Follow @BPSPro

BulletProof Security 403 Forbidden Errors – Troubleshooting BPS 403 Forbidden Errors

2 Comments RSS Site Feed Author: AITpro Admin
Published: November 25, 2011
Updated: May 26, 2017

Forbidden
You don’t have permission to access /wp-admin/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

OR

Forbidden
You don’t have permission to access /wp-admin/ on this server.”
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

Most likely this means that the .htaccess file has an invalid entry in it.  I have now come across a couple of web hosts that this is happening on.  This is not happening on all web hosts just some of them.

This BPS QUERY STRING FILTER in the root .htaccess file is being written to the root .htaccess file incorrectly >>> this is the way the filter should look >>>
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR].

What is happening is that the double slashes are being written (during fwrite) as single slashes and this is not valid, which invalidates the entire root .htaccess file >>>
RewriteCond %{THE_REQUEST} (\r|\n|%0A|%0D) [NC,OR]

This filter will be permanently changed to RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR] in future versions of BPS.  Until then when you use AutoMagic to create your Master .htaccess files go to the BPS built-in .htaccess File Editor, click on the secure.htaccess tab and edit this filter as shown above removing \r and \n from the filter before activating BulletProof Mode for your Root folder.  This filter is a redundant filter, but it does block one rare CRLF Injection hacking method so it is important.

The HTTP_COOKIE filter will no longer be included in BPS.  If you are using a plugin that deals with PHP SESSION and a conflict exists with this filter >>> RewriteCond %{HTTP_COOKIE} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]  Comment this filter out or delete it.  This appears to be problematic for at least one plugin:  event espresso.  Also if you are using event espresso you may also need to delete the wp-admin .htaccess file or comment out all the security filters in the wp-admin .htaccess file.  The Root .htaccess file in all new versions of BPS and BPS Pro now protects the /wp-admin folder so the /wp-admin .htaccess file is not really necessary any more.  You might also need to add an .htaccess Skip rule for this plugin in your root .htaccess file.  Pending a full description of all required things for event espresso, but these are all the possible additional things that may need to be done for event espresso.

Another possible cause could be an invalid PHP handler in your root .htaccess file. something like this .htaccess php handler code below.  If you see PHP handlers in your root .htaccess file then check to make sure that they are correct handlers for your particular web host.

AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php5.cgi

Or your web host may require that you add a PHP handler in your .htaccess file and you have not added it yet- check with your Web Host to see if they require this. This is a general example of a php handler below. All web hosts have their own specific handlers – DO NOT just use this example php handler – check with your Web Host.

# ADD A PHP HANDLER - Add your hosts php Handler below if you are using a php handler
# Example GoDaddy PHP 5.2.x php handler is shown commented out below
#AddHandler x-httpd-php5 .php

You have set directory password protection on your wp-admin folder. The .htaccess code that your web host automatically wrote to your .htaccess file in your wp-admin folder has been overwritten when you activated BulletProof Mode for your wp-admin folder. Within the wp-admin .htaccess file you will see code examples – one of them is adding directory protection for your wp-admin folder – uncomment that .htaccess code. CAUTION!!! ONLY uncomment this code if you have set up directory protection for your wp-admin folder in your web host control panel first.

Folder permissions are not set to 755 for your WordPress folders. In BPS File and Folder permissions checking there are recommendations to set your folder and file permissions to more strict permissions – CAUTION!!! If your particular host does not allow this then these recommendations will not work for your site and could cause 403 Forbidden Errors or worse. Check with your Web Host first to see if they allow more restrictive File and Folder Permissions.

You have invalid .htaccess code in your root .htaccess file or there is a typo somewhere or the root .htaccess file is corrupted – create a new Master .htaccess file using the AutoMagic buttons and Activate BulletProof Modes again.

Another situation that is not related to BPS where you will see a 403 Forbidden error when trying to view a page on your website is if your website has already been hacked and the hackers have added an .htaccess file or have added other coding in their Shell script that forbids anyone from viewing the Shell script except for the hackers.  If you see an unusual 403 Forbidden error on your website then you should scan you website for malware.  The Sucuri website has a free malware scanner that you can scan your website with here >>> http://sitecheck.sucuri.net/scanner/


Tags: ,

Categories: Wordpress Tips - Tricks - Fixes

2 Comments to “BulletProof Security 403 Forbidden Errors – Troubleshooting BPS 403 Forbidden Errors”


  1. This was precisely the answers I’d been searching for. Amazing blog. Incredibly inspirational! Your posts are so helpful and detailed. The links you feature are also very useful too. Thanks a lot 🙂

  2. Spot on with this write-up, I really think this website wants far more consideration. I’ll probably be again to learn way more, thanks for that info.


Skip to toolbar