403 Forbidden Error

Errors & Troubleshooting | Updated March 2026

A 403 Forbidden error means the server understood your request but refuses to fulfill it. Unlike a 404 (page not found) or 500 (server error), a 403 means the file exists but something is blocking access to it. On our servers, the cause is almost always file permissions, .htaccess rules, directory index settings, or ModSecurity. This guide covers each one with the fix.

In This Guide
  1. File and Directory Permissions
  2. htaccess Blocking Access
  3. No Directory Index
  4. ModSecurity Blocking
  5. IP Restrictions
  6. CMS-Specific 403 Errors
Most Common Fix

Check Permissions First

90% of 403 errors on shared hosting are caused by wrong file permissions. The correct settings are:

  • ✓ Directories: 755
  • ✓ Files: 644
  • ✓ Fix all at once via SSH: find ~/public_html -type d -exec chmod 755 {} \; && find ~/public_html -type f -exec chmod 644 {} \;

01. File and Directory Permissions

CloudLinux with suPHP/LSAPI requires that files are owned by your cPanel user and have appropriate permissions. If a file is set to 777 (world-writable), the server rejects it as a security risk. If a directory is set to 600 (owner-only), the web server can't read it.

Correct Permissions

  • Directories - 755 (owner: read/write/execute, group+others: read/execute)
  • PHP files - 644 (owner: read/write, group+others: read)
  • .htaccess - 644
  • wp-config.php - 640 or 644

Fix All Permissions

In cPanel > Terminal or via SSH:

find ~/public_html -type d -exec chmod 755 {} \;
find ~/public_html -type f -exec chmod 644 {} \;

Ownership Issues

If fixing permissions doesn't help, the files may be owned by the wrong user (e.g., root or nobody instead of your cPanel username). This happens after restoring backups or running scripts with elevated privileges. Contact support to fix ownership, as it requires server-level access.

02. .htaccess Blocking Access

Your .htaccess file may contain rules that deny access. Common examples:

# This blocks everyone
Order Deny,Allow
Deny from all

# This blocks specific IPs
Deny from 123.45.67.89

# This blocks by user agent
RewriteCond %{HTTP_USER_AGENT} (BadBot) [NC]
RewriteRule .* - [F,L]

To test, temporarily rename .htaccess to .htaccess_backup via File Manager or FTP. If the 403 goes away, the problem is in that file. Review each rule to find which one is blocking legitimate access.

Tip

Check for .htaccess files in subdirectories too, not just the root. An .htaccess in /public_html/wp-admin/ or /public_html/images/ can block access to that specific directory while the rest of the site works fine.

03. No Directory Index

If you visit a directory URL (like yourdomain.com/images/) and there's no index.html or index.php in that directory, the server returns a 403 instead of listing the directory contents. This is correct security behavior; you don't want directory listings publicly visible.

Fix Options

  • Add an index file - create a blank index.html in the directory
  • Link directly to files - instead of linking to the directory, link to the specific file (e.g., /images/photo.jpg)
  • Enable directory listing (not recommended) - add Options +Indexes to .htaccess. Only do this for directories you intentionally want browsable

04. ModSecurity Blocking

Our servers run ModSecurity (a web application firewall) that blocks requests matching known attack patterns. Occasionally it triggers a false positive on legitimate requests, returning a 403.

How to Identify

Check cPanel > Errors. ModSecurity blocks show messages containing ModSecurity with a rule ID number. The error log entry tells you exactly which rule triggered and what part of the request it flagged.

How to Fix

If a ModSecurity rule is blocking legitimate functionality on your site, open a support ticket with the error log entry. We can add an exception for the specific rule on your account without disabling security for the entire server.

Warning

Don't ask to disable ModSecurity entirely. It protects your site from SQL injection, cross-site scripting, and other attacks. We can whitelist specific rules or URLs while keeping protection active for everything else.

05. IP Restrictions

Your IP may be blocked by the server firewall (CSF), by IP restrictions in cPanel, or by .htaccess rules.

Server Firewall (CSF)

If you see a 403 on the entire site (not just one page), your IP may be blocked by CSF after too many failed login attempts. Visit my.ultrawebhosting.com to unblock yourself.

cPanel IP Blocker

Check cPanel > IP Blocker to see if your IP (or a range that includes it) has been blocked. Remove any entries that shouldn't be there.

Directory Privacy

If the 403 only affects a specific directory, check cPanel > Directory Privacy. Password-protected directories return 403 if you cancel the login prompt.

06. CMS-Specific 403 Errors

WordPress

A 403 on wp-admin or wp-login.php is often caused by security plugins (Wordfence, iThemes Security) that block access by IP, country, or login attempt count. Rename the plugin's folder via FTP to regain access, then adjust the settings.

Drupal

After a fresh Drupal install, a 403 on the homepage usually means the .htaccess RewriteBase isn't set correctly. Open .htaccess and uncomment RewriteBase / (or set it to your subdirectory if installed in one). Also verify clean_urls is enabled in Drupal's settings.

Joomla

Joomla 403 errors are often caused by the .htaccess file not being renamed from htaccess.txt to .htaccess, or by RewriteBase being set incorrectly for subdirectory installations.

Still Getting 403 Errors?

If you've checked permissions, .htaccess, and ModSecurity without finding the cause, open a ticket with the exact URL that's returning 403 and the error log entries. We can check the server-side configuration.

Open a Support Ticket

Quick Recap: Fix 403 Errors

If you only do 5 things from this guide, do these:

  1. Fix permissions - directories 755, files 644
  2. Test .htaccess - rename it to see if the 403 goes away
  3. Check the error log - cPanel > Errors shows what's blocking access
  4. Check your IP - unblock at my.ultrawebhosting.com if needed
  5. Check ModSecurity - look for rule IDs in the error log, contact support for exceptions

Last updated March 2026 · Browse all Troubleshooting articles · See also: 500 Errors | 508/503 Errors

  • 530 Users Found This Useful

Was this answer helpful?

Related Articles

Unable to Include Potential Exe - ModSecurity Error

Errors & Troubleshooting | Updated March 2026 The error "Unable to include potential exe"...

Account's error_log produces flood of missing modules

 Account's error_log produces flood of missing modules. Ex:   From error_log:     [23-Apr-2018...

central_filter defer (-17): error in filter file: unknown filtering command r_subject: near line 22 of filter file

The error "central_filter defer (-17): error in filter file: unknown filtering command r_subject:...

403 Error on POST

This can occur for several reasons: Be sure your file permissions are correct. If the file needs...

Error 406 unacceptable

Errors & Troubleshooting | Updated 2026 A 406 "Not Acceptable" error means the server...



Save 30% on web hosting - Use coupon code Hosting30