WordPress 403 Forbidden Error
What Is This Error?
A 403 Forbidden error means your web server received your request perfectly fine — but it’s actively refusing to let you through. Think of it like a bouncer who sees you at the door but won’t let you in. You’re not invisible (that would be a 404 Not Found); you’re simply not allowed access at that moment.
This error can pop up in different spots: your homepage, a specific post or page, your wp-admin login screen, or your entire WordPress site at once. The server is essentially saying something is blocking the request before WordPress even gets a chance to load and respond.
The reassuring part is that this is almost always a configuration problem — not a hack, not a database corruption, and definitely not a data loss situation. Your content is still there. You just need to remove whatever is blocking the door.
Why Does This Happen?
- Incorrect file or folder permissions: WordPress files need to be readable by the server but not wide open to the world. If permissions are set too restrictively or incorrectly, the server refuses to serve the files at all.
- Corrupted or misconfigured .htaccess file: The .htaccess file tells Apache how to handle incoming requests. A single bad rule in this file can lock everyone out of your site or specific directories.
- Security plugin blocking your access: Plugins like Wordfence or iThemes Security can mistakenly flag your own IP address or block certain request patterns, resulting in a 403 for legitimate visitors — or even you.
- Hotlink protection rules gone wrong: Some hosting control panels add hotlink protection to .htaccess automatically, and those rules sometimes accidentally block direct page or media access instead of just external embeds.
- Server firewall or IP block: Your hosting provider’s firewall may have blacklisted your IP after several failed login attempts, triggering a blanket 403 for all your requests.
How to Fix It — Step by Step
- Reset file and folder permissions via FTP or SSH. Connect to your site using an FTP client like FileZilla, or SSH into your server. All WordPress files should have permission 644, and all folders should be 755. You can do this recursively with two terminal commands:
find /path/to/wordpress -type f -exec chmod 644 {} \;find /path/to/wordpress -type d -exec chmod 755 {} \;You should see: The commands complete without errors, and reloading your site should no longer return a 403.
- Regenerate your .htaccess file through WordPress. Log in to your WordPress dashboard and navigate to Settings → Permalinks. Without changing any setting, just click the Save Changes button. WordPress will automatically rewrite a clean, valid .htaccess file to your root directory.
You should see: A success notice at the top of the page, and your site URLs loading correctly again.
- Rename the .htaccess file manually if Step 2 didn’t help. Via FTP, go to your WordPress root folder and rename .htaccess to .htaccess_old. Reload your site. If it works, your old .htaccess contained a bad rule. Now go back to Settings → Permalinks and click Save Changes to generate a fresh, clean version.
You should see: Your site loading normally once the old .htaccess is out of the way.
- Deactivate all plugins by renaming the plugins folder. Via FTP, navigate to wp-content/ and rename the plugins folder to plugins_disabled. This force-deactivates every plugin without needing dashboard access. Reload your site. If the 403 is gone, a plugin is the culprit. Rename the folder back to plugins, then reactivate plugins one at a time to isolate the problematic one.
You should see: Your site loading normally after the rename, confirming the issue is plugin-related.
- Contact your hosting provider about firewall or IP blocks. If every step above has failed, your IP may be blocked at the server or ModSecurity level — particularly common after repeated failed login attempts. Reach out to your host’s support team and ask them specifically to check for active IP blocks or ModSecurity rules affecting your account.
You should see: Your host either clears the block directly or identifies the specific rule causing the denial.
Common Mistakes When Fixing This
- Setting permissions to 777 to “just make it work”: This removes the 403 but turns every file on your site into a publicly writable security hole. Attackers can upload malicious files with ease. Always use 644 for files and 755 for folders — nothing looser.
- Only resetting permissions on the root folder: Many people apply the chmod fix to the WordPress root but forget that wp-content, uploads, themes, and plugins subdirectories are separate. The permission reset must be applied recursively across the entire WordPress directory tree.
- Forgetting to re-enable plugins after testing: It’s easy to rename the plugins folder, confirm the fix, breathe a sigh of relief, and then forget to rename it back. Your site would continue running without any plugins active, silently breaking forms, SEO, caching, and other critical functionality.
- Not clearing cache after making changes: After correcting permissions or rewriting .htaccess, a caching plugin or CDN may still be serving the old 403 response from cache. Always purge your site cache and CDN cache immediately after applying any fix, or you’ll think the problem is still there when it’s already resolved.
Frequently Asked Questions
Will a 403 error delete my WordPress posts or media?
No. A 403 error is purely a server access configuration issue. Your posts, pages, and uploaded media remain completely intact in your database and file system. Nothing gets deleted or corrupted — you’re just temporarily blocked from reaching it.
What if only my wp-admin area shows a 403, but the front end is fine?
This pattern almost always points to a security plugin or a specific .htaccess rule targeting the /wp-admin path. Start by renaming your plugins folder via FTP to rule out plugin conflicts. If that fixes it, reactivate plugins one by one. If it doesn’t, open your .htaccess file and look for any rules that explicitly reference wp-admin or xmlrpc.
Can my hosting company cause this error without me doing anything?
Yes, absolutely. Shared hosting environments sometimes update their ModSecurity rulesets or Web Application Firewall policies, and those updates can start blocking legitimate WordPress requests. If you haven’t changed anything on your site and the 403 appeared out of nowhere, your first call should be to your host’s support team to check for recent server-side rule changes.
Will a 403 error hurt my Google rankings?
It can, especially if it persists for more than a few days. If Googlebot crawls your site and hits a 403 on your homepage or key content pages, those pages won’t be indexed or may eventually drop from the index. Fix the error as quickly as possible, then use Google Search Console to request a recrawl of any affected URLs once the issue is resolved.