Errors on a website can come from multiple sources and are never pleasant, especially when they are intermittent. Recently, a client contacted us with a problem of HTTP 403 error (not a 500 error problem) on their website that was occurring randomly.
What Is an HTTP Status Code?
An HTTP code, or HTTP status code, is a numerical response that a web server returns when you (or your browser) make a request to that server. For example, when you type a URL into your browser, it sends a request to the server hosting that URL, and the server responds with an HTTP code.
HTTP codes are essential to the functioning of the web, as they provide information on the success or failure of a request. Here are the broad lines of possible HTTP codes:
- 2xx Codes: Codes between 200 and 299 are HTTP status codes indicating a successful response. They signal that the client’s request has been accepted and successfully processed by the server. These codes are generally associated with successful responses in the HTTP protocol, meaning the request has been successfully executed and the requested resource has been successfully returned to the client.
- 3xx Codes: HTTP status codes between 300 and 399 are redirection codes. They indicate that the client must take additional action to complete the request. This usually means that the requested URL has been changed or moved, and the client is redirected to this new location.
- 4xx Codes: HTTP status codes ranging from 400 to 499 represent visitor-side errors. They signal that the client’s (visitor’s) request could not be processed, often due to a problem with the request itself. Our infamous 403 error belongs to this category.
- 5xx Codes: HTTP status codes from 500 to 599 indicate a server error. This means that the server couldn’t fulfill a valid request, usually due to a problem with the server itself.
What Is a 403 Error?
A 403 error, also called “Access Forbidden,” is an HTTP status code that signifies that a user is trying to access a resource on the web server for which they do not have permission. In the case of the 403 error, the server understood the request but refuses to satisfy it because of access restrictions.
With this information, all that’s left to do is identify why the authorization is being denied!
Main Causes of a 403 Error in WordPress
There are several common reasons that can result in a 403 error on your WordPress site. Here are the most common:
- Incorrect file permissions: The files and folders on your web server have permissions that determine who can read, write, and execute these files. If these permissions are improperly set, this can lead to a 403 error.
- .htaccess file issues: The .htaccess file is a powerful configuration tool that WordPress uses to manage permalinks and redirection. However, a corrupt or misconfigured .htaccess can result in a 403 error.
- Plugin issues: Some plugins can cause 403 errors, especially those that handle security aspects (e.g., Wordfence, iThemes Security, etc.) or redirections (e.g., Redirections) of your site.
- Firewall or security settings: A firewall or overly strict security configuration can be the cause of 403 errors, especially if these settings are misconfigured and block access to certain parts of your website.
Note: Resolving these issues requires advanced technical knowledge and access to your server or hosting account. If you’re unsure how to proceed, it’s advised not to improvise and contact an expert.
The first three causes can often be fixed directly by an experienced developer. However, if the issue is related to server security, the resolution will depend on your type of hosting.
Server Security and Firewalls
Several web hosts offer services that use cPanel and WHM (Web Host Manager). These solutions often come with firewalls to lessen the impact of attacks or bots that can consume too many resources on your account.
The most popular technologies include:
- ConfigServer Security & Firewall (CSF): A very popular security suite for Linux among cPanel users. CSF offers a wide range of features, including IP address blocking, anti-flood protection, country blocking, brute force attack protection, and much more.
- Advanced Policy Firewall (APF): While less known than CSF, APF is an extremely reliable firewall based on iptables rules (a firewall management system for Linux). APF is easy to use, flexible, and provides solid protection against common attacks.
- ModSecurity: An open-source web application firewall (WAF) that can be used to protect web applications against various attacks, such as SQL injections, brute force attacks, and XSS attacks. ModSecurity is often used in conjunction with other firewalls to provide an additional layer of security.
- cPHulk: This is a tool built into cPanel that provides protection against brute force attacks. It blocks IP addresses that have too many failed login attempts over a certain period of time.
- Evasive (Apache module): This module is an indispensable defense tool against denial of service (DoS) and distributed denial of service (DDoS) attacks. It provides real-time protection against attacks by monitoring traffic patterns and blocking suspicious IP addresses. If your WordPress site experiences a sudden increase in traffic or suspicious requests, mod_evasive can help neutralize the threat before it disrupts your site.
- Imunify360: An all-in-one automated security solution for Linux servers. As a security suite that uses machine learning technology, it provides proactive protection to spot the latest threats. Imunify360 includes a multitude of features, such as advanced intrusion detection, intrusion prevention system (IPS/IDS), web application firewall (WAF), malware protection, and many other essential tools for security.
It is important to note that using these firewalls requires some technical knowledge for proper and effective configuration. Remember, the security of your WordPress site depends on the robustness of your protection measures.
If you don’t use cPanel/WHM, it’s not uncommon to find tools like FirewallD and/or Fail2ban that act in a similar way.
And our client?
In our client’s case, it was ultimately ModSecurity that contained rules that were far too strict for his visitors. The configuration was reviewed and the problems disappeared as if by magic… except there wasn’t anything magical about it!