The WordPress login page of one of the sites that I maintain was struck by the dreaded “Forbidden” error message earlier today. I thought it was odd, because I knew I hadn’t changed anything. So after Googling about a bit, I came up with 3 consistent suggestions for what could be the problem.
Folder/file permissions
For WordPress all folders should be set to 755 and all files should be 644. I’m not going to explain how to do this, loads of other sites already have this covered, but please be careful if you’re not sure what you’re doing as this can be a little dangerous. For me, this did not solve the problem.
Plugins
The next suggestion was a dodgy plugin, probably a security one. Well I do like to use WebARX, which is a great security plugin, and does have login protection options, so seemed like a viable candidate. However, disabling all the plugins did not resolve the problem (tip: rename the “plugins” and “mu-plugins” folders via FTP to do this quickly and easily).
.htaccess File
The last popular option was a corrupt .htaccess file. Again, the quickest way to check is to simply rename the file and then try to access the site again, which didn’t make a difference.
So just to be sure, I did all 3 at once! And no, crossing my fingers whilst I hit refresh didn’t help either. Worth a try though, right?
Eventually, after quite a bit of research (and reading about these 3 suggestions several times, ad nauseum) I stumbled across a fourth suggestion.
.htaccess File – part 2
Back to the .htaccess file, but this time to add a specific snippet…
<Files wp-login.php>
Allow from all
</Files>
This is specifically telling the server to allow access to this file from all IP addresses. Of course you could tweak this to only allow from specific IP addresses, but as most of us are on the go these days, accessing from a static IP address instead of whichever hotel/airport/cafe wifi we happen to be connected to at the time, is rather unlikely.
It looks like the host may have denied access to this file because it was getting targeted, but this snippet should keep it accessible. No more “Forbidden” errors.