WordPress Website shows 403 error when accessing wp-admin/ajax.php page from front end

Question

I am running a WordPress on an Azure Web app connecting to a MySQL server on a different Windows server. When loading the mentioned page in Chrome, it shows 2 popups 403 & Forbidden. Checking the console throws this error - ecbcc.js:2 POST /wp-admin/admin-ajax.php 403 (Forbidden)

This works fine on FireFox & IE but not on Chrome. Any ideas why?

Answer 1

guys. I tried everything (cleared browser cache, deleted htaccess-broke the site, expanded WP_limit and PHP ini) but still nothing worked.

What worked for me is this - I disabled ModSecurity on my Cpanel for the website affected and this resolved the Elementor server error 403 issue. I would enable it back after I have made all my updates.

I hope there is a more permanent solution.

Regards!

Answer 2

I also faced this issue when using Woocommerce Bookings - I was seeing the following error when trying to make a booking on the front end.

"We weren't able to get that information. Please contact the store owner for help."

Interestingly, I was unable to find anything on Google with that error text, so recording it here for safe keeping - in case anyone else has the same issue!

What was also weird is that I didn't see this error when logged in - only when using the site as a visitor in the incognito browser.

When I discovered that issue, I tried many things, turned off all the plugins, switched themes etc - nothing worked. Then using dev tools I could see an error: "wp-admin/admin-ajax.php 403"

I turned off Cloudflare, then cleared caches and went through the Apache server file system to ensure old caches were purged.

I also removed any custom page rules in CF, just to be sure (I did have a restriction on xmlrpc.php set up in there and that might have been the culprit).

I checked all error logs without luck, then reinstalled software.

I also cleared the browser cache and tried in incognito but had no luck.

I came across this thread and it was helpful.

Finally after deleting htaccess and some "stuck" cookies, it seemed to work. It's a nasty sticky JS bug hard to find!

Answer 3

This error can appear for more than one reason. Except for the accepted answer, if you are using a shared hosting solution as a server then it would be best to contact the support of the service. Also if you use Plesk or Cpanel you can check the server logs to see if there is any false positive rule that from mod_security that catches the error. Then you can find the error that could look something like that:

ModSecurity: Warning. Match of "test file" against "REQUEST_FILENAME" required. [file "/etc/httpd/conf/modsecurity.d/rules/custom/006_i360_4_custom.conf"] [line "264"] [id "77140992"]

You can apply the ID on your firewall exclusion list (if this is provided by your hosting service) and then the server will not block the request anymore.

IMPORTANT: If you are not sure what you are doing, ask your hosting provider for support. Experimenting on live servers/sites is not the best option and I would strongly recommend avoiding it.

Answer 4

I faced the same issue but it took a long time for me to fix it. Because my solution was not caused by common things like cache, .htaccess, files permissions, etc. I apply all the possible solutions as described here. When nothing worked for me, then I talked with my hosting provider and the issue was on their side. Actually, the server has black-listed my IP.

Below is the reply from the support of my hosting provider:

After checking it, it looks like the issue is caused by trigger ModSecurity rules.

ModSecurity is an Apache module that works as a web application firewall. It blocks known exploits and provides protection from a range of attacks against web applications. However, sometimes, mod_security may incorrectly determine that a certain request is malicious, while it is actually legitimate. In such a situation, we can whitelist the triggered mod_security rule on the server, so that you can bypass the block.

In order to properly investigate, we need you to share your IP address with us. You can copy it from here: https://ip.web-hosting.com/

Looking forward to your response.

Answer 5

This is because of your cache. Minified version of JS is causing the issue in chrome browser. Check or purge the cache and check for the permissions applied to cached files as well.