Joomla 403 Forbidden (Front End or /administrator): How to Fix
Symptoms: 403 Forbidden on the front end or /administrator · 'You don't have permission to access this resource' · Back-end modals (article/menu pickers) throw 403 after upgrading to Joomla 4
Server-level error. A 403 is usually produced by your server, not Joomla, so fixes often involve your host. (This is different from a SEF URL 404.) Researched 2026-06-01.
A 403 Forbidden means the server refused the request. On Joomla sites the usual causes are:
Cause 1 — A ModSecurity (WAF) rule
The most common cause, especially for /administrator. A server firewall rule (ModSecurity) flags a legitimate request and blocks it with a 403. A known case: after upgrading to Joomla 4, back-end modals (the article/menu pickers) can throw 403/404 because ModSecurity blocks the URL pattern.
Fix: on shared hosting you usually can’t edit the rules — ask your host to whitelist the blocked Joomla request or adjust/disable the offending ModSecurity rule. Give them the exact URL that 403s (from your browser’s address bar / network tab).
Cause 2 — File & folder permissions
If files/folders have the wrong permissions, the server denies access.
Fix: files 644, folders 755, configuration.php 444 — never 777. Use
the chmod calculator.
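The permission targets above as a script, added here as an example (not part of the original page). The function names are hypothetical, and the site root you pass in is an assumption about your install.

```shell
#!/bin/sh
# Added example: audit and reset a Joomla root to the modes given above
# (files 644, folders 755, configuration.php 444). Function names are
# hypothetical; pass your own site root as the first argument.

# Print every path whose mode differs from the target values.
audit_joomla_perms() {
    root=${1%/}   # drop a trailing slash so the -path match below works
    [ -f "$root/configuration.php" ] || { echo "not a Joomla root: $root" >&2; return 2; }
    # Directories that are not exactly 755 (catches 777 and too-strict modes)
    find "$root" -type d ! -perm 755 -exec printf 'dir  %s\n' {} \;
    # Regular files that are not exactly 644; configuration.php is checked below
    find "$root" -type f ! -path "$root/configuration.php" ! -perm 644 \
        -exec printf 'file %s\n' {} \;
    # configuration.php should be read-only
    find "$root/configuration.php" ! -perm 444 -exec printf 'conf %s\n' {} \;
}

# Apply the target modes. Only real files and directories are touched;
# find does not follow symlinks by default.
fix_joomla_perms() {
    root=${1%/}
    [ -f "$root/configuration.php" ] || { echo "not a Joomla root: $root" >&2; return 2; }
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/configuration.php" ! -perm 644 \
        -exec chmod 644 {} +
    chmod 444 "$root/configuration.php"
}
```

Run `audit_joomla_perms /path/to/site` first and review the list; `fix_joomla_perms` changes modes only, so a 403 caused by wrong file ownership still needs your host.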
Cause 3 — A bad or missing .htaccess rule
A Deny/Require directive (or a corrupted .htaccess) can 403 the whole site.
Fix: temporarily rename .htaccess to test (as with a 500 error); restore from Joomla’s shipped htaccess.txt if needed.
Cause 4 — Host firewall / IP block
Some hosts block by IP, country or rate. Fix: ask your host whether your IP or a pattern is being blocked.