Error 403 Forbidden: Causes and How to Fix It (Nginx, Apache, WordPress, Cloudflare)
Quick Summary
A 403 Forbidden error means the server received a request but refused to grant access. Most of the time, the culprits are file and folder permissions, access rules in Apache or Nginx, authorization issues, WAF and anti-bot settings, or restrictions from a CDN or hosting provider. Below is a quick diagnostic checklist, along with typical causes and solutions for both users and site owners.
Who is this for?
- Website and online store owners
- SEO specialists
- Developers and administrators
- Anyone seeing 403 errors in Google Search Console
4xx response codes indicate that the server couldn't fulfill a request due to an issue with the request itself or access restrictions. An Error 403 Forbidden appears when the server understands the request but refuses to deliver the content. The page exists, but access to it is blocked.
How a 403 may look in your browser:
- 403 Forbidden
- Access is denied
- You don’t have permission to access
- 403 Forbidden – nginx
- HTTP Status 403
The bottom line is the same: access is forbidden.
Go ahead and check what code the server is sending back. A quick way to do this is to open the header checker on PR-CY, paste in the URL, and take a look at the response status, any redirects, and the important headers.
Why Does a 403 Forbidden Error Happen? The Reasons Access is Denied
A 403 error occurs when access is restricted by rules on the website, server, or an external security system. Sometimes this is expected, like for an admin panel. Other times, it's a configuration mistake, and regular visitors, search engine bots, or even your own frontend get a 403.
403, 401, 404, 429: What's the Difference?
| Code | What it Means | Typical Scenario |
|---|---|---|
| 401 | Authentication required | Missing token, expired token, wrong password |
| 403 | Access forbidden | Insufficient permissions, WAF triggered, IP ban, restricted directory |
| 404 | Page not found | Incorrect URL, page deleted, routing error |
| 429 | Too many requests | API rate limits, bot protection, bulk checks |
The most common causes of a 403 error:
- Authorization and roles. The user isn't logged in or doesn't have the necessary permissions.
- File and folder permissions. The web server can't read a file or enter a directory.
- Access rules in Apache or Nginx. Incorrect Require or allow/deny directives, or IP-based restrictions.
- WAF, anti-bot, CDN. Systems like Cloudflare, AWS WAF, or ModSecurity block the request and return a 403.
- Hotlink protection. Images or files are blocked from being loaded on other domains.
- Geoblocking and network restrictions. Access is blocked based on country, provider, or a corporate network.
- Errors after a migration. A DNS change, CDN setup, or moving to a new server with forgotten allowlist rules.
FAQ
Does 403 Forbidden mean the page is gone forever? Nope! Most of the time, the page is still there, but access is restricted by server, application, or security rules.
Can I fix a 403 just by clearing my cookies? Sometimes, yes, if the problem is with your session or authentication tokens. But if the server is sending the 403 because of permissions, a WAF, or its configuration, clearing your browser data won't help.
Are 403 and 401 the same thing? No. A 401 error usually means you need to provide valid credentials (like a password), while a 403 means access is denied even if your request is technically valid.
User-Side 403 Error: What to Do in Your Browser
User Isn't Logged In
If a page is only for registered users, just log into your account. For the website owner, this is a sign to check if there's a proper redirect to the login page.
Incorrect URL or Following an Old Link
Sometimes, a 403 error pops up because a user landed on a restricted section using a direct link. From a UX perspective, it's much better to guide them to a clear page that explains what's happening and offers action buttons.
If the issue is with authorization, the visitor should be taken to a login form. This is usually handled by redirecting guest users to the login page.
If visitors often land on restricted URLs from your own site, it's a good idea to check your navigation and internal links.
IP Ban, VPN, or Corporate Network
You might see a 403 error when trying to access a site through a VPN or a network with a shared IP address. Try accessing the site without a VPN and from a different network, like your mobile data, home internet, or another Wi-Fi spot.
Glitch with Cookies, Session, or Cache
If you get a 403 error after logging in or when submitting a form, the problem is often related to your cookies and session. Try these steps:
- Open the site in Incognito mode. This is a quick way to rule out issues with extensions and old cookies.
- Clear the site's data. In Chrome, you can do this by clicking the lock icon next to the site's address → Site settings → Clear data, or by going to chrome://settings/siteData.
- Do a hard refresh. Pressing Ctrl + F5 (or Cmd + Shift + R on Mac) reloads the page without using the cache.
Antivirus, Extensions, or Blockers
Some security software and browser extensions can block access to specific websites and scripts. Try accessing the site in a different browser and temporarily disable any blockers for that domain.
FAQ
How can I quickly fix a 403 error in my browser? First, make sure you're logged into your account. Then, try opening the site in Incognito mode, clearing the site's data, and connecting from a different network without a VPN.
Why does the 403 error only appear on one network? Most often, this is due to a block based on your IP, country, or provider, or because of corporate network rules. It could also be a restriction from a CDN or an anti-bot system.
Does a 403 error caused by cookies happen to all users? Usually, no. It's more common for users with an outdated session, a conflict between browser extensions, or corrupted cookies.
403 Error on Your Site: How to Fix It on the Server and in Your CMS
If your visitors are seeing a 403 error, the first step is to figure out where the block is happening: in the application, on the web server, or at the CDN and WAF level. The quickest way to find out is by checking the response headers and logs.
File and Folder Permissions
For Linux hosting, a common setup often looks like this: 644 for files, 755 for folders. The key is that the web server must be able to read the file and have permission to enter every directory along the path to it.
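The rule above (read permission on the file, search permission on every directory leading to it) can be checked mechanically. The following Python is an added example, not code from the original article; `find_blockers`, its parameters and the `www-data` user in the usage comment are assumptions for illustration. It evaluates classic mode bits only for a non-root worker, so POSIX ACLs and SELinux/AppArmor policy are out of scope.

```python
import stat
from pathlib import Path


def _has(st, uid, gids, need):
    """Classic Unix check: pick the owner, group or other bit triplet
    that applies to (uid, gids) and require every bit in `need`."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return (bits & need) == need


def find_blockers(target, uid, gids, base="/"):
    """Return [(path, reason)] for each component between `base` and
    `target` that stops a non-root process running as uid/gids."""
    target, base = Path(target).resolve(), Path(base).resolve()
    blockers = []
    # Every directory on the way down needs the search (x) bit.
    for d in reversed(target.parents):
        if d != base and base not in d.parents:
            continue  # above `base`: out of scope
        if not _has(d.stat(), uid, gids, 0o1):
            blockers.append((str(d), "directory lacks search (x) permission"))
    st = target.stat()
    if stat.S_ISDIR(st.st_mode):
        need, why = 0o1, "directory lacks search (x) permission"
    else:
        need, why = 0o4, "file lacks read (r) permission"
    if not _has(st, uid, gids, need):
        blockers.append((str(target), why))
    return blockers


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    # Assumed usage: python check_path.py /var/www/site/index.html www-data
    path, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    found = find_blockers(path, pw.pw_uid, groups)
    for p, reason in found or [("-", "no mode-bit blocker found")]:
        print(f"{p}: {reason}")
```

Run it as root or as the file owner so that every component can be stat'ed; an empty result with a persisting 403 points toward ACLs, a mandatory access control policy, or a server-level access rule.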
No Index File or Directory Access Is Forbidden
If a directory is requested but there's no index file and directory listing is forbidden, the server will return a 403. In Nginx, you'll often see an error like "directory index of ... is forbidden."
Check these things:
- The list of index files. In Nginx, this is the index directive; in IIS, it's the default documents list.
- The path to the site's root. Mistakes with root and alias directives in Nginx often lead to 403 errors.
- Permissions for parent directories. Even if the file itself is readable, a missing execute permission on a folder in its path will cause a 403.
Apache 2.4 and .htaccess: Access Directive Conflicts
In Apache 2.4, the modern way to control access is based on the Require directive. If you mix old directives like Order, Deny, and Allow with the new ones, you can easily get an unexpected 403.
Make sure your access rules are set up consistently and that the server is actually reading the .htaccess file in the correct directory.
WordPress and Security Plugins
For WordPress, a 403 error is often caused by:
- A security plugin. For instance, it might be blocking the login page, wp-admin, or the REST API.
- A corrupted .htaccess file. Sometimes, simply regenerating your permalink rules can fix the issue.
- CDN and WAF. After setting up Cloudflare or similar services, some requests in the admin dashboard might get flagged by anti-bot measures or managed rules.
A handy way to diagnose this is to temporarily disable your plugins by renaming the wp-content/plugins folder and see if the 403 error disappears. Then, you can re-enable them one by one.
WAF, ModSecurity, and False Positives
A WAF can block requests and return a 403 even for normal actions like submitting a form, publishing text, or uploading a file. This is a classic case of a false positive from one of its rules.
What to do:
- Look at the block event. You'll need the time, URL, IP address, user-agent, and the specific rule that was triggered.
- Check the WAF logs. For ModSecurity, you'd often look at the audit log file. On a hosting plan, you might need to contact support.
- Add an exception. Disable the specific rule for a particular path or parameter, rather than turning off the entire WAF.
CDN and Cloudflare: 403 and Error 1020
On Cloudflare, you might encounter a 1020 Access Denied block. This means the request was caught by a firewall rule. For the site owner, the key clue is the Ray ID in the error message, which you can use to find the event in your security logs.
API, CORS, and CSRF
A 403 might not show up on a page but on your frontend's requests:
- CORS preflight. The browser sends an OPTIONS request, and the server responds with a 403. As a result, the actual request fails with what looks like an access error.
- CSRF protection. The framework blocks a request that's missing a CSRF token or has an incorrect Origin or Referer header.
- Lack of permissions. The user is logged in, but their role doesn't allow the action, so the application returns a 403.
IIS: Sub-status Codes Help Pinpoint the Cause
If your site is on IIS, it's helpful to look at sub-status codes like 403.14 or 403.7. For example, 403.14 often means directory listing is forbidden and there's no default document, while 403.7 means a client certificate is required.
Hotlink Protection
When hotlink protection is enabled, images and files might return a 403 if someone tries to load them from a different domain. This often shows up as broken CSS, images in emails, or product cards if resources are being pulled from the wrong domain.
FAQ
How can I tell if a 403 is from the server or a CDN? Look at the response headers and the error body. CDNs often have their own identifiers, like a Ray ID. You can also try accessing the URL directly on your origin server, bypassing the CDN.
What permissions should I set for files and folders to get rid of a 403? Often, 644 for files and 755 for folders is enough. The important thing is to ensure the web server has access to all parent directories in the path.
Why did I start getting a 403 after setting up Cloudflare or a WAF? Your requests might have been flagged by managed rules, anti-bot protection, rate limiting, or other firewall rules. Look for the block event in your security logs and adjust the rule accordingly.
403 Error from Hosting, CDNs, and Providers: Restrictions and Blocks
Blocks by IP, Country, or Provider
Some websites limit access based on geography or specific IP subnets. You'll often see this with CDNs, in hosting control panels, on corporate networks, and when meeting compliance requirements.
Resource Limits and Anti-Bot Measures
If a website gets a ton of requests or your activity looks like a bot, the hosting service or security system might restrict your access. Technically, a 429 error is more correct for rate limiting, but some systems still use a 403 by default.
Non-Payment, Service Suspension, or Provider Rule Blocks
A 403 error can pop up if a service has been suspended or an account is restricted. A quick way to check is to look at your hosting panel and any notifications from your provider.
After a Migration: DNS, New IP, or Connecting a CDN
When moving a website, it's easy to forget about things like allowlist rules, IP restrictions, or virtual host settings. If you see a 403 error right after changing your DNS or connecting a CDN, be sure to check:
- Does the domain match the CDN settings? With some CDNs, a 403 error appears if the domain points to the CDN but hasn't been added to the configuration.
- Is the origin blocking the CDN's IP addresses? If your origin server is blocking the CDN's subnets, requests will fail.
- Certificates and SNI. An incorrect link between a domain and its certificate can sometimes lead to error responses on the edge servers.
Static Files and Object Storage: S3 and CloudFront
If your site or files are served from object storage, a 403 error often points to a problem with an access policy or a public access block. In a CloudFront + S3 setup, a common cause is an improperly configured origin access, like not having the correct OAC (Origin Access Control) or bucket policy.
Good to know: Starting in 2024, Amazon S3 is adding more context to 403 Access Denied messages for requests within the same account, which helps you find the cause much faster.
FAQ
Why did a 403 error appear after moving my site to a new server? Most of the time, it's related to the website's root path, file permissions, access rules, or forgotten IP and WAF restrictions.
Can a 403 error be caused by exceeding request limits? Yes! Semantically, a 429 error is the right one to use, but some security systems default to a 403 when a limit is exceeded.
How can I tell if a 403 error is related to a geo-block? Try accessing the site from different countries using external checking tools and take a look at the geo-restriction settings in your CDN and WAF.
What's Changed by 2026: New Reasons for Error 403
- CDNs and WAFs have become more aggressive. Anti-bot systems, JS challenges, CAPTCHAs, and managed rules are now more likely to block legitimate requests and return a 403 error.
- Cloudflare's 1020 error is more common. To diagnose it, you'll need the Ray ID and to look for the event in Security Events.
- Verifying search engine bots has gotten easier. Google now publishes JSON IP ranges for its crawlers and provides clear instructions for verification using reverse and forward DNS. This helps prevent accidentally blocking Googlebot.
- More 403s on APIs. Common causes include CORS preflight on OPTIONS requests, CSRF checks, and role-based restrictions.
- Limits and quotas are becoming more standardized. For rate limiting, the 429 status code and headers like Retry-After are increasingly used, but 403 still pops up in default protection setups.
FAQ
Why is the 403 error more common than before? Because bot protection and WAFs have become standard even for small websites, and their rules sometimes block normal user actions.
How can I avoid blocking Googlebot and losing my site's indexing? Don't rely just on the User-Agent. Verify the bot using reverse DNS and check if the IP address is within Google's published ranges.
Are 403 and 1020 the same thing? Not exactly. 1020 is a Cloudflare-specific code found in the response body, but the HTTP status code you'll usually see is also 403.
403 Forbidden Diagnostic Checklist: How to Quickly Find the Source
- Pinpoint the URL and scenario. Where exactly is the 403 happening: the homepage, a category page, a specific file, an API endpoint, the admin panel, or during an image upload?
- Check the status and redirects. A good place to start is by checking the response headers.
- Compare a guest vs. a logged-in user. If only guests get the 403, the cause is likely related to access permissions or redirects.
- Compare different networks and IPs. Testing without a VPN can quickly reveal blocks based on geolocation or subnets.
- Look at the response headers. Search for signs of a CDN or WAF, an event ID, or hints in the error body.
- Check file permissions and ownership. For Nginx, the permissions for the entire path to the file are important.
- Check access rules. Look at Apache's Require, Nginx's deny/allow directives, and any rules in your hosting control panel.
- Open the logs. For the server, check the access/error log; for a WAF, look at block events; for a CDN, check the security events.
- For WordPress, temporarily disable security plugins. Then check if the 403 error on wp-admin and wp-login disappears.
- For APIs, check OPTIONS and CSRF. Sometimes the 403 only appears on the preflight request or POST requests.
FAQ
Where should I start if a 403 error suddenly appears? Start by checking the response headers and comparing different scenarios: try a different browser, incognito mode, a different network, and guest mode.
Why are my users getting a 403 error, but I'm not? It's often due to differences in IP address, geographic location, cookies, anti-bot rules, or other conditions that don't trigger for every single visitor.
What's the single most useful clue for finding the cause? The block logs. They show you exactly what denied access and why.
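To show what reading the block logs looks like for Nginx, here is an added Python example (not part of the original article) that sorts error-log entries into the three server-side causes covered above: a missing index file, filesystem permissions, and a deny rule. The log lines are constructed samples in the Nginx error-log format, and the function names and cause labels are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the nginx error-log format (not from a real server).
SAMPLE_LOG = '''\
2025/03/02 10:15:01 [error] 811#811: *17 directory index of "/var/www/shop/assets/" is forbidden, client: 203.0.113.7, server: shop.example, request: "GET /assets/ HTTP/1.1", host: "shop.example"
2025/03/02 10:15:04 [error] 811#811: *18 open() "/var/www/shop/media/logo.png" failed (13: Permission denied), client: 203.0.113.7, server: shop.example, request: "GET /media/logo.png HTTP/1.1", host: "shop.example"
2025/03/02 10:15:09 [error] 811#811: *19 access forbidden by rule, client: 198.51.100.23, server: shop.example, request: "GET /wp-admin/ HTTP/1.1", host: "shop.example"
2025/03/02 10:15:12 [error] 811#811: *20 open() "/var/www/shop/favicon.ico" failed (2: No such file or directory), client: 203.0.113.7, server: shop.example, request: "GET /favicon.ico HTTP/1.1", host: "shop.example"
'''

# (pattern on the message part, cause label, what to check next)
RULES = [
    (re.compile(r'directory index of "(?P<path>[^"]+)" is forbidden'),
     "no-index", "add an index file or fix the index/root/alias directives"),
    (re.compile(r'open\(\) "(?P<path>[^"]+)" failed \(13: Permission denied\)'),
     "permissions", "check mode bits on the file and every parent directory"),
    (re.compile(r'access forbidden by rule'),
     "deny-rule", "review allow/deny directives for this location"),
]
META = re.compile(r'(?P<client>[^,]+),.*?request: "(?P<request>[^"]*)"')


def classify(line):
    """Return a dict describing a 403-related entry, or None for other lines."""
    # Match only the server's own message, i.e. the text before ", client: ",
    # so client-supplied request text cannot influence the classification.
    msg, _, rest = line.partition(", client: ")
    for pattern, cause, hint in RULES:
        m = pattern.search(msg)
        if m:
            meta = META.match(rest)
            return {
                "cause": cause,
                "hint": hint,
                "path": m.groupdict().get("path"),
                "client": meta.group("client") if meta else None,
                "request": meta.group("request") if meta else None,
            }
    return None


def summarize(log_text):
    """Classify every line and count events per cause."""
    events = [e for e in map(classify, log_text.splitlines()) if e]
    return events, Counter(e["cause"] for e in events)


if __name__ == "__main__":
    events, counts = summarize(SAMPLE_LOG)
    for e in events:
        print(f'{e["cause"]:<12} {e["client"]:<15} {e["request"]} -> {e["hint"]}')
    print(dict(counts))
```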
How 403 Affects SEO and Indexing: Google Search Console
If important pages return a 403 error to search engine bots, they will be dropped from the index. In Google Search Console, this usually appears as an indexing problem with a reason like "Blocked due to access forbidden (403)."
What to check if the 403 is related to bots:
- Is a WAF blocking the bot's requests? Anti-bot systems and rate limits are often the culprits.
- Have you blocked access based on geo-location? Bots have different crawl locations, so country-based restrictions can sometimes block some of their traffic.
- Have you confused a 403 with a block via robots.txt? Robots.txt asks a bot not to visit, while a 403 forbids access at the server level.
- Verify that the requests are actually from Google. Google describes how to verify this using a reverse DNS lookup and by checking the IP against its published ranges.
If you see 403 errors on pages that should be indexed, fix the cause and request a re-crawl in your webmaster tools. The sooner the bot sees a 200 status code, the faster your visibility will be restored.
FAQ
Is a 403 more harmful to SEO than a 404? Both 403 and 404 errors lead to a URL being dropped from the index if the error persists. For content that has been permanently removed, a 410 status code is typically chosen over a 403.
Why does the bot get a 403 while a regular user can see the page? This can happen because of a WAF, anti-bot systems, geo-blocking, or IP restrictions. The bot comes from a different IP and gets caught by these rules.
Can I just allow the Googlebot User-Agent? That's risky. The User-Agent is easy to spoof. It's better to verify the bot using its DNS and IP ranges.
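The verification described above, reverse DNS followed by a forward lookup plus a match against the published IP ranges, looks like this as an added Python example (not from the original article and not Google's code). The function names and the injectable resolver hooks are assumptions for illustration, and `SAMPLE_RANGES` is a constructed stand-in for a locally saved copy of the published JSON file.

```python
import ipaddress
import socket

# PTR domains accepted here for Google's crawlers; extend the tuple if
# you also want to accept other Google fetchers.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed sample in the shape of the published ranges file; the
# prefixes are documentation ranges, not Google's real ones.
SAMPLE_RANGES = {"prefixes": [{"ipv4Prefix": "192.0.2.0/27"},
                              {"ipv6Prefix": "2001:db8:10::/64"}]}


def _ptr(ip):
    """Reverse lookup: IP address -> host name."""
    return socket.gethostbyaddr(ip)[0]


def _addrs(host):
    """Forward lookup: host name -> set of IP address strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def verify_by_dns(ip, reverse=_ptr, forward=_addrs):
    """Return (ok, detail). The PTR name must sit under a crawler domain
    and must resolve back to the same IP; a PTR record alone proves
    nothing, because whoever controls the reverse zone sets its content."""
    try:
        host = reverse(ip).rstrip(".").lower()
    except OSError:
        return False, "no PTR record"
    # The leading dot in each suffix rejects names like evilgooglebot.com.
    if not host.endswith(CRAWLER_SUFFIXES):
        return False, f"PTR {host} is outside the crawler domains"
    try:
        forward_ips = {ipaddress.ip_address(a) for a in forward(host)}
    except OSError:
        return False, f"{host} does not resolve"
    if ipaddress.ip_address(ip) not in forward_ips:
        return False, f"{host} does not resolve back to {ip}"
    return True, host


def in_published_ranges(ip, ranges_doc):
    """True if `ip` falls inside any prefix of the ranges document."""
    addr = ipaddress.ip_address(ip)
    for entry in ranges_doc.get("prefixes", []):
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr and addr in ipaddress.ip_network(cidr):
            return True
    return False
```

Cache the result per IP address instead of resolving on every request, and apply it only to requests whose User-Agent claims to be Googlebot, before any allowlist decision in the WAF.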
Action Plan to Quickly Fix a 403
- Check the status and redirects for the URL.
- Open the site in an incognito window and from a different network without a VPN.
- Compare the experience of a guest versus a logged-in user.
- Look at the response headers for any signs of a WAF or CDN.
- Check permissions, access rules, and block logs.