an alternate plugin that accomplishes the same thing (we’ve collected the best WordPress plugins here).
4. Deactivate CDN Temporarily
If you’re getting 403 forbidden errors on your assets (images, JavaScript, CSS), it could be a problem with your content delivery network (CDN). In this case, we recommend temporarily disabling your CDN and then checking your site to see if it works. If you’re a Kinsta client, click into your site and then on the “Kinsta CDN” tab. Once there, toggle the “Kinsta CDN” button off.
5. Check to See If Hotlink Protection Is Misconfigured
Hotlinking is when someone adds an image to their site, but the hosted link is still pointed to someone else’s site. To prevent this, some will set up what is called “hotlink protection” with their WordPress host or CDN provider.
When hotlink protection is enabled, it will typically return a 403 forbidden error. This is normal. However, if you’re seeing a 403 forbidden error on something you shouldn’t be, check to make sure hotlink protection is configured properly.
Still Having Issues? Reach Out to Your Hosting Provider
If none of the above solutions worked for you, then we recommend reaching out to your hosting provider. They can most likely help you pinpoint the issue and get you back up and running. If you’re a Kinsta client, open up a support ticket with our team. We are available 24/7.
Summary
The 403 Forbidden error means that your server is working, but you no longer have permission to view all or some of your site for some reason.
The two most likely causes of this error are issues with your WordPress site’s file permissions or .htaccess file. Beyond that, some plugin issues might also cause the 403 Forbidden error. Or it could be that something is misconfigured with hotlink protection or your CDN.
By following the troubleshooting steps in this guide, you should be able to get your site back to working in no time.
Get all your applications, databases and WordPress sites online and under one roof. Our feature-packed, high-performance cloud platform includes:
- Easy setup and management in the MyKinsta dashboard
- 24/7 expert support
- The best Google Cloud Platform hardware and network, powered by Kubernetes for maximum scalability
- An enterprise-level Cloudflare integration for speed and security
- Global audience reach with up to 35 data centers and 275 PoPs worldwide
Test it yourself with $20 off your first month of Application Hosting or Database Hosting. Explore our plans or talk to sales to find your best fit.
Does the term ‘403 forbidden’ seem familiar? This is a client-side error that denies you access to specific areas of a website. You might have seen it when you landed on a webpage with a permission error or an empty website directory.
Why? Because the majority of websites are configured to disallow directory browsing, with an aim to stop unauthorized users from getting into files containing sensitive data.
But if you or users run into a 403 forbidden error on your website, you need to fix it — or you could lose traffic. And that would cost you invaluable new customers over time.
However, as there are various causes for a 403 forbidden error, you have more than one solution to consider.
In this guide, we’ll explore everything you need to know about 403 forbidden errors, including likely causes and several solutions to try.
What Does the 403 Forbidden Error Mean?
The HTTP status code ‘403 forbidden — you don’t have permission to access this resource’ is displayed when a web server recognizes a user’s request but is unable to allow additional access.
What Causes the 403 Forbidden Error?
HTTP 403 forbidden errors are typically triggered by a client-side setup issue, so you should be able to fix it independently. One of the most common reasons for a 403 forbidden error is the settings for a specific folder or file. These determine which users can read, write, or execute that folder or file.
In this case, the site owner may have:
- Changed the settings and denied you from accessing the relevant resources.
- Failed to put the proper permissions in place.
Another common cause is the htaccess file settings, which may simply be wrong or (less simply) corrupt. This could occur after a file has been changed. Fortunately, you can fix this problem in an easy way — just create a new server configuration file.
Other possible causes of a 403 forbidden error include:
- Incorrect IP address: A domain name directs to an incorrect or outdated IP address hosting a site that prevents you from gaining access.
- Issues with a WordPress plugin: WordPress plugins that are incompatible with other plugins or set up incorrectly.
- New link to page: A site owner updates a page’s link, which differs from the version that has been cached.
- Malware: Malware infections can lead a .htaccess file to be in a state of ongoing corruption, so you would need to get rid of the infection before completing a file restoration.
- No index page: Your site’s homepage isn’t named ‘index.php’ or ‘index.html’.
Any of these causes may be responsible for your site’s 403 forbidden error.
Try These Techniques to Solve Your 403 Forbidden Error
The techniques we’ll explore below focus primarily on 403 forbidden errors associated with file access permissions. But alternative options, including malware scans and emptying your browser’s cache, could also fix the problem.
And while we focus on WordPress websites, you can apply our solutions to different types of sites too.
Assess the .htaccess File for Signs of Corruption
The .htaccess file usually remains inside the site’s document root..
Are you using cPanel or Plesk? First, find the File Manager, open the site’s document root directory, then search for the .htaccess file. Not there? In case of cPanel tap ‘Settings’ in the top-right area of the screen, then turn on the ‘Show Hidden Files (dotfiles)’ setting.
The .htaccess file primarily works by adjusting the settings for Apache Web Server, as it’s a server configuration file. But while you’ll find this file on the majority of sites by default, you have to manually make a new file if your site lacks one or it has been accidentally deleted.
In any case, when you find the file, take the following steps to find out whether the 403 forbidden error has been caused by an incorrect configuration:
- Right-click on the file then tap ‘Download’ to make a backup.
- Delete the file.
- Try to access your site — if you can get into it, it’s safe to say that the file was corrupted.
- If you want to make a new .htaccess file, sign in to your WordPress dashboard then click on the ‘Settings’ option followed by ‘Permalinks’.
- Tap the ‘Save Changes’ button without making changes.
Completing these steps will create a new .htaccess file for your site. But if this process fails to fix the problem, move on to our next technique.
Resetting Permissions for the File and Directory
Incorrect file or folder permissions could be causing your HTTP 403 issue.
New files carry certain default permissions that determine how you read, write, and execute them. But you can edit permissions for files and folders with FTP. To get started:
- Set up an FTP client and connect it to your site.
- Right-click ‘publichtml’ after connecting the FTP client, then select ‘File Attributes’.
- Input permission ‘755’ in the ‘Numeric value’ field, choose ‘Apply to directories only’, then press ‘ok’.
Generally, with regards to file permission numeric values, ‘755’ relates to folders, ‘644’ relates to static content, while ‘700’ relates to dynamic content.
Next, once you have adjusted your folder permissions, repeat the second and third steps above — but use ‘644’ in the ‘Numeric value’ field instead. Then, click on ‘Apply to files only’.
After you complete these steps, try to access your site to find out if you have fixed the problem.
Deactivating Plugins for WordPress
It’s likely that your 403 forbidden error is caused by a plugin which is faulty or simply incompatible if neither of the previous techniques have worked for you. So, we’ll explore how to disable plugins to discover if they’re behind the error.
Before we begin, though, we want to recommend that you disable all of the plugins at the same time rather than disabling them one by one.
Follow these steps:
- Use FTP to get into your hosting account, or use the file manager in your hosting account, and navigate to the public_html -> wp-content folder.
- Find the ‘plugins’ folder.
- Change the folder’s name to something simple and relevant, such as ‘plugins-disabled’, to disable all of the plugins.
Next, try to access your site — if you don’t see the error again, the problem will have been caused by a plugin which is no longer active.
Change the folder name back to ‘plugins’, then disable one plugin at a time and see if the site continues to run properly. This will make it easy to identify the plugin causing the problem.
Either update or delete the plugin when you find it. But if the 403 forbidden error continues to appear, get in touch with your hosting provider for further help.
Index Page Uploading
Take a look at the name of your site’s homepage: it should be &lsquoindexphp’ or index.html’. Otherwise, you have two options to consider.
One possibility is to name your homepage either ‘index.php’ or ‘index.html’ instead. Alternatively, if you would prefer to retain the current name, just upload an index page to your public_html directory then set up a redirect to your present homepage.
Sounds good? Follow these steps:
- Use FTP or the file manager in your hosting account to upload an index.php or index.html file to your public_html directory.
- Find the .htaccess file and open it.
- Enter this snippet of code to start redirecting the index.php or index.html file to your present homepage:
Redirect index.html /myhomepagehtml
And make sure you swap ‘nyhomepage.html’ with the actual page name.
Reconfigure Ownership of the File
Do you use VPS or Linux web hosting? Improper file ownership could be causing your 403 forbidden error problem.
Folders and files may be assigned to a specific Group, Owner, or even both. However, you’ll require SSH access to change ownership within these environments, as well as an SSH terminal for connecting to the VPS.
Use the following SSH command to assess ownership after you connect SSH to your site’s server:
ls -1 [file name]
You should see this (or something similar):
-rwxrw-rw- 1 [owner][group] 20 Jul 22 12:00 filename.txt
Focus on the owner and group elements: the username for your hosting account will be the proper ownership. If the ownership is different, enter the following chown Linux command to change that:
chown [owner][:group] [file name]
Check Your A Record
Another potential reason for your 403 forbidden error is that your domain name is pointing to the incorrect IP address, where you lack permission to view the site’s content. To get around that, verify that your domain name is pointing to the right IP address.
Your domain could still point to your previous web host if you have migrated to a new one and forgot about updating your nameservers. A 403 error status code will be triggered when your previous host terminates your account.
Run a Malware Scan
Your 403 error may be due to malware: your WordPress website may continually add unwanted code to the .htaccess file after becoming infected. The 403 error will continue even if you fix the file using our first suggested method.
So, run a scan of your site to find malware using a WordPress plugin like Wordfence or Sucuri. Most security plugins for WordPress can get rid of malware: you’ll be presented with various options when the plugin locates the infection, such as restoring or deleting the affected files.
Another way to restore your site is to use backup files or, if you’re missing a full backup of the necessary files, a database backup.
Empty Your Cache
Our final recommended technique for fixing your 403 forbidden error involves the cache and cookies in your browser. The cache retains data to help websites load more quickly next time you go back to it. But the real page link could be different from the cached one if a site has been updated.
Additionally, cookies may trigger an error too. That could be the case if you see the error when trying to sign in to a site that you log into frequently.
Fortunately, clearing out both the cache and cookies in your chosen browser could solve the problem. But be prepared: emptying the cache could cause a site to run more slowly the next time you visit it, as the browser will request the site’s files again. Also, emptying your cookies will log you out of any sites that you’re currently signed in to.
If you use Google Chrome like countless other people, take the following steps to clear out your cache and cookies:
- Tap the ellipsis icon in the top-right area of the screen, then click on ‘Settings’.
- Locate the ‘Privacy and security’ section, then tap the ‘Clear browsing data’ button.
- Choose the data-deletion time period via the drop-down menu, then select both ‘Cookies and other site data’ and ‘Cached images and files’.
- Tap the ‘Clear data’ button to proceed.
After finishing all four steps, go back to your site and sign in if necessary. Hopefully, the 403 forbidden error will be solved!
Conclusion
If you have run into 403 forbidden errors before, you’ll know just how annoying they can be, especially when they prevent you from accessing a website you depend on daily. They’re typically caused by file permission issues, though glitchy plugins and malware infections could be responsible too.
It’s not always easy to identify the reason for 403 errors, but the eight techniques explored in this guide should help you get your site running properly again.
However, there are plenty of HTTP error codes, and the 403 forbidden is just one of them. Website owners may face client- and server-side errors, including 404 and 504 gateway timeouts.
The more you know about these and other errors, the faster you will be able to fix them if they disrupt activity on your site.
Introduction
When a web server denies access to a particular webpage or web content, it displays the 403 Forbidden error. Different web servers report different variations of the 403 Forbidden error.
In this article, you will learn what a 403 error is and how to fix it.
The 403 Forbidden error happens when a web server denies access to a webpage to a user trying to access it trough a web browser. The name «403 error» derives from the HTTP status code that the web server uses to describe that type of error.
There are several variations of the error and several reasons why the web server has denied access. The following sections deal with the different ways the error is displayed and its causes.
Common 403 Error Messages
Like with other errors, webmasters can customize how the 403 error is displayed. Its contents also depend on the web server used. That is why there are many different 403 pages across different websites.
Some common 403 error messages are:
- 403 Forbidden
- HTTP 403
- Forbidden
- HTTP Error 403 – Forbidden
- HTTP Error 403.14 – Forbidden
- Error 403
- Forbidden: You don’t have permission to access [directory] on this server
- Error 403 – Forbidden
- 403 Forbidden Error
- 403 Error

The image above shows an example of a 403 Forbidden error served by an Nginx web server.
What Causes the 403 Forbidden Error
The 403 Forbidden error usually occurs due to access misconfiguration. The misconfiguration involves improper read, write, or execute permission settings for a file or directory.
Possible causes for the 403 Forbidden error are:
- An empty website directory. If there is no index.php or index.html page, the 403 error displays.
- Missing index page. The 403 error may occur if the homepage name isn’t index.html or index.php.
- Permission/ownership errors. Incorrect permission settings or ownership cause the 403 error.
- Incorrect .htaccess file settings. The .htaccess file holds important website configuration settings, and it could be corrupted.
- Malware infection. If your files are infected with malware, it can keep corrupting the .htaccess file.
- Cached outdated webpage. The 403 error comes up if the page link has been updated, which is now different from the cached version.
- Faulty plugin. Improperly configured WordPress plugins or their incompatibility could trigger the 403 error.
The following section deals with different ways of fixing the 403 Forbidden error.
How to Fix the 403 Forbidden Error (Tips for Webmasters)
You can do several things to fix the 403 Forbidden error, depending on whether you are a website visitor or a webmaster.
The following fixes for the 403 Forbidden error are resources for site webmasters:
Check Website Directory
An empty website directory may cause the 403 error. Make sure that the content is in the correct directory on the server.
Depending on the server you are using, the correct directory for your content is:
- For Nginx: /var/www/vhosts/domain.com/httpdocs/
- For Apache: /home/username/public_html/
If there is no such directory, create one.
Add an Index Page
The website homepage by default is index.html or index.php. If there is no such page on your website, the visitors can encounter a 403 Error. Resolve this by uploading an index page to your httpdocs or public_html directory.
If you already have a homepage named other than index, you can rename it or set up a redirect in your .htaccess file to that homepage.
Warning: Be careful when editing the .htaccess file as it contains server configuration instructions and affects your web server’s behavior. The file is usually hidden as a precaution, but you can find it in your public_html directory by checking the Show Hidden Files option.
To redirect to your homepage, follow the steps below:
1. Log in to cPanel and navigate to your public_html directory.
Note: You can also download and edit the .htaccess file locally using an FTP client instead of cPanel.
2. Right-click the .htaccess file and choose Edit from the dropdown menu.

3. Redirect the index.php or index.html file to your existing homepage by inserting the following code snippet:
redirect /index.html /homepage.html
Replace homepage.html with the actual name of your page.
Check File and Directory Permissions
Each file and directory on your website have permissions that control access to those files and directories. Incorrect file or directory permissions can cause the 403 Forbidden error. The permissions specify who has read or write access to the file or directory in question.
The permissions are represented with numeric values. The general practice is to use:
- 755 for directories
- 644 for static content
- 700 for dynamic content
Note: Linux file permissions can include numbers, letters, or words, as well as an entry stating to whom the file has been assigned — Owner, Group, or Both.
You can change file permissions recursively with the chmod command. If you prefer a GUI, use an FTP client to change file or directory permissions.
Create a New .htaccess File
A 403 error can be the result of improper .htaccess file configuration. The .htaccess file controls the high-level website configuration.
Follow the steps below to check if the .htaccess file is the cause of the 403 error:
1. Find the .htaccess file via your file management software (e.g., cPanel) or via an sFTP or FTP client.
2. Right-click the .htaccess file and select Download to create a local backup.

3. Next, click Delete to delete the file.
4. Visit your website. If the 403 error no longer appears, it means that the .htaccess file was corrupt.
5. Now you need to generate a new .htaccess file. Log in to your dashboard and click Settings > Permalinks.

6. Don’t make any changes. Just click the Save Changes button to create a new .htaccess file.
Visit your website to check if the error is fixed.
Enable Directory Browsing
If the website shows a 403 error when you’re trying to browse a directory, you may need to enable directory browsing in your web server software. You can turn on directory browsing in the config file. If you don’t feel confident editing the config files yourself, seek help from a web master or your hosting provider.
The following examples show how to enable directory browsing in different web servers:
- IIS Express
1. Open the Web.config file of your project.
2. Add the following tags within <system.webServer>:
<directoryBrowse enabled="true" />
<modules runAllManagedModulesForAllRequests="true" />
- Nginx
Change the autoindex value to on in the config file:
The following is an example of the config file with the on value for autoindex.
server {
listen 80;
server_name phoenixnap.com www.phoenixnap.com;
access_log /var/...........................;
root /path/to/root;
location / { index index.php index.html index.htm; }
location /somedir { autoindex on; }
}
Apache
You have to specify the DirectoryIndex directive in the site’s .conf file (found in /etc/apache2/sites-available on Linux).
Turn on directory browsing in the Options directive. Following is an example of the .conf file with directory browsing turned on:
<Directory /usr/local/apache2/htdocs/listme>
Options +Indexes
</Directory>
Contact the Hosting Company
The reason for the 403 Forbidden error could be with the hosting company and not with you. If everything else fails to remove the error, get in touch with your hosting company and let them check what could be causing the issue.
Disable WordPress Plugins
Sometimes, a faulty or incompatible plugin is what causes a 403 forbidden error. You can try to fix the error by disabling all plugins to check if the error goes away.
Follow the steps below to disable all plugins:
1. Log into the WP Admin and navigate to Plugins > Installed Plugins.
2. Select all plugins, choose Deactivate from the drop-down menu and click Apply.
3. Try to access your website. If there is no 403 forbidden error, that means that the cause was one of the plugins.
4. Now enable one plugin at a time to determine which one is causing the 403 error. When you find the root of the problem, update or remove the plugin or install an alternative one to resolve the issue.
Check the A Record
One of the reasons for the 403 Forbidden error can be a domain name pointing to the wrong IP address, where you don’t have the permission to view the content. This happens when the A record of a migrated website still points to the old IP address.
Follow the steps below to check if the domain A record points to the right IP address:
1. Log in to cPanel.
2. In the Domains section, click DNS Zone Editor.

3. In the list of DNS records, find the record with the A label in the Type column.

4. Check if the A record IP address in the Record column is correct. If it’s wrong, click Edit to change it.
5. Click Update to finish.
Revisit the website to see if the issue has been resolved.
Scan for Malware
Having malware on your web server can cause the 403 Forbidden error. The malware can keep injecting unwanted lines into the .htaccess file, and that way the error persists even if you generate a new .htaccess file.
Use a security plugin to scan your web server for malware and remove it if any is found. Most plugins also offer actions when detecting malware infected files, such as deleting the infected file or restoring it.
Some of the best security plugins for WordPress are Sucuri, Wordfence, Defender, etc.
How to Fix the 403 Forbidden Error (Tips for Site Visitors)
If you are a site visitor that has encountered the 403 error, below is a list of things you can try to fix the issue.
Check URL
A wrong URL is a common cause of the 403 Forbidden error. Make sure that you’re trying to access an actual webpage instead of a directory.
Many websites don’t allow visitors to browse through directories, so if you are trying to acces a directory, you will likely get a 403 Forbidden error.
Clear History/Cache
Your browser stores cached webpages to load them faster the next time you visit them. Sometimes the website link has been updated, making the actual link different from the cached version. Loading the cached version then results in a 403 error.
The stored cookies on your browser can also cause the 403 error. If the cookies are invalid or corrupted, they can cause improper server authentication. Clearing browser cache and cookies should resolve this issue.
Note: Clearing the browser cache and cookies means that the next time you load the webpage, your browser requests all the site files again, making it load slower. Clearing the cookies also signs you out from all logged-in websites.
Follow the steps below to clear the cache and cookies on Google Chrome:
- Click the three-dot button on the top right corner and select Settings.

2. Find the Privacy and security section and click Clear browsing data.

- In the drop-down menu, select the data deletion time frame.
- Check the Cookies and other site data and Cached images and files options and click Clear data.

Try to reload the site to see if the problem persists.
Log in
A 403 Forbidden error code could sometimes appear because you need to log in to a website to access a page. If possible, log in with your credentials to gain access to the content.
Note: Although the 401 error is usually displayed when you need special permission to access content, sometimes the 403 Forbidden error is displayed instead.
Reload the Page
Sometimes, reloading the page is the trick to getting around the 403 Forbidden error. Each browser has its own reload button near the address bar. Press Ctrl+F5 on Windows and Linux or Cmd+Shift+R on Mac to reload the page if you prefer using the keyboard.
Try Later
If you aren’t the only one denied access to the website, then the problem is usually with the host. Revisit the site later and see if the issue has been resolved.
Contact Your ISP
If you cannot get around the 403 error on a website, but it works for other people, contact your internet service provider (ISP).
Your IP address could be added to a blocklist, and it is causing the 403 forbidden error. In that case, your ISP cannot help you, and the only way to access the website is to use a VPN.
Conclusion
High website availability provides the best user experience and shows reliability. That is why website owners try to keep their site available at all times and invest in website maintenance services.
Preventing or quickly resolving HTTP errors is crucial if you want to retain your visitors. After reading this guide, you should be able to promptly fix the 403 Forbidden error and keep your business running.





















