
Resolving 403 Errors and Blocked Access Caused by All-In-One Security (AIOS)

Many users of the All-In-One Security (AIOS) plugin report encountering 403 Forbidden errors or find that legitimate services like Googlebot, uptime monitors, or third-party login systems are unexpectedly blocked. This is a common point of confusion, but it's almost always caused by a specific security rule within the plugin being too strict for a particular site's needs.

This guide will help you understand why this happens and walk you through the most effective troubleshooting steps to resolve the issue while maintaining your site's security.

Why Does AIOS Block Legitimate Traffic?

The AIOS plugin is designed to protect your website by implementing a wide range of security rules that filter out malicious requests. However, some legitimate bots or complex web services can sometimes exhibit behavior that mimics these malicious patterns, triggering a block. The most common culprits are firewall rules that scrutinize query strings, user-agents, and HTTP headers.

How to Identify and Fix the Blocking Issue

The best way to troubleshoot is by methodically testing your AIOS settings. If you use a caching plugin, it is highly recommended to clear your site's cache after each change so that you are testing with the latest configuration.

  1. Confirm AIOS is the Cause
    Temporarily disable the AIOS plugin. If the issue disappears, you can confirm AIOS was the source. Remember to re-enable the plugin immediately after confirming to continue troubleshooting.
  2. Disable Common Offending Rules
    The following rules are frequently responsible for blocking legitimate traffic. Navigate to WP Security > Firewall and try disabling these features one by one, testing after each change:
    • PHP Rules Tab: Uncheck "Deny bad query strings"
    • PHP Rules Tab: Uncheck "Enable advanced character string filter"
    • 6G Blacklist Firewall Rules Tab: Uncheck "Enable legacy 5G firewall protection"
    • 6G Blacklist Firewall Rules Tab: Uncheck "Enable 6G firewall protection"
  3. Check Internet Bot Settings
    Go to WP Security > Firewall > Internet Bots tab. If you are having issues with services like Google Search Console or uptime monitors, try disabling these settings:
    • Uncheck "Block fake Googlebots"
    • Uncheck "Ban POST requests that have a blank user-agent and referer"
  4. Check for Comment Spam Cookies
    If your issue is related to GDPR compliance because of unexpected cookies (e.g., randomly named cookies like '5pi9uly7'), this is caused by the comment spam feature. You can disable it by going to WP Security > Spam Prevention > Comment Spam and unchecking "Detect spambots posting comments".
  5. Whitelist Specific IPs (For Monitoring Services)
    If you need to allow a specific service like UptimeRobot, you may need to allowlist its IP addresses. Find the service's published IP list (e.g., from their support documentation) and add them to the Allow List in WP Security > Firewall > Advanced Settings.
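
To decide which of the settings above to test first, you can group the blocked requests in your web server access log by the traits those rules look at. The script below is an added example, not part of AIOS or of the original guide. It assumes your server writes Combined Log Format, and the trait-to-setting mapping is a triage heuristic, not the plugin's actual matching logic.

```python
import re
from collections import Counter

# Combined Log Format (assumed): ip - user [time] "METHOD path PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Hint labels reuse the setting names from the steps above.
QUERY = "Deny bad query strings"
BLANK_POST = "Ban POST requests that have a blank user-agent and referer"
GOOGLEBOT = "Block fake Googlebots"
OTHER = "no obvious trait; test the remaining rules one by one"

def hints_for(line):
    """Return settings worth testing first for one 403 line, or None if not a parsable 403."""
    m = LINE_RE.match(line.strip())
    if not m or m["status"] != "403":
        return None
    blank = lambda v: v in ("", "-")
    hints = []
    if "?" in m["path"]:
        hints.append(QUERY)
    if m["method"] == "POST" and blank(m["ua"]) and blank(m["referer"]):
        hints.append(BLANK_POST)
    if "googlebot" in m["ua"].lower():
        hints.append(GOOGLEBOT)
    return hints or [OTHER]

def triage(lines):
    """Count how many blocked requests point at each setting."""
    counts = Counter()
    for line in lines:
        counts.update(hints_for(line) or [])
    return counts

# Constructed sample log lines (documentation IP ranges), not taken from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /?s=foo%5Bbar%5D HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:10:00:05 +0000] "POST /wp-json/monitor/ping HTTP/1.1" 403 199 "-" "-"
198.51.100.20 - - [10/Mar/2025:10:05:05 +0000] "POST /wp-json/monitor/ping?probe=1 HTTP/1.1" 403 199 "-" "-"
192.0.2.15 - - [10/Mar/2025:10:06:00 +0000] "GET /sitemap.xml HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [10/Mar/2025:10:07:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:08:00 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for setting, n in triage(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {setting}")
```

A "Block fake Googlebots" hint only means the blocked request claimed a Googlebot user-agent; it does not show whether the request really came from Google.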

When the Issue is Country Blocking

The sample threads indicate that the premium Country Blocking feature can sometimes interfere with site analysis tools, causing errors like "The page did not paint any content" in Lighthouse. It can also block VPN traffic even if the VPN exit node is in an allowed country. If you use this feature and encounter problems, testing by temporarily disabling it is a key diagnostic step. The free version of AIOS does not include country blocking.

Conclusion

Finding the right balance between security and accessibility can require some fine-tuning. By patiently working through the most common settings listed above, you can almost always pinpoint the rule causing the conflict. The goal is to disable only the specific rules that are causing problems for your legitimate traffic, leaving the rest of the plugin's robust security features active to protect your site.
