403 Forbidden Error: Why It Happens and How to Fix It Professionally (WordPress / cPanel / LiteSpeed)

403 Forbidden Error: Why It Happens and How to Fix It Professionally (WordPress / cPanel / LiteSpeed)

A 403 Forbidden response means the server understood your request but refuses access to the requested resource (page, folder, file). In practice, 403 errors are most commonly caused by: incorrect permissions, .htaccess rules, a WAF/security firewall block, IP/country restrictions, or server-side “hotlink/deny” policies.

1) Most common causes of 403 (with quick diagnostics)

1.1 Incorrect permissions (files/directories)

If permissions are incorrect, the server may deny access.

• Directories usually should be 755
• Files usually should be 644
• The main folder public_html must have the correct owner/permissions

Quick test: cPanel → File Manager → select a file/folder → Permissions and verify they look “normal” (755/644).

1.2 .htaccess rules (Deny, Rewrite, hotlink, security rules)

A single wrong line in .htaccess can trigger 403 for the entire site or specific URLs.

• Deny/Require rules that block access
• Hotlink protection that blocks resources
• Incorrect rewrite rules
• Security rules blocking specific query parameters

Quick test: In the site root, rename .htaccess to .htaccess.bak and try again. If it works, the issue is in .htaccess.

1.3 WAF / Firewall blocking (ModSecurity, LiteSpeed WAF, WordPress security plugin)

A 403 is often a “security block,” especially if:

• you log in, submit a form, run checkout, or perform admin actions
• the URL contains a suspicious parameter
• there are many requests in a short time (rate limiting)

Quick test: Check cPanel → Metrics → Errors, or ModSecurity logs if available. Often it will explicitly indicate the request was blocked.

1.4 Blocked IP address or Geo/IP rules

If the server or a plugin blocks an IP, you’ll get 403 only from your network/location.

• Try from mobile data (different IP) or Incognito
• Check whether your security plugin has an IP blocklist

1.5 Index/Directory listing disabled (403 on a folder)

If you open a folder without index.php/index.html and directory listing is disabled, the server may return 403.

• Fix: ensure an index file exists or the route is correct (for WordPress, that’s typically index.php in the root)

1.6 Wrong Document Root / addon domain configuration

If the domain points to an empty or incorrect folder, you may see a 403.

• cPanel → Domains → verify the Document Root
• Confirm the site files exist in that folder

1.7 WordPress hardening rules or wp-admin protection

A 403 can also come from rules that restrict administration access:

• IP allowlist for wp-admin
• Basic Auth on wp-admin
• A security plugin blocking login

2) Professional step-by-step resolution (fastest route)

Step 1: Is the 403 on the entire site or only one area?

• Entire site → usually .htaccess, permissions, Document Root, or WAF
• Only wp-admin → usually a security rule / IP block / wp-admin protection
• Only images/CSS → hotlink protection or incorrect permissions in uploads

Step 2: Check Error Logs in cPanel

This is the most important “quick evidence” step:

• cPanel → Metrics → Errors

If there’s a WAF/ModSecurity block, there is often a trace in the logs.

Step 3: Verify permissions (755/644) and ownership

• public_html and folders → 755
• files → 644

If you see unusual values (777, 600, 700) or incorrect ownership, that’s a strong candidate for the 403.

Step 4: Test .htaccess (the fastest “off/on” diagnostic)

• Rename .htaccess → .htaccess.bak
• Try opening the site again

If the 403 disappears, the issue is in .htaccess rules (rewrite/security/hotlink/deny).

Step 5: Disable the security plugin (WordPress)

If the 403 happens during login/wp-admin or forms, a plugin block is a common cause.

• Via File Manager/FTP: wp-content/plugins → rename to plugins-disabled
• Try again

If it works, restore the plugins folder name and enable plugins one-by-one to identify the culprit.

Step 6: Verify domain/Document Root

• cPanel → Domains → verify Document Root
• Make sure your WordPress/OpenCart files are located in that folder

3) Quick scenarios (symptom → likely cause)

• 403 only on wp-admin → security plugin/WAF/IP allowlist/basic auth/.htaccess rule
• 403 only on /wp-content/uploads → permissions/hotlink/.htaccess inside uploads
• 403 only on one page → .htaccess rule or WAF block for a specific URL/query
• 403 only from one network/IP → IP block, rate limit, geo-block

4) Option: open a ticket for fast diagnosis (logs + WAF/ModSecurity check)

If you want support to confirm whether there’s a WAF/ModSecurity block, an .htaccess conflict, or a permissions issue, open a ticket:

https://gohost.mk/submitticket.php

Ticket text (copy/paste)

• Subject: 403 Forbidden – .htaccess / permissions / WAF check
• Domain/site: example.com
• cPanel username: CPANELUSER
• Where 403 occurs: entire site / only wp-admin / specific URL (paste the exact link)
• Since when: after update / migration / SSL change / no changes
• Troubleshooting performed: .htaccess rename, plugins-disabled, permission check
• Request: Please review error logs and confirm whether WAF/ModSecurity is blocking, and advise the exact correction.

5) Important: what NOT to do when dealing with a 403

• Don’t set 777 permissions “to make it work” — it’s insecure and can trigger even harsher blocks.
• Don’t leave debugging/open access enabled while troubleshooting on a live site.
• Don’t delete .htaccess without a backup — rename it first and keep a copy.