Guides

HTTP 403 Forbidden: What It Means & How to Fix It

On this page
  1. What does 403 Forbidden mean?
  2. What causes a 403 error?
  3. How to fix a 403 error
  4. If you’re a visitor
  5. If you own the site
  6. Does a 403 hurt SEO?
  7. The bottom line

HTTP 403 Forbidden means the server understood your request perfectly well — and is refusing to let you have it. Unlike a 404 (the page isn’t there) or a 401 (you need to log in), a 403 says “this exists, but you’re not allowed.” It’s a deliberate refusal, and fixing it is about finding what rule is doing the refusing. Here’s what causes a 403 and how to fix each case.

What does 403 Forbidden mean?

A 403 is a client-side (4xx) status meaning access is denied. The server received and understood the request but won’t fulfill it, and — unlike a 401 Unauthorized — logging in usually won’t help, because the refusal isn’t about authentication. Something is explicitly blocking access to that resource.

The quick way to place it:

  • 401 Unauthorized → “you need valid credentials” (log in).
  • 403 Forbidden → “even with credentials, you’re not permitted here.”
  • 404 Not Found → “there’s nothing here at all.”

What causes a 403 error?

The usual culprits, whether you’re a visitor or the site owner:

  • File or folder permissions. The server’s file permissions don’t allow reading the resource (on Linux, wrong chmod values are the classic cause).
  • A missing index file. A directory with no index.html/index.php and directory listing disabled returns 403.
  • .htaccess or server rules. A Require all denied, an IP block, a hotlink-protection rule, or a bad rewrite can forbid access.
  • IP or geo blocking. A firewall, security plugin, or CDN (like Cloudflare) is blocking your IP, country, or user-agent.
  • A WAF / bot rule. Security rules that mistake a request for an attack — a common cause of 403s for scrapers, bots, and sometimes legitimate crawlers.
  • Expired or hotlink-protected assets. Signed URLs that expired, or images configured to block off-site embedding.

How to fix a 403 error

If you’re a visitor

  1. Refresh and re-check the URL — a typo or a link to a restricted path is common.
  2. Clear cookies/cache or try incognito — a stale session can trigger it.
  3. Try a different network or disable a VPN — the block may be on your IP or region.
  4. If it persists, the block is the site’s to fix — contact them.

If you own the site

  1. Check file permissions. Files typically 644, directories 755. A resource set to 000 or otherwise unreadable will 403.
  2. Confirm an index file exists (or that directory listing is intentionally on/off).
  3. Inspect .htaccess / server config for deny/Require all denied rules, bad rewrites, or hotlink protection blocking legitimate requests.
  4. Review your security plugin, firewall and CDN for IP, country, or user-agent blocks — especially if only some visitors or bots get 403s.
  5. Check the logs. Your server (and CDN) logs will usually name the exact rule or module that returned the 403 — the fastest route to the cause.

Does a 403 hurt SEO?

It can, if you’re serving 403s to Googlebot. If Google’s crawler is blocked from pages you want indexed — often by an over-eager security rule or firewall that flags the crawler as a bot — those pages can’t be crawled or ranked, and can drop out of the index. It’s worth checking your logs and CDN for crawlers getting 403s; the same issue affects AI crawlers, which I cover in how to block (or allow) AI crawlers. Accidentally blocking bots you want is a recurring theme in technical SEO in the AI era.

The bottom line

A 403 is a refusal, not a missing page — the resource is there, but a rule is blocking access. Track down the rule: permissions, a missing index file, an .htaccess/firewall directive, or an IP/bot block. Your logs almost always name the culprit. Fix that rule and the 403 clears.

If clear technical answers are useful, I send them occasionally — subscribe below, and grab the free GEO Starter Checklist.

Frequently asked questions

What does HTTP 403 Forbidden mean?

It means the server understood your request but refuses to authorize it — the resource exists, but a rule denies access. Unlike a 401 (which asks you to log in), logging in usually will not help a 403, because the refusal is not about authentication.

How do I fix a 403 Forbidden error on my site?

Check file permissions (files 644, directories 755), make sure an index file exists, and inspect your .htaccess or server config for deny rules, bad rewrites, or hotlink protection. Then review your security plugin, firewall and CDN for IP, country or user-agent blocks. Your server logs usually name the exact rule.

What is the difference between 401 and 403?

401 Unauthorized means you need valid credentials — logging in can fix it. 403 Forbidden means access is denied even with credentials; a rule is blocking the resource regardless of who you are. And 404 means the resource does not exist at all.

Can a 403 error affect my Google rankings?

Yes, if Googlebot is the one getting the 403. If a security rule or firewall blocks the crawler from pages you want indexed, Google cannot crawl them and they can drop from the index. Check your logs and CDN for crawlers receiving 403s.

Published Last updated

← All posts

navigate openesc close