Fix 403 Forbidden Error in cPanel¶

Access denied troubleshooting

A 403 Forbidden means the server understood your request but refuses to serve the content. On cPanel, it’s usually caused by permissions or access rules.

This guide walks you through the fastest safe fixes.

Step 1: Identify where the 403 happens¶

Test these:

https://yourdomain.com/ (homepage)
https://yourdomain.com/wp-admin/ (WordPress admin)
A static file like https://yourdomain.com/favicon.ico

If only one path is affected, it’s likely a rule in .htaccess or a directory permission issue.

Step 2: Check permissions (most common)¶

Safe defaults: - Folders: 755 - Files: 644

In cPanel → File Manager: 1. Navigate to your site root (usually public_html/). 2. Right-click the folder → Change Permissions. 3. Apply recursively: - Directories to 755 - Files to 644

Warning

Avoid 777. It’s not a “fix”, it’s a vulnerability.

Step 3: Confirm an index file exists¶

If a directory has no index file, many servers return 403.

In public_html/, make sure you have one of: - index.php (WordPress, PHP sites) - index.html (static sites)

If your site is in a subfolder (example: /public_html/site/), the index must be inside that folder.

Step 4: Review .htaccess rules¶

A restrictive rule can block access instantly.

Quick test¶

In File Manager, rename .htaccess to .htaccess.bak.
Reload the page.

If the 403 disappears, the rule is inside .htaccess.

Common culprits: - deny from all - IP allowlists that don’t include your IP - misplaced WordPress rewrite rules

If WordPress, restore a default .htaccess and re-test.

Step 5: Check for cPanel security blocks (IP / hotlink / protection)¶

Hotlink Protection¶

If your images or assets are blocked: 1. cPanel → Security → Hotlink Protection 2. Temporarily disable and test

Directory Privacy (Password-protected folders)¶

If a folder is password protected: 1. cPanel → Files → Directory Privacy 2. Check whether the folder is locked unintentionally

IP Blocker¶

If your IP is blocked: 1. cPanel → Security → IP Blocker 2. Remove the rule or ask GOZEN HOST to confirm your IP is not blocked upstream

Step 6: WordPress-specific checks¶

Plugin security rules (Wordfence, iThemes, etc)¶

Security plugins can block admin access with a 403.

Fast test: 1. Rename wp-content/plugins → plugins.off 2. Re-test /wp-admin/

If it works, enable plugins one-by-one.

WAF/CDN rules¶

If you use Cloudflare or another WAF: - Check security events and firewall rules - Temporarily relax the rule and re-test

When to escalate to GOZEN HOST Support¶

Open a ticket if: - Permissions and .htaccess checks didn’t fix it - The 403 started immediately after a migration - You suspect a server-level security policy (WAF) is blocking you

Include: - The exact URL returning 403 - Your public IP - What changed just before it started

Summary¶

Most 403 errors come from permissions, missing index files, or .htaccess access rules. Fix in this order: permissions → index file → .htaccess → cPanel security settings → WordPress plugin/WAF.