KnowledgebaseAccess to this resource on the server is denied (403 Forbidden)

Fix the 403 Forbidden error: access to this resource on the server is denied. Common causes include wrong file permissions, .htaccess rules, WAF/ModSecurity blocks, hotlink protection, and WordPress security plugins.

DocumentationUpdated Jan 28, 2026

Access to this resource on the server is denied (403 Forbidden)

If you are seeing "Access to this resource on the server is denied" or 403 Forbidden, it means the server understood your request but refused to allow it. In most cases the fix is in one of these places: wrong file permissions, a bad .htaccess rule, WAF/ModSecurity blocking your request, or a security setting in WordPress or Cloudflare.

This guide shows the fastest way to diagnose the cause and fix it safely on a typical LiteSpeed + cPanel hosting stack.

Applies to

  • Errors like: 403 Forbidden, Access denied, You don't have permission to access this resource, Access to this resource on the server is denied
  • WordPress and non-WordPress sites
  • Sites behind Cloudflare or direct-to-server

What is the 403 Forbidden error?

HTTP 403 is a response code that tells the browser: the server received the request, but access is blocked by policy. Unlike a 404 (not found), the resource often exists, but your request is not allowed due to permissions or security rules.

Why it matters (SEO, uptime, and security)

  • Users: visitors cannot load your site, admin pages, images, or downloads.
  • SEO: Google may drop pages from the index if key URLs return 403 (especially if it persists).
  • Security: sometimes 403 is a good sign, it can mean your WAF blocked a malicious request.

How a 403 happens (simple technical flow)

  1. Request arrives: browser or bot requests /, /wp-admin/, a file, or an API route.
  2. Edge rules run (optional): Cloudflare firewall rules, country blocks, rate limits, hotlink rules.
  3. Web server rules run: LiteSpeed/Apache evaluates .htaccess, directory rules, and IP restrictions.
  4. File system checks: permission bits, ownership, and allowed access to directories and files.
  5. App-level checks: WordPress security plugins, login restrictions, or application middleware can block access.

Fastest fix flow (do these in order)

Start with the quickest checks first. A 403 can look complex, but it is usually one small setting.

Step 1: confirm it is not a local or cache issue

  • Test in a private window and in a second browser.
  • Test from another network (mobile data or VPN). If it works elsewhere, it can be an IP block or ISP/CDN issue.
  • Check if only one URL is affected (example: only /wp-admin/ returns 403).

Step 2: check Cloudflare and CDN firewall settings (if you use it)

If the site uses Cloudflare, a 403 can be returned by Cloudflare (before your server is even reached).

  • Firewall rules: look for blocks by country, IP, User-Agent, or URI patterns.
  • WAF managed rules: false positives can block admin requests, REST API calls, or query strings.
  • Rate limiting: too many requests to /wp-login.php can trigger blocks.

Tip: temporarily set Cloudflare to Development Mode and disable extra security features for 5-10 minutes to see if the 403 disappears. If yes, the fix is in Cloudflare rules, not cPanel.

Step 3: check for a broken or restrictive .htaccess rule

A single line in .htaccess can block the whole site. This is the most common reason for “access denied” after a plugin install, a migration, or enabling hotlink protection.

  1. Log in to cPanel. If you need help, use this guide: How to access cPanel.
  2. Open File Manager and go to public_html (or the addon domain document root).
  3. Find .htaccess and rename it to .htaccess.disabled.
  4. Test the site again.

If the 403 is fixed after renaming, restore .htaccess and look for rules like:

  • Deny from all or Require all denied
  • IP restrictions on admin paths
  • Misconfigured rewrite rules after changing domains
  • Hotlink protection rules that block images/CSS/JS

For WordPress, you can regenerate clean rewrite rules by going to Settings > Permalinks and clicking Save (after the site loads again).

Step 4: fix file and folder permissions (most common on uploads and admin)

Wrong permissions can block access even when the file exists. On most shared hosting setups:

  • Folders: 755
  • Files: 644
  • .htaccess: 644

Avoid 777. It is insecure and can trigger WAF rules on modern hosting stacks.

How to fix permissions in cPanel

  1. Open File Manager.
  2. Right-click the affected folder or file and click Change Permissions.
  3. Set folders to 755 and files to 644.

Also check file ownership (advanced)

Permissions can look “correct” but a 403 still happens if ownership is wrong (common after migrations or manual uploads). If your files are owned by the wrong user, PHP and the web server can refuse access.

If you suspect ownership issues, do not try risky bulk changes. Open a ticket and ask us to check file ownership for your document root.

Step 5: check for missing index files or directory listing blocks

If you browse a directory like / or /files/ and there is no index.php or index.html, the server may return 403 because directory listing is disabled (common for security).

  • Fix: add the correct index file, or ensure your CMS routing is correct.
  • Do not “enable indexes” unless you understand the risk: open directories can leak backups, uploads, and private files.

Step 6: ModSecurity / WAF blocks (false positives)

On secure hosting, ModSecurity (or similar WAF rules) can block requests that look suspicious, even if they are legitimate. This can happen when:

  • Forms submit payloads that resemble SQL injection or XSS.
  • A plugin/theme uses unusual query strings.
  • You are using nulled plugins/themes that trigger signatures (also a real security risk).

If the 403 only happens on specific actions (login, form submit, search), check cPanel Metrics > Errors. If you see ModSecurity rule IDs, share them with support so we can whitelist safely.

Step 7: WordPress-specific causes (plugins, security hardening, and cache)

  • Security plugins: Wordfence, iThemes, All In One WP Security can block your IP or lock you out of /wp-admin/.
  • Login URL changes: plugins that change the login path can show 403 on the old URL.
  • Cache: purge LiteSpeed Cache (LSCache) and any CDN cache if you recently changed rules.

If you cannot access wp-admin, temporarily rename the plugin folder in wp-content/plugins (example: wordfence to wordfence.off) and test again.

Step 8: hotlink protection blocks images, CSS, or JS

Hotlink protection is meant to stop other websites from embedding your images. But if it is configured incorrectly, it can block your own assets and cause pages to look broken.

  • Symptom: HTML loads but images or CSS return 403 in the browser dev tools.
  • Fix: review hotlink protection settings and make sure your own domain(s) are whitelisted (including www and non-www variants).

Step 9: IP blocks and server-side restrictions

Sometimes access is denied by an IP rule rather than a file rule. This can happen after too many login attempts, a security plugin block, or a manual deny rule.

  • Check: cPanel IP Blocker (if available) and any Deny/Require rules in .htaccess.
  • Check: WordPress security plugin logs for blocked IPs.
  • Note: if the site works from mobile data but not from your office/home network, an IP-based block is very likely.

403 vs 401 vs 404 vs 500 (quick comparison)

CodeMeaningMost common cause
401UnauthenticatedYou need login credentials (basic auth, API auth).
403ForbiddenPermissions, .htaccess deny rules, WAF blocks, hotlink protection.
404Not foundWrong URL, missing file, broken rewrite rules.
500Server errorPHP fatal error, misconfigured .htaccess, app crash.

Common myths (and the real fix)

  • Myth: “403 means the server is down”
    Reality: the server is responding, it is refusing access due to rules or permissions.
  • Myth: “Set everything to 777 and it will work”
    Reality: it can create security issues and can trigger WAF blocks. Use 755/644 instead.
  • Myth: “It is always Cloudflare”
    Reality: Cloudflare can cause 403, but so can .htaccess, file ownership, WordPress plugins, and ModSecurity.

Why Middlehost is different

403 errors are often the side effect of better security. Our stack is built to protect accounts by default (LiteSpeed server rules, WAF protections, safe defaults like disabled directory listing). We also strongly discourage cracked licenses and nulled plugins/themes, because they frequently cause infections, spam, and repeated security blocks.

If you are hosting WordPress, use a plan built for it: WordPress hosting. For general sites and landing pages, choose a stable plan with enough CPU/RAM and inode headroom: web hosting or cloud hosting.

If this started after a migration or DNS change

After moving a site, a 403 is often caused by the wrong document root, an old .htaccess rule copied from another server, or DNS still pointing to the previous host.

  • Confirm DNS: make sure the domain points to the correct server IP and the right nameservers.
  • Confirm document root: addon domains must point to the folder where your index.php/index.html actually exists.
  • Re-check permissions and ownership after restoring backups.

When to contact support

If you tried the steps above and the 403 is still happening, open a ticket and include:

  • Your domain and the exact URL returning 403
  • Whether you use Cloudflare (and if the error page shows Cloudflare)
  • Screenshot of the error
  • The time it happened (with timezone)
  • Any ModSecurity or server error log entries from cPanel Metrics > Errors

FAQs

What does “access to this resource on the server is denied” mean?

It means the server received your request, but a rule blocked it. The resource might exist, but access is denied due to file permissions, a restrictive .htaccess rule, a firewall/WAF decision, hotlink protection, or an application-level security check. Fixing the rule or permission usually resolves it.

How do I fix 403 Forbidden in cPanel?

Start in cPanel File Manager. Check permissions (folders 755, files 644), confirm the correct document root, and test by temporarily renaming .htaccess. If it is WordPress, disable the blocking plugin folder briefly. Also review cPanel Metrics > Errors for WAF or rule hits.

Why do images or CSS return 403 but the page HTML loads?

That pattern usually points to hotlink protection or a firewall rule that blocks requests with certain referrers or file extensions. Check whether the site is accessed via both www and non-www, and ensure both are allowed in hotlink settings. Also confirm the assets have correct permissions and are not blocked by a CDN rule.

Is a 403 error caused by SSL?

Usually no. SSL issues more commonly show certificate warnings, mixed content issues, or TLS handshake failures, not 403. However, SSL-related redirects and security rules can contribute indirectly if a WAF blocks a redirect pattern or a plugin hardening rule blocks an endpoint. If you recently changed SSL settings, purge cache and re-check rules.

Can Cloudflare cause “access denied” 403 errors?

Yes. Cloudflare can return 403 when firewall rules, managed WAF rules, bot protection, or rate limiting blocks the request at the edge. If disabling Cloudflare security features temporarily makes the site work, the fix is in Cloudflare configuration. If Cloudflare is bypassed and 403 persists, the fix is on the origin server.

Next ArticleBlacklisted URLs: what it means, how to check, and how to fix it

Supercharge Your Website with Blazing-Fast Hosting

Join thousands of businesses and creators who trust us to deliver unmatched speed, reliability, and support. Let’s chat and find the perfect plan for you!

Chat with Us
99.9% Uptime
24/7 Support
Anytime Money-Back Guarantee