• BDIX
    • BDIX Shared Hosting
    • BDIX Turbo Web Hosting
    • BDIX Reseller Hosting
  • Hosting
    • Singapore Web Hosting
    • WordPress Hosting
    • USA Shared Hosting
    • Business Email Hosting
    • Cheap Shared Hosting
    • Turbo Hosting
  • Reseller Hosting
    • Singapore Reseller Hosting
    • USA Reseller Hosting
  • VPS Hosting
    • Cheap BDIX VPS
    • BDIX Windows VPS
    • Cheap VPS
    • USA Survey RDP
    • USA VPS
    • Singapore VPS
    • Germany VPS
  • Domain
    • Register Domain
    • Transfer Domain
    • Domain Promos
Linkedin Twitter Youtube Facebook
  • support@prenhost.com
  • Hosting Flash Sale: Starting at $0.43/mo for a limited time
  • WhatsApp Support
  • Login
newph-transperent- newph-transperent-
  • BDIX
    • BDIX Shared Hosting
    • BDIX Turbo Web Hosting
    • BDIX Reseller Hosting
  • Hosting
    • Singapore Web Hosting
    • WordPress Hosting
    • USA Shared Hosting
    • Business Email Hosting
    • Cheap Shared Hosting
    • Turbo Hosting
  • Reseller Hosting
    • Singapore Reseller Hosting
    • USA Reseller Hosting
  • VPS Hosting
    • Cheap BDIX VPS
    • BDIX Windows VPS
    • Cheap VPS
    • USA Survey RDP
    • USA VPS
    • Singapore VPS
    • Germany VPS
  • Domain
    • Register Domain
    • Transfer Domain
    • Domain Promos
Client Area
Client Area

How to Fix WordPress wp-admin 403 Forbidden Error on LiteSpeed + cPanel Servers

by sajibe
June 27, 2026
Web Hosting, WordPress

You log into your website, type /wp-admin in the browser, and instead of your WordPress dashboard — you get hit with this:

403 Forbidden
Access to this resource on the server is denied!

Frustrating, right? Especially when your site’s front-end loads perfectly fine, but the admin panel is completely locked out.

This is one of the most common issues we encounter at Prenhost, particularly on servers running WHM + cPanel + LiteSpeed + CSF + Imunify360. In this guide, we’ll walk you through exactly what causes it and how to fix it — fast.


What Does a 403 Forbidden Error Actually Mean?

A 403 error is not a WordPress error. It’s a web server-level refusal — the server received your request but actively decided to deny it. This is different from a 404 (page not found) or a 500 (server crash).

Since it happens at the server layer, WordPress itself never even loads — which is why standard WordPress fixes like deactivating plugins from inside the dashboard won’t work if you’re fully locked out.

The 403 can come from several different layers in a typical cPanel hosting stack:

  • Firewall (CSF)
  • Security suite (Imunify360)
  • Web Application Firewall (ModSecurity)
  • Web server rules (LiteSpeed / Apache)
  • .htaccess file rules
  • File permission errors

Your job is to find which layer is responsible.


Step 1 — Check Your Server Error Logs First

Before touching anything, look at the logs. They’ll usually tell you exactly what’s blocking the request.

Via SSH as root:

grep "are-bd.com" /usr/local/apache/logs/error_log | grep "403" | tail -20
grep "403" /usr/local/lsws/logs/error.log | tail -30

Look for keywords like mod_security, imunify, deny, bot detected, FilesMatch, or OverConnLimit. Each of these points to a different culprit.


Step 2 — Check Imunify360 for Blocked IPs

Imunify360 is often the first thing to check on cPanel servers. It auto-blocks IPs that trigger too many failed login attempts or suspicious behaviour — and it can silently lock you out of wp-admin without any warning.

In WHM:

  1. Go to Imunify360 → Incidents
  2. Search for your current IP address
  3. If found, click Move to White List
  4. Also navigate to Imunify360 → White List and add your IP permanently

Also check Imunify360 → Proactive Defense. If this is set to Kill Mode, it can inject restrictions directly into your WordPress files — including your .htaccess. Change it to Log Only temporarily to test.


Step 3 — Check CSF Firewall

ConfigServer Firewall (CSF) can temporarily or permanently block your IP if it detects repeated login attempts or connection spikes.

Via SSH as root:

csf -g YOUR.IP.ADDRESS

If your IP shows up in any deny chain, whitelist it immediately:

csf -a YOUR.IP.ADDRESS

You can find your current public IP by visiting whatismyip.com.


Step 4 — Disable ModSecurity (to test)

ModSecurity is a Web Application Firewall that sometimes flags legitimate WordPress login and admin requests as threats — especially POST requests to wp-login.php.

In cPanel:

  1. Go to Security → ModSecurity
  2. Toggle it Off for your domain
  3. Wait a few minutes and test wp-admin

If you can now log in, ModSecurity was the culprit. Re-enable it and check the error log for the specific Rule ID that triggered, then whitelist that rule rather than leaving ModSecurity fully disabled.


Step 5 — The Most Common Hidden Cause: wp-admin/.htaccess

This is the fix that resolved a real case we handled at Prenhost — and it’s surprisingly easy to miss.

WordPress creates an .htaccess file in your site root (public_html), but it should never have a restrictive .htaccess inside the wp-admin folder. If one exists with the following code, it will block every PHP file in wp-admin — including the login page itself:

<FilesMatch ".(py|exe|php)$">
  Order allow,deny
  Deny from all
</FilesMatch>

This rule looks like a security measure, but it’s actually denying access to all .php files in wp-admin — which means nobody can access the admin panel at all.

How to Find and Fix It

Check if it exists:

cat /home/USERNAME/public_html/wp-admin/.htaccess

Remove it safely (backup first):

mv /home/USERNAME/public_html/wp-admin/.htaccess /home/USERNAME/public_html/wp-admin/.htaccess.bak

Test your wp-admin immediately after. In most cases, this single fix restores access instantly.

How Did This Code Get There?

This is the question everyone asks. The most common sources are:

  • Imunify360 Proactive Defense (Kill Mode) — injects hardening rules into .htaccess files automatically
  • WordPress security plugins — iThemes Security, All In One WP Security, and Sucuri can add file protection rules that inadvertently block PHP execution
  • Manual security hardening — a developer or admin following a security guide that added this rule without realising it blocks all PHP files
  • Malware — attackers sometimes add Deny from all to lock the real owner out of wp-admin while maintaining their own backdoor access

Step 6 — Check LiteSpeed-Specific Settings

If none of the above resolved the issue, LiteSpeed itself may be the cause.

In LiteSpeed WebAdmin Console (port 7080):

  • Go to Configuration → Server → Security
  • Check Restricted Permission Mask — it should not be higher than 644
  • Check Per-Client Throttle — if Connection Soft/Hard limits are too low, your IP gets flagged as a bot and receives a 403
  • Temporarily disable WordPress Protection under the same section to test

Also check for GeoIP blocking — if your country is in a blocked region, wp-admin requests will be denied at the LiteSpeed level.


Step 7 — Fix File Permissions

Incorrect permissions are another common 403 trigger. WordPress has a standard set of recommended permissions:

TypeCorrect Permission
Files644
Directories755
wp-config.php600

Reset permissions via SSH:

find /home/USERNAME/public_html -type f -exec chmod 644 {} \;
find /home/USERNAME/public_html -type d -exec chmod 755 {} \;
chmod 600 /home/USERNAME/public_html/wp-config.php

Need Help?

If you’re a Prenhost customer and your wp-admin is returning a 403 Forbidden error, open a support ticket and share your domain. Our team can diagnose which layer is blocking you and apply the fix within minutes — including running the bulk scan on your server if you manage multiple WordPress sites.

Tags: WordPress

Recent Posts

  • Fixing the “cannot install both ea-profiles-cpanel” Conflict on CloudLinux 8 / WHM
  • How to Fix WordPress wp-admin 403 Forbidden Error on LiteSpeed + cPanel Servers
  • BDIX Hosting Reseller Bangladesh | Start Your Hosting Business | PrenHost
  • Improving WordPress Security by Blocking XML-RPC on Shared Hosting
  • How to Skip the WHM Initial Setup Wizard When Stuck After upcp

Recent Comments

No comments to show.
Suite 10 Capital House, 61 Amhurst Road, London, E8 1LL, United Kingdom,

Company number 15697833

Payment Method
Company
  • About Us
  • News Feed
  • Affiliate Program
  • Knowledgebase
  • Client Area
  • Get in touch
Hosting
  • Singapore Hosting
  • BDIX Shared Hosting
  • WordPress Hosting
  • Cheap Hosting
  • USA Survey RDP
  • Cheap BDIX VPS
Software Hosting
  • OpenCart Hosting
  • Magento Hosting
  • LiteCart Hosting
  • PrestaShop Hosting
  • Moodle Hosting
  • POS Hosting
Join Our Newsletter

We’ll send you news and offers.

Social Media
Facebook-f Linkedin X-twitter Whatsapp

Copyright © 2018 - 2026 PrenHost. All Rights Reserved

Report Abuse/Spam | Terms of Services | Refund Policy | Privacy Policy | Server Status