403 Forbidden
A 403 Forbidden error means the server understood your request but refuses to serve the page. Unlike a 500 error, the site is working — the server is deliberately denying access. Here are the common reasons and how to fix each one.
File & Directory Permissions
If a file or folder has the wrong permissions, the server cannot read it and returns a 403. The safe standard values are:
- Files —
644 - Directories —
755
- Open File Manager in cPanel.
- Right-click the affected file or folder and choose Change Permissions.
- Set files to
644and directories to755.
600 on a public file) cause a 403. Do not overcorrect to 777 — that is a security risk and is not the right fix.
Missing Index File or Directory Listing Disabled
When you visit a folder with no index.html or index.php, the server tries to list its contents. Directory listing is disabled by default for security, so you get a 403 instead.
- Make sure your home page is named
index.htmlorindex.phpand sits in the correct folder (usuallypublic_html). - If you intentionally want a folder to list its files, that is generally not recommended, but you can enable it with an
.htaccessdirective. Leave it off for anything sensitive.
Directory Privacy (Password Protection)
If you enabled Directory Privacy on a folder, visitors are prompted for a username and password. A misconfigured or forgotten password protection can present as a 403.
- In cPanel, open Directory Privacy.
- Browse to the folder in question and check whether protection is enabled.
- Disable it if it was left on by mistake, or reset the user's password.
See Directory Privacy for the full setup and removal steps.
An IP, Firewall, or ModSecurity Block
The server firewall or the ModSecurity web application firewall may be blocking a specific IP address or request that looks abusive. This is common if you triggered a security rule — for example by submitting a form with content that looks like an attack, or after too many failed logins.
- Try loading the site from a different network or mobile data. If it works, your IP is likely blocked.
- A ModSecurity block usually mentions the rule in your error log at Metrics > Errors.
- If you believe the block is a false positive, open a support ticket with your IP address and the time of the block so we can review it.
For a deeper explanation of what triggers these blocks and how to clear them, see Firewall Blocks.
Hotlink Protection
Hotlink protection stops other websites from embedding your images directly. If it is misconfigured, it can also block your own pages or legitimate requests, showing a 403 where an image should be.
- In cPanel, open Hotlink Protection.
- Confirm your own domain (with and without
www) is in the allowed list. - Add any CDN or subdomain hostnames that need to load your assets.
See Hotlink Protection to configure the allow list correctly.
Still Seeing a 403?
If none of the above resolves it, note the exact URL that fails and check Metrics > Errors for the matching log line. Then open a support ticket with those details and your current IP address, and we will investigate.