How to fix 403 Forbidden Error in WordPress caused by ModSecurity


What is 403 Forbidden Error?

The 403 Forbidden Error is an HTTP status code that is sent back by the server when the client (user) who initiated the request doesn't have permission to access a specific page or resource.

Common causes of 403 Forbidden Error

Many things can produce a 403 Forbidden Error in WordPress. The most common causes are:

• Corrupt .htaccess file
• File permission issues
• Incompatible or faulty plugins

Solution

WPBeginner has written an in-depth article on fixing the 403 Forbidden Error in WordPress that walks through regenerating a corrupt .htaccess file, repairing folder and file permissions, and tracking down the incompatible or faulty plugin. If you have tried everything in that article and you are still getting the 403 Forbidden Error, it is time to look at the ModSecurity configuration. A quick way to tell whether ModSecurity is the cause is to check the Apache error log: a ModSecurity block logs a line containing "ModSecurity: Access denied with code 403" together with the rule id and the request uri, whereas a permission or .htaccess problem does not.

What is ModSecurity (mod_security)

ModSecurity is an open-source web application firewall (WAF) engine. It is available as a module for Apache and, through connectors, for Nginx and IIS, and it protects web applications such as WordPress against injection attacks (SQL injection, cross-site scripting, remote file inclusion and the like). It works by running every request through a rule set, most commonly the OWASP Core Rule Set (CRS), whose rules are largely regular-expression matches on request arguments, headers and body; a matching rule can log the request, add to its anomaly score, or block it outright.

WordPress 403 Forbidden Error and ModSecurity (mod_security)

ModSecurity can produce false positives when you work with WordPress posts and comments. Post content is free-form text and HTML, so when you save or update through admin-ajax.php, page.php or post.php (and bb-post.php if you have BBPress active), a rule written to catch SQL injection or cross-site scripting can match the legitimate content, and ModSecurity responds with a 403 Forbidden Error. The fix is either to add WordPress-specific exclusions to the ModSecurity configuration, so that the rules which misfire are not applied to those admin endpoints, or to disable ModSecurity completely. Prefer the exclusions: they keep the firewall in place for the rest of the site.

• Add specific rules for WordPress exclusion under ModSecurity (mod_security)

Follow the steps below to whitelist the WordPress admin endpoints in ModSecurity.

☑ Find the whitelist.conf or exclude.conf file under /usr/local/apache/conf/modsec2/ (CentOS in my case; your path may differ, for example the Debian and Ubuntu packages keep their ModSecurity configuration under /etc/modsecurity/). Any file that the main ModSecurity configuration includes will do, as long as it is loaded after the rule set, because SecRuleRemoveById can only remove rules that have already been defined.

☑ Add the following rules. The three admin endpoints need the same exclusions, so one anchored LocationMatch covers all of them (Apache directive names are case-insensitive, but LocationMatch is the documented spelling):

<LocationMatch "^/wp-admin/(admin-ajax|page|post)\.php$">
    SecRuleRemoveById 300013
    SecRuleRemoveById 300015
    SecRuleRemoveById 300016
    SecRuleRemoveById 300017
    SecRuleRemoveById 949110
    SecRuleRemoveById 980130
</LocationMatch>

Two caveats on these rule IDs. The 3000xx IDs belong to the gotroot/Atomic rule set rather than to the OWASP CRS, so they only matter if that set is installed; removing an ID that does not exist is harmless, but it also does nothing. 949110 and 980130 are the CRS 3 anomaly-score blocking and correlation rules: removing 949110 for a path switches off CRS blocking on that path altogether instead of excluding the one rule that misfired. The better-scoped fix is to remove only the rule IDs that your own error log names for the blocked request, and for a CRS 3 anomaly-score denial, the IDs of the Warning entries that scored it.

☑ Add the following rules only if you have BBPress installed and active

<LocationMatch "^/bb-post\.php$">
    SecRuleRemoveById 300013
    SecRuleRemoveById 300015
    SecRuleRemoveById 300016
    SecRuleRemoveById 300017
</LocationMatch>

You're done!
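The IDs above are the ones that fired on the author's server; the ones that fire on yours may differ, and a CRS 3 denial logged as 949110 is really caused by whichever rules pushed the anomaly score over the threshold. The following POSIX shell script is an added example, not part of the original post and not code from the ModSecurity project: it reads ModSecurity 2.x Apache error-log entries (the constructed samples in SAMPLE_LOG stand in for the output of grep 'ModSecurity:' on your error log), keeps only the "Access denied" entries, resolves a 949110 denial to the scoring rules that share its unique_id, and prints one LocationMatch exclusion per /wp-admin/ path containing only those IDs. The function names, the sample log lines and the log path in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from ModSecurity itself).
# Reads ModSecurity 2.x Apache error-log entries and prints a per-path
# SecRuleRemoveById exclusion containing only the rules that actually denied
# a request under /wp-admin/. Function names and sample data are assumptions.

# Constructed sample entries in ModSecurity 2.x error-log format. In real use
# feed it the output of: grep 'ModSecurity:' /var/log/apache2/error.log
SAMPLE_LOG='[Tue Jan 10 12:00:01.000000 2023] [:error] [pid 1234] [client 203.0.113.5:41000] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.*select)" at ARGS:content. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "200"] [id "300015"] [msg "Generic SQL injection protection"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "req-A"]
[Tue Jan 10 12:00:02.000000 2023] [:error] [pid 1234] [client 203.0.113.5:41001] ModSecurity: Warning. Pattern match "(?i:<script)" at ARGS:content. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "210"] [id "300016"] [msg "XSS attack"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "req-B"]
[Tue Jan 10 12:00:03.000000 2023] [:error] [pid 1234] [client 203.0.113.5:41002] ModSecurity: Warning. Pattern match "(?i:<script)" at ARGS:data. [file "/etc/modsecurity/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "50"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "req-C"]
[Tue Jan 10 12:00:03.000000 2023] [:error] [pid 1234] [client 203.0.113.5:41002] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "req-C"]
[Tue Jan 10 12:00:04.000000 2023] [:error] [pid 1234] [client 198.51.100.7:41003] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\.\./)" at ARGS:q. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "300"] [id "300013"] [msg "Path traversal"] [hostname "example.com"] [uri "/index.php"] [unique_id "req-D"]'

# Print "uri id unique_id" for every entry that actually returned a 403.
# Warning-only entries are skipped: they did not block anything.
denied_requests() {
    printf '%s\n' "$1" \
      | grep 'ModSecurity: Access denied' \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*\[unique_id "\([^"]*\)"\].*/\2 \1 \3/p'
}

# CRS 3 anomaly mode: rule 949110 only reports that the score threshold was
# reached; the rules that scored are logged as Warnings with the same
# unique_id. Print those ids, one per line, deduplicated.
contributing_ids() {
    printf '%s\n' "$1" \
      | grep 'ModSecurity: Warning' \
      | grep "\[unique_id \"$2\"\]" \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p' \
      | sort -u
}

# Print sorted, deduplicated "uri id" pairs, with 949110 replaced by the
# scoring rules when they can be found (falls back to 949110 otherwise).
resolved_rule_ids() {
    denied_requests "$1" | while read -r uri id uid; do
        if [ "$id" = 949110 ]; then
            ids=$(contributing_ids "$1" "$uid")
            [ -n "$ids" ] || ids=$id
        else
            ids=$id
        fi
        for i in $ids; do printf '%s %s\n' "$uri" "$i"; done
    done | sort -u
}

# Emit one <LocationMatch> block per /wp-admin/ path, anchored and with the
# regex dots escaped, listing only the ids that fired on that path.
emit_exclusions() {
    resolved_rule_ids "$1" | {
        prev=''
        while read -r uri id; do
            case "$uri" in /wp-admin/*) ;; *) continue ;; esac
            if [ "$uri" != "$prev" ]; then
                if [ -n "$prev" ]; then printf '</LocationMatch>\n'; fi
                printf '<LocationMatch "^%s$">\n' "$(printf '%s' "$uri" | sed 's/\./\\./g')"
                prev=$uri
            fi
            printf '    SecRuleRemoveById %s\n' "$id"
        done
        if [ -n "$prev" ]; then printf '</LocationMatch>\n'; fi
    }
}

# Usage on a live server (log path is an assumption; use your Apache error log):
#   emit_exclusions "$(grep 'ModSecurity:' /var/log/apache2/error.log)" > whitelist.conf
emit_exclusions "$SAMPLE_LOG"
```

On the sample data the script removes 300015 for /wp-admin/post.php and 941100 (not 949110) for /wp-admin/admin-ajax.php, and it ignores the /index.php denial because that path is not a WordPress admin endpoint. When a CRS 3 rule misfires on a single field, an even tighter exclusion than removing the whole rule is to keep it but exclude that one argument from it, for example with SecRuleUpdateTargetById or a ctl:ruleRemoveTargetById action; the error line's "at ARGS:content" fragment tells you which argument to exclude.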

• Disable ModSecurity (mod_security) if the WordPress exclusions above do not work

If you have a VPS or dedicated server you can disable ModSecurity from your web hosting control panel (the exact place differs per panel) or, if you edit the configuration yourself, by setting SecRuleEngine Off. A less drastic option when you control the configuration is SecRuleEngine DetectionOnly: requests are no longer blocked, but matches are still logged, so you can later work out which rules misfire and turn them into exclusions. On shared hosting, ask your web hosting provider to disable it for you. Either way you give up the protection ModSecurity gave the whole site, so treat this as a last resort.

* Don't forget to restart (or reload) your web server after changing the ModSecurity configuration or disabling it. On Apache, run apachectl configtest first so that a typo in the new directives does not take the site down.

That's it! You shouldn't see 403 Forbidden Error anymore now.

3 thoughts on “How to fix 403 Forbidden Error in WordPress caused by ModSecurity”

  1. Hi,
I was stuck on a 403 forbidden error at my website. I was searching for a possible solution and I came across your article. I found this one to be the best article and found the solution to my problem.
    Definitely, a very good article to fix this error. Thanks for sharing such detailed information.
    Keep it up.

  2. Dipak,

Thank you for this post. It was a lot of help! I am coming back to it again as I had this issue again. I have even linked to it on a forum for others to find. However, it looks like the gists are not showing up now. Can you fix this please? Much appreciated.
