Resolving Common Conflicts: When Solid Security Blocks PDFs, Images, and AJAX
Solid Security (formerly iThemes Security) is a powerful plugin for hardening your WordPress site. However, its robust security features can sometimes be a bit too effective, inadvertently blocking legitimate functionality like PDF generation, image display, and AJAX form processing. This guide will help you understand why these conflicts happen and walk you through the most common solutions to get everything working smoothly again.
Why Does This Happen?
Solid Security protects your site by implementing a series of rules, often written into your .htaccess file. These rules are designed to block common attack vectors, such as:
- Malicious Query Strings: Blocking URLs that contain suspicious patterns often used in attacks.
- PHP Execution: Preventing PHP files from running in directories where they shouldn't, like /wp-content/uploads/.
- Banned User Agents: Blocking requests that have an empty or malicious User Agent string.
- Direct File Access: Restricting access to sensitive files.
The problem arises when legitimate processes, like a PDF library generating an image or an AJAX call from a form, exhibit behavior that mimics these threats, triggering a 403 Forbidden error.
Common Solutions to Try
Based on community reports and solutions, here are the most effective troubleshooting steps. Always test after each change to identify the specific culprit.
1. Disable the Default Ban List
This is one of the most common fixes for issues with PDFs and images not loading. The default ban list includes a rule that blocks requests with an empty user agent. Some PDF generation libraries and other plugins make internal server requests that lack a user agent, causing them to be blocked.
How to do it: Navigate to Security > Settings > Configure > Lockouts. Find the "Default Ban List" setting and disable it.
2. Adjust System Tweaks (PHP Execution)
Solid Security can disable PHP execution in certain directories for security. If a plugin or theme needs to run a legitimate PHP script from within a directory like /wp-content/ or /wp-content/plugins/, this will block it.
How to do it: Go to Security > Settings > Advanced > System Tweaks. Try disabling the following options one at a time:
- Disable PHP in Plugins
- Disable PHP in Themes
- Disable PHP in Uploads
3. Disable Suspicious URL Filtering
If your issue is specifically with accessing files (like PDFs) via a URL that contains a query string, this feature might be the cause.
How to do it: Navigate to Security > Settings > Advanced > WordPress Tweaks. Look for the setting "Filter Suspicious Query Strings in the URL" and disable it.
4. Check WordPress Tweaks and API Access
Some AJAX and REST API functionality can be impacted by these settings.
How to do it: In Security > Settings > Advanced > WordPress Tweaks > API Access, ensure that "XML-RPC" is enabled and "Default Access" is selected for the REST API.
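To decide which of the four settings above to test first, the 403 entries in the web server's access log can be sorted by the trigger each one matches. The following is an added example, not code from Solid Security: it assumes combined log format and WordPress installed at the web root, the sample log lines are constructed, and the matching rules are heuristics taken from this guide rather than the plugin's actual rules.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
PHP_DIRS = ("/wp-content/uploads/", "/wp-content/plugins/", "/wp-content/themes/")

# Labels name the setting from this guide to test; they are not plugin identifiers.
BAN_LIST = "1. Default Ban List (empty user agent)"
PHP_EXEC = "2. System Tweaks (Disable PHP in Plugins/Themes/Uploads)"
QUERY = "3. Filter Suspicious Query Strings in the URL"
API = "4. API Access (XML-RPC / REST API)"
OTHER = "unclassified (run the full conflict check)"

def classify(line):
    """Return candidate settings for one log line, or None if it is not a 403."""
    m = LINE_RE.match(line)
    if not m or m["status"] != "403":
        return None
    path, _, query = m["target"].partition("?")
    causes = []
    if m["ua"] in ("", "-"):  # a missing User-Agent header is logged as "-"
        causes.append(BAN_LIST)
    if path.endswith(".php") and path.startswith(PHP_DIRS):
        causes.append(PHP_EXEC)
    if query:  # heuristic: any query string makes step 3 worth testing
        causes.append(QUERY)
    if path.startswith("/wp-json/") or path == "/xmlrpc.php":
        causes.append(API)
    return causes or [OTHER]

def summarize(lines):
    """Count how many 403 responses point at each candidate setting."""
    return Counter(c for line in lines for c in classify(line) or [])

# Constructed sample entries (documentation IP range, hypothetical plugin path).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2025:10:00:01 +0000] "GET /wp-content/uploads/2025/03/logo.png HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.10 - - [10/Mar/2025:10:00:02 +0000] "GET /wp-content/plugins/example-pdf/render.php?id=7 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Mar/2025:10:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Mar/2025:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Mar/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "https://example.test/contact/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for cause, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{count:3d}  {cause}")
```

A 403 that matches more than one label is counted under each, so test those settings one at a time as described above.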
Advanced Troubleshooting: The Plugin Conflict Check
If the steps above don't resolve your issue, the next step is to perform a full conflict check to isolate the problem.
- Deactivate all Solid Security features: Go to Security > Settings. Use the "Disable All Features" button. If the problem goes away, you know a Solid Security feature is the cause. You can then re-enable features one by one to find the specific one.
- Check for plugin/theme conflicts: Temporarily switch to a default WordPress theme (like Twenty Twenty-Four) and disable all other plugins except Solid Security. If the issue is resolved, re-enable your plugins one by one to identify which one is conflicting.
Important Note
It's important to remember that while disabling a security feature can resolve a conflict, it may also slightly reduce your site's protection. The Solid Security team designs these features for maximum security, so only disable what is necessary to restore functionality. Always ensure your other security measures are strong.
By methodically working through these common solutions, you can find the right balance between robust security and full website functionality.
Related Support Threads
- Blankshield Javascript file “remove unused Javascript” (https://wordpress.org/support/topic/blankshield-javascript-file-remove-unused-javascript/)
- Block download video (https://wordpress.org/support/topic/block-download-video/)
- iThemes gives 403 on PDFs for non logged in users (https://wordpress.org/support/topic/ithemes-gives-403-on-pdfs-for-non-logged-in-users/)
- Breaking images on PDF (https://wordpress.org/support/topic/breaking-images-on-pdf/)
- iThemes Blocking User Profile Image (https://wordpress.org/support/topic/ithemes-blocking-user-profile-image/)
- Can I deactivate iThemes on certain pages? (https://wordpress.org/support/topic/can-i-deactivate-ithemes-on-certain-pages/)
- Blocking PDF Sample (https://wordpress.org/support/topic/blocking-pdf-sample/)
- Conflict with GermanMarket Plugin (https://wordpress.org/support/topic/conflict-with-germanmarket-plugin/)
- Uploads being blocked (https://wordpress.org/support/topic/uploads-being-blocked/)
- AJAX form not working with iThemes (https://wordpress.org/support/topic/ajax-form-not-working-with-ithemes/)
- I can´t show pdf archives if ithemes is enable in my website (https://wordpress.org/support/topic/i-cant-show-pdf-archives-if-ithemes-is-enable-in-my-website/)
- Disabling File Editing (https://wordpress.org/support/topic/disabling-file-editing/)
- JavaScript Conflict caused by iThemes (https://wordpress.org/support/topic/javascript-conflict-caused-by-ithemes/)
- Ithemes blockes or hides Images after Upload (https://wordpress.org/support/topic/ithemes-blockes-or-hides-images-after-upload/)
- Writing to File (https://wordpress.org/support/topic/writing-to-file/)
- Conflict with AAWP Plugin (https://wordpress.org/support/topic/conflict-with-aawp-plugin-2/)
- iThemes is blocking admin-ajax.php in German (https://wordpress.org/support/topic/ithemes-is-blocking-admin-ajax-php-in-german/)
- Is IThemes Security blocking access to PHP files? (https://wordpress.org/support/topic/is-ithemes-security-blocking-access-to-php-files/)
- Conflict with Modal Survey plugin (https://wordpress.org/support/topic/conflict-with-modal-survey-plugin/)
- Access Control Allow Origin & CDN (https://wordpress.org/support/topic/access-control-allow-origin-cdn/)
- iThemes Security was blocking access to admin-ajax.php file (https://wordpress.org/support/topic/wp-security-was-blocking-access-to-admin-ajax-php-file/)
- SVG FILES with I THEME SECURITY can’t load (https://wordpress.org/support/topic/svg-files-with-i-theme-security-cant-load/)
- Exceptions for “Disable PHP in Themes” (https://wordpress.org/support/topic/exceptions-for-disable-php-in-themes/)
- Disables other plugin functionality (https://wordpress.org/support/topic/disables-other-plugin-functionality/)