What is the difference between a 403 and a 401 error?

A 401 Unauthorized is the server saying it does not yet know who you are and would like valid credentials. A 403 Forbidden is the server saying this request is not allowed, full stop, no matter what credentials you hold; you might already be logged in and still be turned away from that resource. Put simply: 401 is a question of identity, 403 is a question of permission.

Why do I get a 403 Forbidden error on WordPress wp-admin?

On wp-admin it is usually a security plugin or firewall that blocked your IP, a corrupted .htaccess, or wrong file permissions. Disable plugins by renaming the plugins folder over SFTP, regenerate .htaccess from Settings then Permalinks, and confirm files sit at 644 and folders at 755. If your IP got blocked, add it to the allowlist in the security plugin or firewall.

Why did a page suddenly start returning a 403?

A 403 that appears out of nowhere almost always follows a recent change: a plugin or theme update, an edit to .htaccess, a new firewall or WAF rule, a CDN tweak, or permissions reset during a migration or backup restore. Retrace whatever you touched most recently. If genuinely nothing on your side moved, your host may have tightened a server-level rule, so ask them.

Is a 403 error my fault or the website's fault?

Could be either. As a visitor you rarely caused it, though a VPN, a stale cookie, or a cached page on your end can set it off, which is why clearing cookies and dropping the VPN are worth a shot. Far more often a 403 is a configuration choice, or mistake, on the website's side, and only the owner can lift it by changing permissions, rules, or firewall settings.

Can a VPN cause a 403 Forbidden error?

It can. Lots of websites block known VPN, proxy, and datacenter IP ranges, or gate access by country, so a request routed through a VPN can land on one of those blocked ranges and earn a 403. Disconnect the VPN, or hop to a different server location, and it often clears straight away. If the page loads fine without the VPN, the block was tied to the VPN's IP.

Does a 403 error hurt SEO?

It can, when it lands on pages you want indexed. Serve Googlebot a 403, often because a WAF or firewall blocks its IP or user agent, and it cannot crawl the page, so the page never gets indexed and can fall out of search results if the block sticks. Anything meant to be public has to return 200, so allowlist legitimate crawlers and keep your access rules clear of your indexable URLs.

Why does a server send a 403 instead of a 404?

A 403 says the resource is off-limits; a 404 says it does not exist. Some servers return 404 in place of 403 on purpose, refusing to confirm that a protected resource is even there, a security choice the HTTP spec calls out. So a 403 usually means the thing exists and you cannot have it, while a 404 means the server is admitting to nothing at that address.

What is the difference between a 403 on Apache and on nginx?

Same status code, different default page and different rule behind it. Apache tends to print You don't have permission to access this resource, and the trigger is usually file permissions, a deny or Require directive in .htaccess, or a directory with no index and autoindex off. Nginx just says 403 Forbidden with no decoration; look for a deny inside a location block, a missing index directive, or files the worker process simply cannot read. Open whichever server's config you actually run and start there.

Why do I get a 403 only when submitting a form or POST request?

If the page loads fine but submitting it gets a 403, the block is happening on the write, not on a file. Three things cause this almost every time: a CSRF token that is missing or expired, a WAF or ModSecurity rule reading your form body as an attack, or a firewall that distrusts POST traffic from your IP. Open the network panel, find the failing POST, then grep your WAF and security-plugin logs for a block on that request.

Can Cloudflare or another CDN return a 403 before my server is even reached?

It can, and often does. The CDN or WAF sits in front of your origin, so it can answer 403 at the edge on its own, say Cloudflare firewall or managed rules turning away an IP, a country, or a request pattern. You usually spot it because the page carries a ray ID or request ID and looks nothing like your real design. Hit the origin IP directly to prove the origin is clean, then either allowlist the legitimate source or fix the offending rule in the CDN dashboard.

Why does opening a folder URL give a 403 when the files inside load fine?

Directory listing is switched off. Request a folder with no index file on a server told not to list contents (Apache Options -Indexes, or nginx without autoindex on) and there is nothing to hand back, so it returns 403 instead of dumping the file list. Drop an index.html or index.php into that directory, or aim the request at a real file, and the 403 goes away.

Does a monitoring tool count a 403 as the website being down?

Depends entirely on the check. A bare reachability ping sees a fast, valid HTTP response and calls the host up, hiding the fact that visitors are locked out. A check that asserts the expected status code, or matches expected content, treats that 403 as a failure. Pulsetic watches from outside the server, so all it can read is the status code and body you return, not the reason the server chose to forbid the request. Point it at the URLs that matter and have it verify the response.

403 Forbidden

You asked for a page and the server answered, but instead of the content it slammed the door: access to this resource is forbidden. The connection worked, the URL resolved, the server is alive. It simply decided you are not allowed in, and reloading the same request will get you the same refusal.

Updated June 2026 · 7 min read

Written by

Andrian Valeanu Founder of Pulsetic

Andrian Valeanu founded Pulsetic and, before it, Designmodo. Across 15-plus years he has shipped web products, design tools, and monitoring software teams around the world rely on.
Reviewed by

Ionut Caval Technical reviewer

Ionut Caval reviews Pulsetic's technical guides for accuracy. He works hands-on with web servers, networking, and uptime monitoring day to day, and makes sure the causes and fixes here hold up in production.

The short version: Visiting the page? Double-check the URL, clear your cache and cookies, switch off any VPN, and try once more. Running the website? It is almost always one of four things: file permissions set wrong, a bad .htaccess rule, a missing index file, or a firewall or security plugin turning the request away.

Key takeaways

403 Forbidden means the server understood you perfectly and chose to refuse. DNS resolved, the connection opened, TLS finished: this is a permission decision, not an outage.
A 401 invites you to authenticate. A 403 does not. Per RFC 9110 the server has already decided this request is not allowed, logged in or not, and that is the whole point of the 401-vs-403 split.
On the owner side, three things cause most 403s: file or folder permissions set wrong (644 for files, 755 for folders), no directory index, or a deny rule sitting in .htaccess or an nginx location block.
Plenty of 403s come from the edge instead. A WAF, firewall, CDN, or security plugin can turn away an IP, a country, a user agent, or a bot, and that net sometimes catches legitimate crawlers like Googlebot or your own monitoring.
From the outside a 403 reads like a healthy server answering fast, so a simple up-or-down ping marks the website up while real visitors hit a wall on the blocked path.

Error type: HTTP 4xx client error
Whose side: Either: your access or the website config
Fix difficulty: Easy to moderate
Common cause: Access to the resource is denied

What does 403 Forbidden mean?

A 403 Forbidden lives in the 4xx family, the side of the spec that blames the request rather than a crashed server. The server got your request, parsed it, and the resource may well be sitting right there. It is choosing not to authorize you. RFC 9110 is blunt about this: retrying with fresh or different credentials is unlikely to change anything, and that is precisely the line between a 403 and a 401. A 401 means the server has not figured out who you are yet and wants you to authenticate. A 403 means it has decided, and the answer is no, whether you are signed in or not.

Sometimes the refusal is on purpose, sometimes it is an accident. By design, the server might be enforcing a permission rule, an IP allowlist, hotlink protection, or a firewall policy. By accident, it is just as likely to be a misconfiguration: permissions clamped down too hard, a directory with no index file, or a stray deny rule lurking in .htaccess. A few servers even prefer 403 to 404, openly admitting the resource exists but is off-limits rather than pretending it is not there. Either way, the cure is in the server config, not in hammering the browser harder.

The path a request takes from your browser to the website's servers. A 403 Forbidden is produced at the highlighted stages.

403: HTTP status code
4xx: Client-side error class
644 / 755: Correct file / folder permissions

How the 403 Forbidden error appears

The wording changes depending on your browser, device, or server. Here is how this error commonly shows up:

403

Forbidden

You don't have permission to access this resource.

What a 403 Forbidden looks like in the browser. The exact wording varies by browser, device, and server.

403 Forbidden
HTTP Error 403 - Forbidden
Forbidden: You don't have permission to access this resource
Access Denied
403 Forbidden nginx
Error 403

403 vs 401, 404 and 400

All four sit in the 4xx client-error family, but they answer different questions about why the request failed.

Code	What it means	Who fixes it
400 Bad Request	The server could not parse the request itself: malformed syntax, a bad header, or an oversized cookie. It never got as far as checking permission.	Usually the client or app sending the request; sometimes a proxy or browser cache.
401 Unauthorized	You have not proven who you are. The resource exists but is gated behind authentication, and valid credentials would let you in.	The visitor, by logging in correctly, or whoever holds the API token or auth config.
403 Forbidden	The server knows the request and may know who you are, but it refuses to authorize access to that resource. Re-sending credentials will not help.	The website owner or admin, by fixing permissions, rules, or the firewall (or the visitor, if it is a block).
404 Not Found	The server has no resource at that URL, or is hiding one it does not want to admit exists.	The website owner, by restoring the resource or fixing the link; or the visitor, by correcting the address.

Where a 403 comes from and how to confirm it

A 403 can originate at several layers, and each leaves a different fingerprint, so locating the layer is the fastest way to the fix.

Origin of the block	Telltale sign	Where to look	Typical fix
File or folder permissions	Whole website or a directory 403s right after a migration or backup restore	SFTP or host file manager	Reset files to `644`, folders to `755`
Missing directory index	Requesting a folder 403s but a file inside it loads, with autoindex off	The requested directory	Add `index.html` or `index.php`, or enable an index directive
`.htaccess` or nginx rule	One path or pattern 403s while the rest of the website is fine	`.htaccess` `deny` / `Require`, or the nginx `location` block	Comment out or correct the offending rule, then reload
Firewall, WAF, or CDN	403 hits only certain IPs, countries, user agents, or bots; edge logs show a block event	WAF, firewall, or CDN event log	Allowlist the legitimate IP, agent, or crawler
Security or caching plugin	WordPress `wp-admin` or login locks out after a plugin update	Plugin firewall and activity logs	Disable the plugin or allowlist your IP, then re-enable

What causes 403 Forbidden?

File or folder permissions set wrong, far and away the most common cause. Files want 644, folders want 755; anything tighter and the server will not serve them.
No index file in the directory you asked for (index.html or index.php). With directory listing off, the server has nothing to show and answers 403.
An .htaccess file gone bad: a deny rule, a broken rewrite, or a Require directive that walls off the path.
A WAF, firewall, or plain IP block rejecting your address, user agent, or country. These rules sometimes sweep up legitimate bots like Googlebot too.
Hotlink protection refusing image or file requests because the referrer is not on the allowed list of domains.
A security or caching plugin, the usual story on WordPress, that has flagged the request or sealed off wp-admin.
An empty document root, or a CDN, reverse proxy, or origin-shield pointed at the wrong path or running its own access rules.

How to find the cause fast

Pin down the scope before anything else. Is it every page, or one URL or directory? A site-wide 403 points at permissions, an empty document root, or a server-level rule. A single path points at a local rule, a missing file, or a plugin.
Open SFTP or your host's file manager and check permissions. Files should read 644, folders 755, and an index file should actually be present in the directory you are requesting.
Open .htaccess on Apache, or the relevant location block on nginx, and scan for deny, Require, or autoindex rules. Rename or comment them out for a moment and watch whether the 403 clears.
Then look at whatever guards the app: a WAF, firewall, CDN, or security plugin. Dig through its logs for a block on your IP, your user agent, or the affected URL, and make sure it is not quietly blocking your own monitoring or crawl traffic.

curl -sI https://example.com/adminHTTP/1.1 403 ForbiddenServer: Apache# file permissions, an IP rule, or a WAF blocked it

What a 403 Forbidden looks like from the command line. The grey lines starting with # are explanatory comments.

How 403 Forbidden looks from the outside

To anything checking from the outside, a 403 looks like a server in perfect health. The connection opens, TLS finishes, a real HTTP response comes back fast, just carrying the wrong status code. That is what makes 403 so sneaky: a plain up-or-down ping happily calls the website up while real visitors get turned away. The only way to catch it is to read the actual status code on the URL that matters, not just whether the host answers at all. A firewall or WAF rule that starts blocking a whole path, or even your own monitoring agent's IP, can flip a page to 403 with nothing else looking out of place.

To confirm the exact code a URL returns, or to re-test several at once after a fix, run them through the free bulk URL status checker.

How to fix 403 Forbidden

If you are a visitor

Read the URL again for typos. Make sure you are asking for a page, not a directory the website will not let you browse.
Refresh once. A brief, one-off 403 sometimes just clears itself.
Clear your browser cache and cookies, or open the page in a private window, in case a stale or bad cookie is what is triggering the block.
Drop any VPN or proxy and try again. Some websites forbid whole VPN IP ranges or specific countries.
Switch off browser extensions or security software that could be getting in the way, then reload.
Still stuck? Then the block is on the website's end. Wait and retry later, or tell the website owner the page is coming back forbidden.

If you run the website

Set permissions straight: 644 for files, 755 for folders, and 440 or 400 for wp-config.php, applied recursively over SFTP or your host's tools.
Confirm the requested directory has a real index file (index.html or index.php), or that the server is set to serve one.
Reset a broken .htaccess. Back it up, delete it, and let the app write a clean one (in WordPress, open Settings then Permalinks and hit Save Changes).
Comb through your firewall, WAF, and any IP allow or deny lists for rules catching legitimate visitors, bots, or your own monitoring agents, then adjust or allowlist them.
Turn off security and caching plugins one by one (on WordPress, rename the plugins folder, then reactivate each in turn) until the plugin forcing the 403 shows itself.
Open your hotlink protection settings and make sure every domain that should be loading your assets is on the allowed-referrer list.
Bypass or reconfigure your CDN or reverse proxy for a moment to see whether the 403 is coming from the edge rather than your origin.
Run a malware scan, since an infected website can inject rules that block access, and loop in your host if the cause turns out to be a server-level config.

Still not fixed? Next steps

Reproduce it from somewhere that is not your own network: curl -sI from a server or a different connection. If the 403 trails your IP wherever you go, an allowlist, firewall, or country rule is blocking you, not a broken file.
Now bisect the stack from the top. Bypass the CDN by hitting the origin IP, then turn off the WAF or security plugin, then rename .htaccess. Check after each step, and the layer that stops returning 403 is your culprit.
Read the access and error logs for the request that actually 403d. Apache writes the matched rule or the permission that failed; nginx writes the directory-index or rule failure. More often than not the log names the cause outright.
Origin clean but the edge still turning away real traffic or crawlers? Take it to your host or CDN support with the request ID or ray ID printed on the 403 page so they can trace which rule fired.

Code & configuration

Copy-paste starting points. Replace example.com and the paths with your own, and test changes on staging before production.

Reset file and folder permissions over SFTP

# folders to 755, files to 644 (run from the website root)
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

Regenerate a clean Apache .htaccess

# back up the old file, then let the app rebuild it
mv .htaccess .htaccess.bak
# in WordPress: Settings > Permalinks > Save Changes writes a fresh one

Define a directory index (nginx) so the folder is not refused

# inside the relevant location / server block
index index.html index.php;
# a missing index file with autoindex off returns 403 Forbidden

How to prevent 403 Forbidden

A 403 tends to show up after a permissions change, a fresh security rule, or a bad deploy, and on a key page it locks out every visitor without a sound. Pulsetic checks your website and the URLs you care about from multiple locations every 30 seconds, runs keyword checks to confirm the right content actually loaded, and pings you over email, SMS, Slack, and more the instant a page starts returning 403 instead of what it should. It watches availability from the outside, never touching your server's internals.

Learn how Pulsetic's uptime monitoring detects this from the outside, across 15+ locations.

Related errors

Browse all error guides

Frequently asked questions

What is the difference between a 403 and a 401 error?

A 401 Unauthorized is the server saying it does not yet know who you are and would like valid credentials. A 403 Forbidden is the server saying this request is not allowed, full stop, no matter what credentials you hold; you might already be logged in and still be turned away from that resource. Put simply: 401 is a question of identity, 403 is a question of permission.
Why do I get a 403 Forbidden error on WordPress wp-admin?

On wp-admin it is usually a security plugin or firewall that blocked your IP, a corrupted .htaccess, or wrong file permissions. Disable plugins by renaming the plugins folder over SFTP, regenerate .htaccess from Settings then Permalinks, and confirm files sit at 644 and folders at 755. If your IP got blocked, add it to the allowlist in the security plugin or firewall.
Why did a page suddenly start returning a 403?

A 403 that appears out of nowhere almost always follows a recent change: a plugin or theme update, an edit to .htaccess, a new firewall or WAF rule, a CDN tweak, or permissions reset during a migration or backup restore. Retrace whatever you touched most recently. If genuinely nothing on your side moved, your host may have tightened a server-level rule, so ask them.
Is a 403 error my fault or the website's fault?

Could be either. As a visitor you rarely caused it, though a VPN, a stale cookie, or a cached page on your end can set it off, which is why clearing cookies and dropping the VPN are worth a shot. Far more often a 403 is a configuration choice, or mistake, on the website's side, and only the owner can lift it by changing permissions, rules, or firewall settings.
Can a VPN cause a 403 Forbidden error?

It can. Lots of websites block known VPN, proxy, and datacenter IP ranges, or gate access by country, so a request routed through a VPN can land on one of those blocked ranges and earn a 403. Disconnect the VPN, or hop to a different server location, and it often clears straight away. If the page loads fine without the VPN, the block was tied to the VPN's IP.
Does a 403 error hurt SEO?

It can, when it lands on pages you want indexed. Serve Googlebot a 403, often because a WAF or firewall blocks its IP or user agent, and it cannot crawl the page, so the page never gets indexed and can fall out of search results if the block sticks. Anything meant to be public has to return 200, so allowlist legitimate crawlers and keep your access rules clear of your indexable URLs.
Why does a server send a 403 instead of a 404?

A 403 says the resource is off-limits; a 404 says it does not exist. Some servers return 404 in place of 403 on purpose, refusing to confirm that a protected resource is even there, a security choice the HTTP spec calls out. So a 403 usually means the thing exists and you cannot have it, while a 404 means the server is admitting to nothing at that address.
What is the difference between a 403 on Apache and on nginx?

Same status code, different default page and different rule behind it. Apache tends to print You don't have permission to access this resource, and the trigger is usually file permissions, a deny or Require directive in .htaccess, or a directory with no index and autoindex off. Nginx just says 403 Forbidden with no decoration; look for a deny inside a location block, a missing index directive, or files the worker process simply cannot read. Open whichever server's config you actually run and start there.
Why do I get a 403 only when submitting a form or POST request?

If the page loads fine but submitting it gets a 403, the block is happening on the write, not on a file. Three things cause this almost every time: a CSRF token that is missing or expired, a WAF or ModSecurity rule reading your form body as an attack, or a firewall that distrusts POST traffic from your IP. Open the network panel, find the failing POST, then grep your WAF and security-plugin logs for a block on that request.
Can Cloudflare or another CDN return a 403 before my server is even reached?

It can, and often does. The CDN or WAF sits in front of your origin, so it can answer 403 at the edge on its own, say Cloudflare firewall or managed rules turning away an IP, a country, or a request pattern. You usually spot it because the page carries a ray ID or request ID and looks nothing like your real design. Hit the origin IP directly to prove the origin is clean, then either allowlist the legitimate source or fix the offending rule in the CDN dashboard.
Why does opening a folder URL give a 403 when the files inside load fine?

Directory listing is switched off. Request a folder with no index file on a server told not to list contents (Apache Options -Indexes, or nginx without autoindex on) and there is nothing to hand back, so it returns 403 instead of dumping the file list. Drop an index.html or index.php into that directory, or aim the request at a real file, and the 403 goes away.
Does a monitoring tool count a 403 as the website being down?

Depends entirely on the check. A bare reachability ping sees a fast, valid HTTP response and calls the host up, hiding the fact that visitors are locked out. A check that asserts the expected status code, or matches expected content, treats that 403 as a failure. Pulsetic watches from outside the server, so all it can read is the status code and body you return, not the reason the server chose to forbid the request. Point it at the URLs that matter and have it verify the response.

Catch the next outage before your visitors do.

2-minute setup · Cancel any time
Create Free Account

Your Dashboard

No credit card needed