403 Forbidden Error Message

WS Form uses the WordPress REST API for saving and submitting forms. This is the same API that is used by the WordPress admin, blog commenting and many other popular plugins. It is the preferred choice for providing a secure method of posting data to a WordPress website.

If you get a 403 Forbidden error when editing or using a form, it means that you do not have permission to perform that API request. This may be due to a security issue or, more commonly, a page caching misconfiguration on your server.

Here are some things you can check:

Page Caching Misconfiguration

If you have page caching enabled and it is incorrectly configured it might cause form editing or submissions to fail. Systems that cache web pages such as Cloudflare, Cloudfront and also WordPress plugins that provide page caching can cause this error to occur if they are not configured correctly.

One possible reason for this may be a WordPress feature called a ‘NONCE‘ (Number used ONCE). A NONCE is a unique code that is sent to your web server whenever your form talks to WordPress in the background. Their intended purpose is to ensure that data sent to your website is from a valid source and they helps prevent unauthorized access to your website.

If the NONCE is cached for too long, it becomes stale and WordPress will issue a 403 error when a form is submitted. This is not a WS Form error. The error comes from WordPress when it receives the POST request from your form. Many modern plugins and WordPress features use NONCEs to protect websites.

Nonce values are valid for 12 hours, after which any subsequent use of that value will result in an error.

If the page cache timeout setting is set to a value that is too long, an expired NONCE may continue appear in web pages and this will result in this error when a form is saved or submitted.

To ensure your WordPress website is able to handle NONCE values properly, we recommend that any pages containing a form are cached for 10 hours OR LESS. In the majority of cases, a page cache duration of 1 hour or less is sufficient.

Please refer to your caching plugin, CDN or other caching mechanism about checking changing this setting. Ensure that both server-side and browser caching is correctly configured.

For reference, the NONCE actions used by WS Form are:

  • wp_rest
  • wsf_post

For more information about nonces, please visit: https://developer.wordpress.org/plugins/security/nonces/

LiteSpeed

If your hosting is using LiteSpeed, please ensure that ESI (Edge Side Includes) is enabled.

mod_security

Check if you have mod_security running on your server. mod_security is an open-source web-based firewall application supported by different web servers. LiteSpeed web server, for example, has mod_security enabled by default.

WS Form has been tested with the following mod_security rulesets:

An incorrectly configured mod_security application can cause WS Form and other popular plugins to not work correctly.

403 forbidden errors can be caused by mod_security mistaking API requests made by WS Form as potential threats. In fact, even saving posts or pages containing certain words can trigger mod_security to prevent that request.

If you experience this we would recommend discussing this issue with your hosting provider and asking them to reconfigure mod_security such that it is not misinterpreting requests as threats. Whitelisting your own IP is one option.

Another option is to whitelist requests made by WS Form. All of our API requests contain the following base path:

/wp-json/ws-form/v1/

If reconfiguration is not an option, you also have the option of disabling mod_security by adding the following code to your .htaccess file. Do so at your own risk. This syntax may vary depending on the web server that your hosting provider uses.

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

More information on Stack Overflow.

Firewalls

A misconfigured firewall can also cause WordPress API calls to fail and result in a 403 error. Check with your firewall software provider to confirm it is correctly configured.

For further assistance, please contact your hosting or cache provider.