How to fix 403 Forbidden Error in WordPress caused by ModSecurity

403 Forbidden Error in WordPress

✓ What is 403 Forbidden Error

The 403 Forbidden Error is an HTTP status code the server returns when it understood the request but refuses to fulfil it because the client (user) is not permitted to access the requested page or resource. Unlike a 401, a 403 does not ask you to authenticate; logging in again will not change the answer.

✓ Causes of 403 Forbidden Error

Many scenarios can trigger a 403 Forbidden Error in WordPress. The following are the most common causes:

• Corrupt .htaccess file
• File permission issues
• Incompatible or faulty plugins

✓ Solution

WPBeginner has written an in-depth article on fixing the 403 Forbidden Error in WordPress that walks you through repairing a corrupt .htaccess file, resetting folder and file permissions, and finding the incompatible or faulty plugin. If you have tried everything described in that article and you are still getting a 403 Forbidden Error, it is time to look at the ModSecurity configuration.


What is ModSecurity (mod_security)

ModSecurity is an open-source web application firewall (WAF) available as a module for Apache, Nginx and IIS. It inspects HTTP requests (and optionally responses) against a rule set, typically the OWASP Core Rule Set, and blocks requests that match known injection patterns such as SQL injection, cross-site scripting and remote file inclusion. The matching is signature-based: rules are mostly regular expressions run over request arguments, headers and cookies, so any legitimate input that happens to look like an attack will be blocked too.

WordPress 403 Forbidden Error and ModSecurity (mod_security)

ModSecurity can produce false positives when you work with WordPress posts and comments. When you post (save or update) data to admin-ajax.php, page.php or post.php (and bb-post.php if you have bbPress active), the request body carries HTML, shortcodes and whatever else you typed into the editor, and ModSecurity sometimes treats it (wrongly) as a code injection attempt and responds with a 403 Forbidden Error. To fix this, you can either add WordPress-specific exclusions to the ModSecurity configuration (preferred, because the rest of the site stays protected) or disable ModSecurity completely.

• Add specific rules for WordPress exclusion under ModSecurity (mod_security)

Follow the steps given below to whitelist WordPress under ModSecurity.

☑ Find whitelist.conf or exclude.conf under /usr/local/apache/conf/modsec2/ (CentOS in my case; your path may be different)

☑ Add the following rules

☑ Add the following rules only if you’ve BBPress installed and active

You’re done!
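The rules the steps above refer to are not preserved on this page. What follows is an added example of the kind of exclusion a practitioner would write, not the original post's rules. It uses ModSecurity 2.x syntax for Apache and assumes WordPress is served from the site root (so the editor lives under /wp-admin/), that rule IDs 10000-10002 are unused in your local range, and that the detection rules are the OWASP Core Rule Set, whose rules carry the tag "OWASP_CRS" (CRS 3.x; CRS 2.x tags begin with "OWASP_CRS/", which the regex tag below also matches). Field names such as content and excerpt are WordPress's classic-editor form fields; confirm against your own audit log.

```apache
# Added example, NOT the rules from the original post. ModSecurity 2.x / Apache.
# Assumptions: WordPress at site root, IDs 10000-10002 free, OWASP CRS tags.
# Put this in the exclusions file (e.g. whitelist.conf) that ModSecurity loads.

# 1. Preferred: narrow exclusion. Stop the CRS rules from inspecting only the
#    body fields that legitimately carry HTML and shortcodes, and only on the
#    editor endpoints. Other arguments, headers, cookies and all other URLs are
#    still scanned. phase:1 makes the exclusion run before the phase-2 body
#    rules; pass + nolog so this rule itself never blocks or fills the audit log.
SecRule REQUEST_FILENAME "@rx ^/wp-admin/(post|admin-ajax)\.php$" \
    "id:10000,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:excerpt,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:post_title"

# 2. Only if bbPress is active: the post names bb-post.php as a further
#    endpoint. Same treatment; the field name here is an assumption, so take
#    the real one from the audit log entry that blocked you.
SecRule REQUEST_FILENAME "@rx /bb-post\.php$" \
    "id:10001,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:post_content"

# 3. Last resort, instead of switching ModSecurity off for the whole site:
#    turn the engine off only for the editor endpoints, only for POST, and only
#    when a WordPress login cookie is present. admin-ajax.php is reachable
#    without authentication, so an unconditional ruleEngine=Off on it would
#    strip protection from a public endpoint. The cookie check is a heuristic
#    (the cookie's presence is not validated here), which is why the scope is
#    kept this tight. ctl sits on the LAST rule of the chain so it only fires
#    when every link has matched.
SecRule REQUEST_FILENAME "@rx ^/wp-admin/(post|admin-ajax)\.php$" \
    "id:10002,phase:1,t:none,pass,nolog,chain"
    SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule &REQUEST_COOKIES_NAMES:/^wordpress_logged_in_/ "@gt 0" \
        "ctl:ruleEngine=Off"
```

Before adding exclusions, read the ModSecurity error or audit log for the blocked request: the entry names the rule that fired ([id "..."] and [msg "..."]) and the variable it matched (for example ARGS:content), which tells you exactly which field to exclude. Prefer the narrowest exclusion that makes the log entry go away. Note that ctl:* actions take effect per request and must run in an earlier phase than the rules they affect, whereas the directive form SecRuleRemoveById has to appear after the rule it removes has been loaded.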

• Disable ModSecurity (mod_security) completely if the WordPress exclusions above do not work

You can disable ModSecurity completely from your web hosting control panel (the steps differ for each control panel) if you have a VPS or dedicated server. Alternatively, ask your web hosting provider to disable it for you. Bear in mind that this removes the WAF for the entire site, not just the admin screens, so treat it as a temporary measure while you work out which rule is misfiring.

* Don’t forget to restart (or reload) your web server after changing the ModSecurity configuration or disabling it; the running process does not pick up the new configuration otherwise.

That’s it! You shouldn’t see the 403 Forbidden Error anymore.

Customise WordPress Dashboard for Clients

To keep your clients out of risky areas, or to restrict their access to specific pages, you can customise the WordPress dashboard by adding the code below to your theme’s functions.php. The code hides parts of the WordPress dashboard menu.

Uncomment the line (remove the leading //) for each page you want to hide from the WordPress menu.

Be aware that this only hides the menu items from the dashboard; a client who knows (or guesses) the URL can still open those screens with a direct link. Hiding is a usability tidy-up, not an access control. What a user can actually do is decided by the capabilities of their role, so if a client must not install plugins or change settings, give them a role that lacks those capabilities rather than relying on a hidden menu.
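The snippet the section refers to is not preserved on this page. The following is an added example, not the original post's code, of how a practitioner would write it: one list of menu slugs drives both the menu trimming and a direct-URL check, so hiding and enforcement cannot drift apart. It assumes that "clients" are every logged-in user who lacks the manage_options capability (everyone but administrators) and uses only WordPress core functions (remove_menu_page, current_user_can, wp_doing_ajax, wp_die). The function names prefixed client_dashboard_ are hypothetical.

```php
<?php
// Added example, not the snippet from the original post. Put it in the active
// theme's functions.php as the post suggests, or (better) in a must-use plugin
// under wp-content/mu-plugins/ so it survives a theme switch and cannot be
// deactivated from the Plugins screen. Assumption: "clients" are all users
// without the manage_options capability. Function names are hypothetical.

/**
 * Uncomment a line to hide that top-level screen. These are WordPress core
 * menu slugs, which for these screens are also the admin file names, so the
 * same list works for the direct-URL check below. Slugs with query strings
 * (e.g. edit.php?post_type=page) would additionally need a post_type check.
 */
function client_dashboard_hidden_pages() {
    return array(
        'tools.php',              // Tools
        'edit-comments.php',      // Comments
        // 'plugins.php',         // Plugins
        // 'themes.php',          // Appearance
        // 'users.php',           // Users
        // 'upload.php',          // Media
        // 'options-general.php', // Settings
    );
}

/** Administrators keep the full dashboard; everyone else is a "client". */
function client_dashboard_is_client() {
    return is_user_logged_in() && ! current_user_can( 'manage_options' );
}

// Cosmetic part: remove the entries from the admin menu. Priority 999 so it
// runs after plugins have registered their own menu items.
add_action( 'admin_menu', 'client_dashboard_trim_menu', 999 );
function client_dashboard_trim_menu() {
    if ( ! client_dashboard_is_client() ) {
        return;
    }
    foreach ( client_dashboard_hidden_pages() as $slug ) {
        remove_menu_page( $slug );
    }
}

// Enforcement part: hiding the menu changes nothing about what a client can
// load by URL, so deny the same screens on admin_init when one is requested
// directly. This is a backstop; the real restriction belongs in the role's
// capabilities (a client with no install_plugins capability cannot install a
// plugin whether or not plugins.php is visible).
add_action( 'admin_init', 'client_dashboard_block_hidden_pages' );
function client_dashboard_block_hidden_pages() {
    global $pagenow; // e.g. "tools.php" for a request to /wp-admin/tools.php

    // Leave AJAX requests alone: admin-ajax.php is not one of the hidden screens
    // and blocking it here would break editor autosave and the heartbeat.
    if ( ! client_dashboard_is_client() || wp_doing_ajax() ) {
        return;
    }
    if ( in_array( $pagenow, client_dashboard_hidden_pages(), true ) ) {
        // Second argument as an integer sets the HTTP response code.
        wp_die( 'Sorry, you are not allowed to access this page.', 403 );
    }
}
```

To verify the enforcement half, log in as a client-role user and request one of the hidden URLs (for example /wp-admin/tools.php) directly: you should get the 403 page, not the screen. If a screen still opens, the slug in the list does not match $pagenow for that request.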


Easy Digital Downloads – Extra note(s) On Checkout



Version: 1.1
Requires: WordPress 3.5 or higher
Compatible up to: 5.2.2
Released: 04 January 2017
Downloads: 682
Last Updated: 19 June 2019
Ratings: 0 (0 stars out of 5)

Description:

This WordPress plugin is an Easy Digital Downloads add-on/extension that adds an ‘Extra note(s)’ textarea to the checkout screen so buyers can add notes about their order.

This plugin:
– Adds an ‘Extra note(s)’ textarea to the checkout screen
– Adds an {extra_note} email tag that inserts the ‘Extra note(s)’ text into the standard purchase receipt or the admin notification

This plugin has no settings or options. Just install it, activate it, and you’re done.

Installation:

  1. Upload the ‘edd-extra-notes-on-checkout’ folder to the ‘/wp-content/plugins/’ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.
  3. That’s it!

FAQ:

Are there any specific requirements for this plugin to work?
The Easy Digital Downloads plugin must be installed and activated for this plugin to work.

Is that it?
Pretty much, yeah.

Screenshots:

Screenshot 1: Extra note(s) textarea on the checkout screen

Screenshot 2: the {extra_note} email tag