Support » Fixing WordPress » 403 page not working

  • I’m trying to create a friendly 403 error page in case a visitor comes across a page that is a, well, 403. Like /wp-includes.

    I would have thought that it works like 404.php, but it doesn’t. I still get the ugly plain vanilla 403 message from Apache. So I added this to the htaccess file:

    ErrorDocument 403 /index.php?error=403
    (as per this documentation)

    Now when I go to /wp-includes, I get the (themed) 404 page, instead of the 403.

    All I did was add that line to the htaccess and created a 403.php file in my theme.

    What else should I do to get this working?

Viewing 11 replies - 1 through 11 (of 11 total)
  • Add the following to .htaccess file
    ErrorDocument 403

    WordPress is only set up to handle 404 errors through index.php?error=404. It won’t know what to do with index.php?error=403 or any other given error code.

    To use that rule you have to specify the complete path to a custom file you want shown. So, if you make an html/php file for this error you can then point to it with that rule. For example, if you make a 403.html file and place it in the root of your site, you can use this to have it shown when a 403 occurs:

    ErrorDocument 403 /403.html

    Actually I want it to show my normal layout, so I’m not going to make a static 403.html. But when I point ErrorDocument directoly to the 403.php, I get this error:

    Warning: main(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Paris' for '2.0/DST' instead in D:\Inetpub\wwwroot\Home\wp-content\themes\thany\403.php on line 1 Fatal error: Call to undefined function get_header() in D:\Inetpub\wwwroot\Home\wp-content\themes\thany\403.php on line 1

    It’s understandable that it gives an error, because WordPress is supposed to handle template files. So the question remains how to solve this.

    A static html-page is not done. A free-standing php is also not going to work since I need WP-functionality in my 403.

    You can specify a url as well:

    ErrorDocument 403

    You can set it to the url of page you make in WordPress. If you need to seriously customize that page, you could make a template for it.

    You mean a page as in a Page? 🙂

    That would help, especially if it were possible to assign a template to that Page other than page.php?

    But in any case, don’t we have to put a proper 403 template in WP just like there’s a 404 template? After all, WP does include regions where a 403 is thrown by default, so I think it’s a disspointing that 404 is handled by WP and 403 is not. Hoping for this in the next version.

    Or maybe it would be possible to implement proper 403-templates in a plugin of some sort, without it breaking in an upgrade?

    Yup, a WordPress page. Any valid URL really.

    Yes, you can create and assign a custom template to that page. The link I added in my previous post wasn’t exactly the best page to go over custom templates. This one’s better:

    WordPress handles 404’s because it has to. Generally, all front-end traffic goes through WordPress’ index.php, leaving WordPress itself to determine if the requested page/post/whatever exists. The server can’t properly handle 404’s since the requested URL’s don’t actually exist as files. All the other error codes, on the other hand, can (and should) be handled by the server.

    When you hit a 404, all that is really happening is WordPress is redirecting to the theme’s 404 template. If you use ErrorDocument with the URL of a page using a custom template, it’s essentially the same thing (except being triggered by the server instead of WordPress) with a different template.

    That’s what I needed to hear. I’ll look into it tonight. Thanks 🙂

    I still prefer a more elegant solution, though, but this’ll work until then 🙂

    Well, I played around with it, but it doesn’t seem to be working still…

    I created a page and assigned it a slug “403-access-denied”

    In the .htaccess I put this line:
    ErrorDocument 403 /403-access-denied

    And I get the 404 template, not the 403 Page.

    The 403 Page is accessible via /403-access-denied perfectly well. So, Big Bagel, while your explanation is thorough, it might not be completely correct… That, or I’m still missing something.

    Any help plz?

    If you use a local URL (/403-access-denied) I believe it does an internal redirect, which keeps the URL as rather than the proper WordPress, not having the page, throws up a 404. Using a full URL to force an external redirect should work; just tested it. 🙂

    ErrorDocument 403

    You should also make sure to add the proper 403 header to the custom template you use for that page. If you don’t, the final page will actually return a “302 Found” instead of the proper “403 Forbidden”. Something like this at the very top of the template (before any <!DOCTYPE> tag) should do it:

    header( "HTTP/1.1 403 Forbidden" );
    header ( "Status: 403 Forbidden" );

    It almost works 🙂

    My 403 Page is being served upon requestion forbidden content. As expected. But two things are still a bit sour, iyam:
    1) the url in address bar is replaced by the redirection url, so all context for the 403 is lost. It looks as if the 403 Page is forbidden all by itself.
    2) I can’t easily move this over to my production environment, which is (obviosuly) on another domain.

    On a sidenote: your remark about the 302 Found is not correct, it seems. If I omit the 403 headers, it returns a 200 OK instead of a 302.

    I don’t think you can keep the URL from changing while using a WordPress page. At least, everything I could think of to get the original URL in any way failed miserably when I tested it. If maintaining the URL is extremely important, you might have to live with a custom html/php file that’s not connected to WordPress. Or you could try loading WordPress in that custom php file. Since the purpose of hiding things behind a 403 is to keep them out of sight, I would think maintaining the URL isn’t needed in most cases. For a tiny bit of context, you could put some kind of message on your custom 403 page like:

    Whoa there buddy. You’re not allowed there. The server, in it’s infinite graciousness, has redirected you to this page instead of kicking you in the butt. If you think this is an error…blahblahblah.

    As for the second problem, couldn’t you edit the .htaccess file before uploading it to your production site? If you want to use a URL that’s not domain specific you could use something like:

    ErrorDocument 403 /index.php?p=72

    Where “72” would be the page ID of your custom page. It’s still specific to a single WordPress install though.

    The initial request is responded to with a 302 which redirects the browser to your new page. The new page then sends a 200. You can check the initial response by using something like:

    It is true though, that it’s the final response (200 in this case) that really matters.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘403 page not working’ is closed to new replies.