403 Forbidden Error Message

WS Form uses the WordPress REST API for saving changes made to your forms, as well as other functions such as form submissions. This is the same API that is used by the WordPress admin and many other popular plugins.

If you get a 403 Forbidden error when editing or using a form, it means that you do not have permission to perform that API request. This is often due to a security or page caching misconfiguration on your server.

Here are some things you can check:

Page Caching Misconfiguration

If you have page caching enabled and it is incorrectly configured it might cause form editing or submissions to fail. Systems that cache web pages such as Cloudflare, Cloudfront and also WordPress plugins that provide page caching can cause this error to occur if they are not configured correctly.

The reason for this may be a WordPress feature called a ‘NONCE‘ (Number used ONCE). A nonce is a unique code that is sent to your web server whenever your form talks to WordPress in the background. Their intended purpose is to ensure that data sent to your website is from a valid source and they helps prevent unauthorized access to your website.

WS Form and other popular plugins use this feature to secure your website.

For reference, the NONCE actions used by WS Form are:

  • wp_rest
  • wsf_post

Nonce values are valid for 12 hours, after which any subsequent use of that value will result in an error.

If the page cache timeout setting is set to a value that is too long, an expired nonce may continue appear in web pages and this will result in this error.

To ensure your WordPress website is able to handle nonce values properly, we recommend that any page caching is set to 10 hours OR LESS. In the majority of cases, a page cache duration of 1 hour or less is sufficient.

Please refer to your caching plugin, CDN or other caching mechanism about checking changing this setting.

For more information about nonces, please visit: https://developer.wordpress.org/plugins/security/nonces/

LiteSpeed

If your hosting is using LiteSpeed, please ensure that ESI (Edge Side Includes) is enabled.

mod_security

Check if you have mod_security running on your server. mod_security is an open-source web-based firewall application supported by different web servers. LiteSpeed web server, for example, has mod_security enabled by default.

WS Form has been tested with the following mod_security rulesets:

An incorrectly configured mod_security application can cause WS Form and other popular plugins to not work correctly.

403 forbidden errors can be caused by mod_security mistaking API requests made by WS Form as potential threats. In fact, even saving posts or pages containing certain words can trigger mod_security to prevent that request.

If you experience this we would recommend discussing this issue with your hosting provider and asking them to reconfigure mod_security such that it is not misinterpreting requests as threats. Whitelisting your own IP is one option.

Another option is to whitelist requests made by WS Form. All of our API requests contain the following base path:

/wp-json/ws-form/v1/

If reconfiguration is not an option, you also have the option of disabling mod_security by adding the following code to your .htaccess file. Do so at your own risk. This syntax may vary depending on the web server that your hosting provider uses.

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

More information on Stack Overflow.

Firewalls

A misconfigured firewall can also cause WordPress API calls to fail and result in a 403 error. Check with your firewall software provider to confirm it is correctly configured.

For further assistance, please contact your hosting provider.