403 Forbidden in WordPress – causes and solutions

A 403 Forbidden error on your WordPress site is frustrating, but it’s usually straightforward to fix once you address the underlying cause step by step.

Encountering a 403 Forbidden error on your WordPress site can be very frustrating. This error appears when the server understands the request but refuses access to the requested page or resource. For you as a site owner that’s disruptive, because it breaks your site unexpectedly. Fortunately, a 403 message is often relatively easy to resolve by tackling the underlying cause. In this article I explain what the 403 Forbidden error means, which common causes it can have on a WordPress site, and how you can fix the problem step by step.

What does the 403 Forbidden error mean?

A 403 Forbidden is an HTTP status code that indicates the server forbids access. In other words: the server understands your request, but does not execute it because you have no permission for that page. On a WordPress site this usually means something is wrong with permissions or security. Often the server blocks access because of incorrect file permissions, a plugin, or a security rule that’s configured too strictly. You might see this error when logging into wp-admin or visiting a specific page, while visitors may feel like the whole site is inaccessible. The good news is that—even though this message can be alarming—the cause is usually traceable and fixable.

Common causes on a WordPress site

There are several potential causes for a 403 Forbidden error in WordPress. Below are the most common issues that can trigger this error, with a short explanation:

  • Incorrect file permissions – If folder and file permissions are too strict, the server can block access. WordPress files and folders need the right permissions (for example 755 for folders and 644 for files) to be accessible. If the permissions are stricter than necessary, any access request may result in a 403 Forbidden error.
  • Corrupted or incorrect .htaccess file – The .htaccess file (a configuration file for your web server) controls important access rules. If this file is corrupted or contains wrong rules, it can create access conflicts and lead to a 403 error. A single bad rule in .htaccess can block certain pages or actions.
  • Security or firewall plugin blocks access – Many WordPress security plugins (such as firewalls) can be configured too aggressively. They then block certain users or actions even though they are legitimate. For example: a plugin that bans IP addresses can accidentally block your IP or treat legitimate requests as an attack, resulting in a 403.
  • IP blocked by server firewall (e.g., ModSecurity) – Apart from plugins, hosting servers often have their own security layer. A common one is ModSecurity, a web application firewall that can block suspicious request patterns. When such a firewall is triggered by your visit or action, you see a 403 Forbidden. This can happen spontaneously, even if you didn’t change anything on the site, for example due to a word or action that triggered the firewall.
  • Hosting provider restricted access (malware alarm) – Some hosting providers intervene and restrict access to (parts of) your site if something serious is detected, such as malware. Malicious code placed on your site can trigger firewall rules, causing the server to block access as a precaution. In that case the host can temporarily lock down the site until the issue is resolved.
  • Hotlink protection or disabled directory listing – Hotlink protection prevents other sites from loading your images or media directly. If this setting is misconfigured, it can also block legitimate requests from your own site, resulting in 403 errors. Likewise, servers usually return a 403 Forbidden if you try to access a folder without an index file, because directory listing is disabled. In other words, if there is no index.php or index.html in a folder and the server doesn’t show directory contents, you will get a 403 message.

Steps to fix the problem

Do you see a 403 message on your WordPress site? Follow the steps below to solve the problem systematically. Tip: After each step, check whether the site is accessible again so you can see which action had an effect.

  1. Make a backup of your site. Before making any changes, it’s wise to create a full backup of your WordPress site (files and database). That way you can always roll back if something goes wrong. Use a plugin or your hosting backup feature.
  2. Check and correct file permissions. Connect to your server via FTP or your hosting control panel and make sure the permissions are correct for all folders and files. Guideline: set directories to 755 and files to 644. Apply these permissions to all underlying items (recursively). Incorrect file permissions are a common cause of 403 errors, so this is an important step.
  3. Rename the .htaccess file and let WordPress generate a new one. Use FTP or File Manager to temporarily rename the .htaccess file in the root of your WordPress site (e.g., .htaccess_old). This effectively disables the file. Try loading your site. If the site works, your .htaccess was indeed the problem. Then go to Settings > Permalinks in your WordPress dashboard and click Save without changes. WordPress will automatically create a clean new .htaccess, overwriting any corrupt or incorrect rules with the default contents.
  4. Deactivate all plugins (temporarily). Because plugins are often the culprit, it’s smart to disable them all at once as a test. If you can still access wp-admin, deactivate all plugins in one go. If you can’t log in, rename the wp-content/plugins folder via FTP to something like plugins_off to disable all plugins. Then test the site again. If the 403 error disappears, one of the plugins caused it. Rename the folder back to plugins and reactivate plugins one by one until the error returns—this lets you identify the culprit. Replace or update that plugin, or look for an alternative.
  5. Check if your IP address or requests are being blocked. It can happen that your own IP ended up on a blacklist (for example after too many failed logins, or because of server security). Ask your hosting provider if they see anything in the firewall or error logs around the time of the 403 error. In many hosting panels (like cPanel) you can check the IP Blocker or security logs to see whether your IP is blocked. Also try accessing the site from another browser or a different internet connection—if it works there, the issue might be a local block (IP or cookie/cache problem). Ask the host to remove the block or whitelist your IP if that’s safe.
  6. Restore WordPress core files if corruption is suspected. If none of the steps above helped, or you suspect that WordPress core files are damaged, consider replacing the WordPress core files. You can do this by going to Dashboard > Updates in your dashboard and clicking Re-install—WordPress will download the latest core files and overwrite the existing ones (your content remains intact). Alternatively, you can upload the latest WordPress installation files (from wordpress.org) via FTP and overwrite the old core files (always make a backup first). This replaces any corrupt or missing files with clean copies.

When to ask for help

In most cases you can fix a 403 Forbidden error yourself with the steps above. Don’t hesitate to seek help in these situations:

  • You’re not sure what you’re doing: if terms like “FTP”, “.htaccess”, or “file permissions” are confusing, or you’re unsure, bring in an expert. The last thing you want is to create more problems by making the wrong changes.
  • The error keeps coming back: if you tried all solutions but still see the 403 message, something deeper may be happening at server level. In that case it’s advisable to contact your hosting provider’s support team. They can check server logs and firewall settings and solve issues that are not visible to you.
  • Suspected hack or malware: a 403 error can be a symptom of a hacked site, for example if a malicious script changed access permissions. Do you see other signs of a hack (strange files, warnings from Google, or alerts from your security plugin)? Then get professional help immediately. A specialist can scan your site for malware and clean it safely.

Conclusion

In short: a 403 Forbidden error means the server is refusing access to your WordPress site. In most cases the cause is an incorrectly configured permission, a plugin issue, or a security setting. By applying the step-by-step solutions above—from checking file permissions and .htaccess to ruling out plugins and firewall blocks—you can usually make your site accessible again. Always make a backup and seek help if you’re unsure or if problems persist.

Want this to stop being your problem?

If outages or errors keep repeating, the fix is often consistency: updates, backups and monitoring that don’t get skipped.

See managed WordPress hosting

  1. 500 Internal Server Error in WordPress – causes and solutions

    A 500 Internal Server Error can take your WordPress site offline instantly, but the cause is usually traceable and fixable.

    3303 words
  2. There has been a critical error on this website in WordPress – causes and solutions

    The “There has been a critical error on this website” message sounds severe, but it’s usually fixable with a clear step-by-step plan.

    1830 words
  3. White Screen of Death in WordPress – causes and solutions

    The White Screen of Death is a notorious WordPress error where your site shows nothing but a blank white page.

    2620 words