WordPress 403 Forbidden errors

The WordPress login page of one of the sites that I maintain was struck by the dreaded “Forbidden” error message earlier today.  I thought it was odd, because I knew I hadn’t changed anything. So after Googling about a bit, I came up with 3 consistent suggestions for what could be the problem.

Folder/file permissions

For WordPress all folders should be set to 755 and all files should be 644.  I’m not going to explain how to do this, loads of other sites already have this covered, but please be careful if you’re not sure what you’re doing as this can be a little dangerous.  For me, this did not solve the problem.


The next suggestion was a dodgy plugin, probably a security one.  Well I do like to use WebARX, which is a great security plugin, and does have login protection options, so seemed like a viable candidate.  However, disabling all the plugins did not resolve the problem (tip: rename the “plugins” and “mu-plugins” folders via FTP to do this quickly and easily).

.htaccess File

The last popular option was a corrupt .htaccess file.  Again, the quickest way to check is to simply rename the file and then try to access the site again, which didn’t make a difference.


So just to be sure, I did all 3 at once!  And no, crossing my fingers whilst I hit refresh didn’t help either.  Worth a try though, right?

Eventually, after quite a bit of research (and reading about these 3 suggestions several times, ad nauseum) I stumbled across a fourth suggestion.

.htaccess File – part 2

Back to the .htaccess file, but this time to add a specific snippet…

<Files wp-login.php>
  Allow from all

This is specifically telling the server to allow access to this file from all IP addresses.  Of course you could tweak this to only allow from specific IP addresses, but as most of us are on the go these days, accessing from a static IP address instead of whichever hotel/airport/cafe wifi we happen to be connected to at the time, is rather unlikely.

It looks like the host may have denied access to this file because it was getting targeted, but this snippet should keep it accessible.  No more “Forbidden” errors.

Adding security.txt

Earlier in the year I wrote about adding humans.txt, a simple text file which can be used to list the humans involved in building the website.  I also use my file to list tools and services that have I have to build and run my website. There is also a reasonably new initiative out there to add…

Git aliases

Taking a slight sidebar from my current blog series entitled Getting going with Heroku and PHP (part 1) (and part 2), I’ve discussed that the commands that I am now using to push updates are as follows… gulp git add . git commit -m “A useful commit message” git push git subtree push –prefix build heroku master This…