403 Forbidden Error Message

WS Form uses the WordPress REST API for saving changes made to your forms, as well as other functions such as form submissions. This is the same API that is used by the WordPress admin and many other popular plugins.

If you get a 403 Forbidden error when editing or using a form, it means that you do not have permission to perform that API request. This is often due to a security misconfiguration on your server.

Here are some things you can check:

Use X-HTTP-Method-Override for API Requests

Some web servers do not allow common RESTful request methods such as PUT and DELETE. To force WS Form to not use these methods:

  1. Click on ‘Settings’ in the WS Form menu (in the main WordPress admin menu).
  2. Click on the ‘Advanced’ tab.
  3. Under ‘API’, enable the ‘Use X-HTTP-Method-Override for API Requests’ setting.
  4. Click ‘Save Changes’.

mod_security

Check if you have mod_security running on your server. mod_security is an open-source web application firewall supported by different web servers. LiteSpeed web server, for example, has mod_security enabled by default.

WS Form has been tested with the following mod_security rulesets:

An incorrectly configured mod_security application can cause WS Form and other popular plugins to not work correctly.

403 Forbidden errors can be caused by mod_security mistaking API requests made by WS Form for potential threats. In fact, even saving posts or pages containing certain words can trigger mod_security to block that request.

If you experience this, we recommend discussing the issue with your hosting provider and asking them to reconfigure mod_security so that it does not misinterpret these requests as threats. Whitelisting your own IP is one option.

Another option is to whitelist requests made by WS Form. All of our API requests contain the following base path:

/wp-json/ws-form/v1/
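One way to scope such an exception to that base path while leaving mod_security active for the rest of the site, as an added example that is not WS Form's own configuration. It assumes ModSecurity 2.x on Apache and is placed in the virtual host or main server configuration; the rule id 1000001 is constructed, and RULE_ID_FROM_AUDIT_LOG is a placeholder for the id of the rule your audit log shows blocking the request.

```apache
# Added example: assumes ModSecurity 2.x (module name security2_module).
# These directives normally belong in the virtual host or server config,
# because 2.x does not usually accept them in .htaccess.
<IfModule security2_module>

    # Option A (narrowest): keep blocking enabled everywhere, but skip the
    # one rule that produced the false positive, and only for requests
    # under the WS Form REST API base path.
    # - id:1000001 is a constructed id for this local exclusion rule.
    # - RULE_ID_FROM_AUDIT_LOG is a placeholder; replace it with the rule
    #   id reported in the ModSecurity audit log for the 403 response.
    SecRule REQUEST_URI "@beginsWith /wp-json/ws-form/v1/" \
        "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById=RULE_ID_FROM_AUDIT_LOG"

    # Option B (broader): for that path only, evaluate and log rules
    # without blocking. The rest of the site stays in blocking mode.
    # Use either Option A or Option B, not both.
    <LocationMatch "^/wp-json/ws-form/v1/">
        SecRuleEngine DetectionOnly
    </LocationMatch>

</IfModule>
```

Option A keeps every other rule enforced on WS Form requests; Option B still records matches in the audit log, so false positives on that path remain visible for later tuning.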

If reconfiguration is not an option, you also have the option of disabling mod_security by adding the following code to your .htaccess file. Do so at your own risk. This syntax may vary depending on the web server that your hosting provider uses.

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

More information on Stack Overflow.

Firewalls

A misconfigured firewall can also cause WordPress API calls to fail and result in a 403 error. Check with your firewall software provider to confirm it is correctly configured.

For further assistance, please contact your hosting provider.