Resolving 403 Forbidden Errors Caused by Solid Security

26 threads Sep 10, 2025

Encountering a 403 Forbidden error on your WordPress site can be alarming, especially when it seems linked to the Solid Security plugin. This comprehensive guide explains the common causes and provides step-by-step solutions to regain access to your site.

What is a 403 Forbidden Error?

A 403 status code means the server understood the request but refuses to authorize it. When related to Solid Security, this is typically a security feature actively blocking what it perceives as a malicious or suspicious request.

Common Causes and Solutions

1. Locked Out of Your Entire Site (Frontend and WP-Admin)

Symptoms: Every page on your site, including the WordPress login page, displays a Solid Security lockout message.

Immediate Solution: Since you cannot access the admin area, you must disable the plugin via your hosting file manager or SFTP/FTP client.

  1. Connect to your site's file system.
  2. Navigate to the wp-content/plugins directory.
  3. Rename the better-wp-security folder to something like better-wp-security-off.
  4. This will deactivate the plugin and should instantly restore access to your site.
  5. Log in to WordPress, rename the folder back, and reactivate the plugin. The lockout condition often resolves after this reset.

2. Blocked File Downloads or Functionality

Symptoms: Specific actions, like downloading files from a form plugin or connecting external software, return a 403 error.

Solution: This is often caused by the System Tweaks module. Navigate to Security > Settings > Advanced > System Tweaks and disable the following settings, testing after each one:

  • PHP Execution: Disable PHP in Plugins
  • Filter Suspicious Query Strings in the URL
  • Filter Long URL Strings

3. Blocked Admin-Ajax or REST API Requests

Symptoms: Features that rely on AJAX (like page builders) or the REST API fail with 403 errors, often breaking the WordPress admin.

Solution: The Banned Users module's default list can be overly aggressive.

  1. If you can access the settings, go to Security > Settings > Features > Firewall tab > Ban Users.
  2. Disable the Default Ban List setting.
  3. Save changes.

4. Cannot Access Solid Security's Settings Page

Symptoms: You can access the WordPress admin but receive a "Sorry, you are not allowed to access this page" or "The link you followed has expired" error when trying to open the Security settings.

Solution: A confirmed workaround involves editing a plugin file. In the file wp-content/plugins/better-wp-security/core/admin-pages/page-settings.php, find line ~45 and make the following change:

Original Code:
if ( ! empty( $_POST ) && ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) ) {

Change to:
if ( ! empty( $_POST['itsec-nonce'] ) && ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) ) {

This change has been reported to instantly restore access to the settings page. Because it edits a plugin file directly, a plugin update will overwrite it.

Advanced Troubleshooting: Using the wp-config.php File

If you cannot log in to the WordPress backend and renaming the plugin folder is not an option, you can disable Solid Security's modules by adding code to your wp-config.php file.

  1. Access your wp-config.php file via SFTP/FTP or your host's file manager.
  2. Insert the following lines of code above the line that says /* That's all, stop editing! Happy publishing. */.
  3. Ensure you use straight apostrophes ' and not curly quotes ‘’.

define('ITSEC_DISABLE_MODULES', true);
define('ITSEC_DISABLE_TWO_FACTOR', true);

This will disable the plugin's active protection, allowing you to log in and reconfigure your settings. Remove both lines once you have fixed the configuration, otherwise the protection stays off.

Checking Server Logs

For persistent or unclear 403 errors, your server's error logs are the best source of truth. They can confirm if Solid Security is the cause and often provide the specific rule that triggered the block. Contact your hosting provider for assistance in locating and interpreting these logs.
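
As a first pass before contacting your host, the added example below (not code from this guide or from the plugin) counts 403 responses per client IP and maps each to the numbered section above to check first. It assumes an access log in Combined Log Format; the 255-character cut-off, the mapping rules and the sample lines are constructed for illustration, and a 403 can also come from the web server or another plugin.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD uri PROTO" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LONG_URL = 255  # assumed cut-off for a "long" URL; not taken from the plugin

LOCKOUT = "1: possible site-wide lockout"
PHP_IN_PLUGINS = "2: PHP Execution: Disable PHP in Plugins"
LONG = "2: Filter Long URL Strings"
QUERY = "2: Filter Suspicious Query Strings in the URL"
AJAX_REST = "3: admin-ajax / REST API (Default Ban List)"

def classify(uri):
    """Heuristically map a 403'd URI to the guide section to check first."""
    path, _, query = uri.partition("?")
    if path.endswith("/admin-ajax.php") or path.startswith("/wp-json/"):
        return AJAX_REST
    if re.match(r"/wp-content/plugins/.+\.php$", path):
        return PHP_IN_PLUGINS
    if len(uri) > LONG_URL:
        return LONG
    return QUERY if query else LOCKOUT

def triage(lines):
    """Count 403 responses per (client IP, section to check)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and m.group(4) == "403":
            hits[(m.group(1), classify(m.group(3)))] += 1
    return hits

# Constructed sample lines (documentation IPs, made-up plugin path).
_T, _UA = "[10/Sep/2025:10:00:00 +0000]", '"-" "Mozilla/5.0"'
SAMPLE = [f'{ip} - - {_T} "{req} HTTP/1.1" {st} 512 {_UA}' for ip, req, st in [
    ("203.0.113.7", "GET /", 403),
    ("203.0.113.7", "GET /wp-login.php", 403),
    ("198.51.100.4", "POST /wp-admin/admin-ajax.php", 403),
    ("198.51.100.4", "GET /wp-json/wp/v2/posts?per_page=5", 403),
    ("192.0.2.9", "GET /wp-content/plugins/forms/download.php?id=3", 403),
    ("192.0.2.9", "GET /search/" + "a" * 300, 403),
    ("192.0.2.9", "GET /?file=report.pdf", 403),
    ("192.0.2.9", "GET /about/", 200),
]]

if __name__ == "__main__":
    for (ip, section), n in triage(SAMPLE).most_common():
        print(f"{n:3d}  {ip:15s}  {section}")
```

To run it on a real log, pass an open file object to triage() instead of SAMPLE.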

Conclusion

While 403 errors from Solid Security can be disruptive, they are almost always a sign that the plugin's security features are working, sometimes too well. The solutions above, from temporarily disabling the plugin to adjusting specific settings, will help you resolve the conflict while maintaining your site's security. Always make backups before editing plugin files or wp-config.php.
