Introduction

A 403 Forbidden error means the web server understood the request but refused to serve the page. On WordPress sites, this often happens because permissions, security layers, or rewritten access rules block traffic that used to work normally.

Symptoms

  • wp-admin or specific pages return 403 Forbidden
  • The homepage works but login, uploads, or plugin actions fail
  • The issue appeared after adding a security plugin or firewall rule
  • XML-RPC, REST API, or AJAX requests fail while normal pages load
  • Server logs show denied access rather than missing files

Common Causes

  • File or directory permissions are too restrictive or inconsistent
  • .htaccess rules deny access to needed WordPress routes
  • A security plugin or WAF blocks requests as suspicious
  • Ownership mismatches stop PHP from reading or writing expected files
  • Hotlink protection, IP restrictions, or country blocks catch valid traffic

Step-by-Step Fix

  1. Check the affected URL in web server logs and identify whether the block comes from Apache, Nginx, a plugin, or an external firewall.
  2. Verify that file and directory permissions follow standard WordPress practice: the web server must be able to read directories and serve files, without access being granted more broadly than that.
  3. Restore a clean .htaccess file or regenerate rewrite rules from WordPress settings if you recently edited access directives.
  4. Temporarily disable the security plugin, bot filter, or firewall rule that most recently changed and test the failing route again.
  5. Review ownership and deployment permissions so PHP and the web server can access the correct files after updates.
  6. Check whether REST API, AJAX, or login endpoints are specifically blocked by ModSecurity, fail2ban, or custom location rules.
  7. Re-enable protections one layer at a time and add a narrow exception only for the legitimate route or pattern being blocked.
  8. Test wp-admin, media uploads, plugin updates, and the front end after each fix so you confirm the correct layer caused the denial.
  9. Keep the final access policy documented so future hardening changes do not silently lock out the site again.
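
Steps 1 and 6 depend on telling which layer produced the denial. The following is an added example, not part of the original guide: it matches the denial messages that Apache 2.4, Nginx, and ModSecurity write to the error log and counts them per WordPress route. The layer labels, function names, and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Error-log signatures that accompany a 403, mapped to the layer that denied it.
SIGNATURES = [
    ("ModSecurity rule", re.compile(r"ModSecurity: Access denied with code 403")),
    ("Apache access rule", re.compile(r"AH01630: client denied by server configuration")),
    ("Nginx deny rule", re.compile(r"access forbidden by rule")),
    ("file permissions or ownership",
     re.compile(r"AH00132|AH00035|\(13: Permission denied\)")),
    ("directory listing disabled",
     re.compile(r"AH01276|directory index of \S+ is forbidden")),
]

# WordPress routes from the symptoms list; the AJAX path is tried before plain wp-admin.
ROUTE_RE = re.compile(
    r"xmlrpc\.php|wp-json|wp-admin/admin-ajax\.php|wp-login\.php|wp-admin|wp-content/uploads")

# Constructed sample lines (documentation IP, made-up rule id), not from a real server.
SAMPLE_LOG = [
    '[:error] [pid 811] [client 203.0.113.5:50000] ModSecurity: Access denied with code 403 (phase 2). [id "100001"] [uri "/xmlrpc.php"]',
    '[:error] [pid 811] [client 203.0.113.5:50001] ModSecurity: Access denied with code 403 (phase 2). [id "100001"] [uri "/xmlrpc.php"]',
    '[authz_core:error] [pid 811] [client 203.0.113.5:50002] AH01630: client denied by server configuration: /var/www/html/wp-admin/admin-ajax.php',
    '2024/01/01 10:00:02 [error] 912#0: *7 access forbidden by rule, client: 203.0.113.5, request: "GET /wp-json/wp/v2/posts HTTP/1.1"',
    '2024/01/01 10:00:03 [crit] 912#0: *8 open() "/var/www/html/wp-content/uploads/a.jpg" failed (13: Permission denied), client: 203.0.113.5',
    '[php:notice] [pid 811] [client 203.0.113.5:50004] PHP Notice: Undefined index in /var/www/html/wp-content/themes/x/functions.php',
]


def classify(line):
    """Return (layer, route) for a known denial message, else None."""
    for layer, pattern in SIGNATURES:
        if pattern.search(line):
            route = ROUTE_RE.search(line)
            return layer, (route.group(0) if route else "other")
    return None


def summarize(lines):
    """Count denials per (layer, route); the top entry is the layer to inspect first."""
    return Counter(hit for hit in map(classify, lines) if hit)


if __name__ == "__main__":
    for (layer, route), count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {layer:32s} {route}")
```

A 403 that appears in the access log with no matching line here did not come from these layers, so check the security plugin or the external firewall next.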