How to Fix 403 Forbidden & 404 Not Found Errors

A 403 Forbidden error means the server understood your request but refuses to serve it, usually from wrong file permissions, an .htaccess deny rule, a missing index file, or a security block. A 404 Not Found means the server cannot find the page, often from broken permalinks, moved content, or a mistyped URL.

Key takeaways

  • 403 = "you can't have this." Access is blocked. Check folder permissions (755), file permissions (644), .htaccess, and security plugins or firewalls.
  • 404 = "this isn't here." The address points to nothing. Reset permalinks, fix the URL, or add a redirect to the new location.
  • One page or the whole site? A single broken page usually points to content or a URL; a site-wide error usually points to permalinks, .htaccess, or permissions.
  • Back up first. Always save a copy of your files and database before editing .htaccess or changing permissions.
  • Most 403 and 404 errors are your side and fixable in minutes; a few 403s come from the host's security layer.

The problem: "Forbidden" or "Not Found" instead of your page

You clicked a link or typed an address, and instead of your website you see a bare error page. A 403 Forbidden tells you the server received the request and deliberately said no. A 404 Not Found tells you the server looked for the page and came up empty. Both are HTTP status codes, the short numeric replies a web server sends with every response.

This guide is for site owners, WordPress users, and anyone managing their own hosting who wants to know exactly why the error appeared and how to clear it. The good news: both errors are common, and most are fixed in a few minutes once you know which cause you have. If you want the wider picture of what each status code means, our server errors guide covers the full family, including how 403 and 404 differ from a 500 internal server error.

How to tell what's causing it

Before changing anything, run two quick checks. They tell you where to point your effort and stop you from editing files you don't need to touch.

Check 1: one page, or the whole site? Open your homepage and two or three other pages. If only one page fails, the cause is almost always that single page's content, its URL, or a rule aimed at it. If every page fails, the cause is usually site-wide: broken permalinks, a bad .htaccess rule, or a permissions problem across your folders.

Check 2: is it 403 or 404? Read the number on the screen. A 403 is a permission or access problem, so you look at file permissions, deny rules, and security tools. A 404 is a missing-resource problem, so you look at URLs, permalinks, and redirects. Clearing your browser cache and trying an incognito window rules out a stale local copy.

Is it your site or your host? Permissions, .htaccess rules, missing index files, and security plugins are all your side, and you can fix them from your dashboard or file manager. A 403 that appears site-wide from the server's ModSecurity (a firewall that inspects web requests) or from your IP address being blocked is host side. If your own checks come back clean and the error is server-wide, contact your host and ask whether a firewall rule or IP block is involved.

What's actually happening

403 Forbidden: the server refuses to authorize the request

A 403 Forbidden means the request was valid and understood, but the server will not authorize access to that resource. The page or folder exists; you are simply not allowed to see it. Common causes include:

  • Incorrect file or folder permissions. Permissions are the read, write, and run rules attached to every file. If a folder or file is set too tight, the web server can't open it and returns 403.
  • A deny rule in .htaccess. The .htaccess file is a per-folder settings file on Apache servers. A Deny from or Require all denied line, or a corrupted file, can block access.
  • A missing index file. If a folder has no index.php or index.html and directory listing is turned off, the server refuses to show the folder.
  • Your IP address is blocked. A firewall may have added your address to a block list after failed logins or unusual activity.
  • An over-aggressive security plugin. A WordPress security or firewall plugin can flag a legitimate request and refuse it.
  • The host's ModSecurity rules. A server-level firewall can block requests that match its patterns, even when your site is fine.

404 Not Found: the server can't find the resource

A 404 Not Found means the server looked for the requested page or file and could not find it at that address. Nothing is broken about your permissions; the path simply leads nowhere. Common causes include:

  • Broken permalinks. Permalinks are the readable URL structures WordPress builds for your posts and pages. If the rules that map those URLs to content break, requests land on nothing.
  • Deleted or moved content. A post you removed or renamed no longer answers at its old address.
  • A mistyped URL. A single wrong character, or a link with a typo, points at a page that doesn't exist.
  • A missing rewrite rule in .htaccess. The rewrite rules translate pretty URLs into real file requests. If they're gone, pretty URLs return 404.
  • Caching serving an old link. A cache can keep pointing visitors at a URL you already changed or removed.

Your options at a glance

Match the error to the most likely cause before you start. This table shows where to look first for each situation.

What you seeMost likely causeWhere to start
403 on the whole sitePermissions or a bad .htaccess ruleCheck folder/file permissions, then regenerate .htaccess
403 on one folderMissing index file or a deny ruleAdd an index file; inspect .htaccess
403 after logging in a few timesSecurity plugin or IP blockPause the security plugin; ask your host about IP blocks
404 on every page except the homepageBroken permalinksReset permalinks (Settings → Permalinks → Save)
404 on one pageDeleted, moved, or mistyped URLConfirm the URL; restore content or add a redirect

How to fix it, step by step

Fixing a 403 Forbidden error

  1. Back up first. Save a full copy of your files and database before you change anything. Our website backups guide shows how, so a mistake is always reversible.
  2. Check file and folder permissions. In your host's file manager or over SFTP, set folders to 755 and files to 644. These are the safe defaults the web server expects.
  3. Inspect .htaccess for deny rules or corruption. Look for lines such as Deny from all or Require all denied. To rule out a corrupted file, rename it to .htaccess_old so the server regenerates a clean one. In WordPress, open Settings → Permalinks and click Save Changes to rebuild it.
  4. Make sure the folder has a valid index file. Confirm an index.php or index.html exists in the folder that fails. Without one, the server can return 403.
  5. Temporarily deactivate security plugins or firewalls. Pause any security or firewall plugin that might be blocking you, then reload the page. If it clears, that plugin's rules were the cause, and you can adjust them.
  6. Ask your host about ModSecurity or an IP block. If the error is still there and site-wide, contact support and ask whether the server firewall (ModSecurity) or an IP block is refusing your requests.

Fixing a 404 Not Found error

  1. Confirm the URL is correct. Re-read the address for typos, extra characters, or a wrong slug. Type it directly into the browser to rule out a bad link.
  2. Reset permalinks. In WordPress, go to Settings → Permalinks and click Save Changes without changing anything. This rebuilds the URL rules and is the most common fix for site-wide 404s.
  3. Regenerate .htaccess. If resetting permalinks doesn't help, rename .htaccess to .htaccess_old and save permalinks again so a fresh file with the correct rewrite rules is created.
  4. Restore the content or add a redirect. If the page was deleted or moved, either restore it or add a 301 redirect (a permanent forward) from the old URL to the new one so visitors and search engines land in the right place.
  5. Clear caches. Empty your site cache, any caching plugin, and your CDN, then reload. A stale cache can keep serving a link you already fixed.

Common mistakes to avoid

Never set permissions to 777. A 777 permission lets anyone read, write, and run a file, which is a serious security risk and often does not even fix the 403. Stick to 755 for folders and 644 for files.

Two more mistakes cause the most avoidable damage:

  • Deleting content without adding a redirect. When you remove or move a page and leave nothing behind, every old link now returns a 404. That frustrates visitors and hurts your search rankings. Add a 301 redirect to the new location instead.
  • Editing .htaccess without a backup. One wrong line in .htaccess can take the whole site down. Always copy the file first, so you can paste the original back if something breaks.

How to prevent it in future

A little routine keeps both errors rare:

  • Set up redirects whenever URLs change. Any time you rename, move, or delete a page, add a 301 redirect from the old address to the new one. This is the single best habit for avoiding 404s.
  • Keep .htaccess clean. Only add rules you understand, comment what each block does, and keep a known-good copy. A tidy file rarely triggers a 403.
  • Use a 404-monitoring approach. Check your analytics or a broken-link tool regularly to catch dead URLs early, then fix or redirect them before visitors hit them.
  • Back up on a schedule. Regular backups mean any permissions or .htaccess mistake is a quick restore, not a crisis. See the website backups guide to automate it.
  • Review plugin and PHP settings after changes. If access rules or scripts start misbehaving, our PHP settings guide helps you confirm your configuration is sound.

Frequently asked questions

What's the difference between a 403 and a 404 error?

A 403 Forbidden means the page exists but the server refuses to let you access it, usually because of permissions, a deny rule, or a security block. A 404 Not Found means the server looked for the page and it isn't there. In short: 403 is "you can't have this," and 404 is "this isn't here."

Why do I get a 404 on all pages except the homepage?

This classic pattern almost always means broken permalinks. The homepage loads because it doesn't rely on the URL rewrite rules, but every other page does. Go to Settings → Permalinks in WordPress and click Save Changes to rebuild the rules. If that alone doesn't work, regenerate your .htaccess file.

How do permalinks cause 404 errors?

Permalinks are the readable URLs WordPress creates for your content. Behind the scenes, rewrite rules map each pretty URL to the right post or page. If those rules are missing or corrupted, the pretty URLs point at nothing and return a 404. Resaving your permalink settings rewrites the rules and usually fixes it.

Is a 403 error my host blocking me?

Sometimes. Many 403s are your side, from permissions, an .htaccess deny rule, a missing index file, or a security plugin. But a site-wide 403 that survives your own checks can be host side, caused by the server firewall (ModSecurity) or an IP block. If your checks are clean and the whole site is forbidden, ask your host to review their firewall and block lists.

Does a 404 error hurt my SEO?

A few 404s are normal and won't harm your site. The problem is leaving many broken URLs, especially ones that used to rank or that other sites link to. Those lose value and frustrate visitors. Add a 301 redirect from each important old URL to its new location to keep both readers and search engines on track.

I fixed the error but still see it. Why?

Your browser or a caching layer is probably showing an old copy. Clear your browser cache, try an incognito window, and empty any caching plugin and your CDN. Once caches refresh, the corrected page should load normally.

Summary

A 403 Forbidden is an access problem: work through permissions (755 and 644), .htaccess deny rules, a missing index file, and security tools, then ask your host about ModSecurity or an IP block. A 404 Not Found is a missing-page problem: confirm the URL, reset permalinks, regenerate .htaccess, restore or redirect the content, and clear caches. Back up before you edit anything, and set redirects whenever URLs change.

Next step: broaden your troubleshooting with the server errors guide to handle the rest of the HTTP status codes with the same calm, step-by-step approach.

References

  • MDN Web Docs — HTTP response status codes (403 Forbidden, 404 Not Found).
  • WordPress documentation — Using Permalinks and the .htaccess file.
  • Apache HTTP Server documentation — authorization, access control, and mod_rewrite.
Bitrich777 Hosting Team
About the author

The editorial team behind the Bitrich777 Hosting Help Center — practical, tested guides on web hosting, WordPress, servers, DNS, SSL, email, security and migration. Every walkthrough is reproduced on a live host before it is published.

Spotted an error? Tell us