How to Fix 403 Forbidden and 500 Internal Server Errors in cPanel

by

Few things are more frustrating than opening your website only to see a blank page with “403 Forbidden” or “500 Internal Server Error.” These errors can stop your business cold — visitors can’t reach you, emails may fail, and if you’re running an ecommerce site, every minute of downtime costs revenue. The good news is that most 403 and 500 errors in cPanel are fixable without needing to contact your hosting provider.

In this guide, we’ll walk through the most common causes of 403 Forbidden and 500 Internal Server errors on cPanel-based hosting, and show you exactly how to diagnose and resolve each one. Whether you’re a site owner or a sysadmin, these troubleshooting steps will get your site back online quickly.

What These Error Codes Actually Mean

Before diving into fixes, it helps to understand what each error is telling you:

  • 403 Forbidden — The server understood your request but refuses to authorize it. This typically means a permissions issue, a security rule blocking access, or an IP-based restriction.
  • 500 Internal Server Error — A generic server-side error. The server encountered an unexpected condition that prevented it from fulfilling the request. Unlike a 403, a 500 can have dozens of possible root causes, from a corrupt .htaccess file to a PHP memory limit being exceeded.

cPanel provides several tools to help you track down the source of both errors — you just need to know where to look.

Diagnosing the Cause Using cPanel Tools

1. Check the Error Log in cPanel

The quickest way to diagnose a 500 error is by checking the cPanel error log directly:

  1. Log into your cPanel dashboard.
  2. Scroll down to the Metrics section and click Errors or Error Log (on some themes, it’s under “Logs”).
  3. Review the most recent entries. Each entry includes a timestamp, error type, file path, and error description.
  4. Look for lines containing PHP Fatal error, mod_security, or permission denied — these are your most actionable clues.

For 403 errors, also check Raw Access Logs under the Metrics section, which records the HTTP status code returned for every request.

2. Enable Detailed Error Display (Temporarily)

If the error log isn’t helpful, you can configure PHP to display errors directly on the page. Only do this on a staging or development site — never on a live production site, as it can expose sensitive information to visitors.

  1. In cPanel, go to Select PHP Version under the Software section.
  2. Click the Switch to PHP Options tab.
  3. Toggle display_errors to On and set error_reporting to E_ALL.
  4. Visit the page that was throwing the error. The exact error message, file, and line number will now be displayed in the browser.
  5. Once you’ve identified and fixed the issue, revert these settings immediately.

How to Fix 403 Forbidden Errors in cPanel

Fix File and Directory Permissions

Incorrect file permissions are the most common cause of 403 errors in cPanel. Files must be readable by the web server, and directories must be executable. The correct permission scheme is:

  • Directories: 755 (rwxr-xr-x)
  • Files: 644 (rw-r–r–)
  • Configuration files (wp-config.php, .env): 600 or 640

Fix Permissions Using cPanel File Manager

  1. Open File Manager from your cPanel dashboard.
  2. Navigate to your site’s document root (usually public_html).
  3. Select all files and folders by pressing Ctrl+A (Windows) or Cmd+A (Mac).
  4. Click Permissions at the top of the toolbar.
  5. Set numeric value to 755 for directories. You can also use the checkboxes: Owner (Read, Write, Execute), Group (Read, Execute), World (Read, Execute).
  6. Click Change Permissions. Repeat the process for individual files with 644.

Check for an Invalid .htaccess File

A corrupted or misconfigured .htaccess file is another frequent cause of 403 errors. To test this:

  1. In File Manager, locate the .htaccess file in your site’s document root. If you don’t see it, click Settings at the top right and enable Show Hidden Files (dotfiles).
  2. Rename it to .htaccess_backup to disable it temporarily.
  3. Try accessing your site again. If the 403 error goes away, your .htaccess file was the culprit.
  4. If you’re using WordPress, you can generate a fresh default .htaccess by going to Settings → Permalinks in your WordPress admin and clicking Save Changes.

Review ModSecurity Rules

cPanel often includes ModSecurity (a web application firewall), and overly aggressive rules can produce false positive 403 errors. To check:

  1. In cPanel, go to Security → ModSecurity.
  2. If ModSecurity is enabled, try Disable it temporarily and retest your site.
  3. If disabling it resolves the error, re-enable it and contact your hosting provider to whitelist the specific rule that was triggered (you can find the rule ID in the error log).

How to Fix 500 Internal Server Errors in cPanel

1. Rename or Remove the .htaccess File

As with 403 errors, a corrupt .htaccess is often the simplest explanation for a 500 error. Follow the same steps above: rename .htaccess to .htaccess_backup and check if the error clears. This single step resolves roughly 30–40% of all 500 errors encountered on shared hosting environments.

2. Increase the PHP Memory Limit

PHP scripts that exceed the allocated memory limit will trigger a 500 error. This is especially common with WordPress sites running memory-intensive plugins, large page builders, or ecommerce platforms like WooCommerce.

  1. In cPanel, open Select PHP Version under the Software section.
  2. Click the Switch to PHP Options tab.
  3. Find memory_limit and increase it. A typical starting value is 256M; for larger sites, 512M may be needed.
  4. Click Apply and retest your site.

3. Check for Plugin or Theme Conflicts (WordPress)

If you’re running WordPress, a faulty plugin or theme is one of the most common triggers for 500 errors. To rule this out:

  1. Rename the wp-content/plugins folder to wp-content/plugins_disabled via File Manager. This deactivates all plugins at once.
  2. If the error disappears, rename it back, then re-enable plugins one by one until the error returns — that identifies the culprit.
  3. Temporarily switch to a default WordPress theme (like Twenty Twenty-Four) by renaming your active theme’s folder in wp-content/themes. If the 500 error clears, your theme is the problem.

4. Check for Corrupted .htaccess Rewrite Rules

WordPress and many CMS platforms use mod_rewrite rules in .htaccess to generate clean URLs. If these rules become corrupted — often after moving a site, restoring from backup, or updating a plugin that modifies rewrite rules — a 500 error can result. The fix is the same as above: rename the .htaccess, navigate to WordPress Settings → Permalinks, and click Save Changes to regenerate a clean set of rewrite rules.

5. Verify Your Script’s Shebang Line (Perl/Python)

If you’re running custom scripts or CGI applications, a missing or incorrect shebang (#!/usr/bin/perl) line will produce a 500 error. Ensure the first line of your script points to the correct interpreter path — you can find the correct paths in cPanel under Software → CGI Center.

Key Takeaways

  • Start with the error logs. cPanel’s Error Log and Raw Access Logs give you the fastest path to the root cause for both 403 and 500 errors.
  • .htaccess is the #1 suspect. Rename it to test — this resolves a large percentage of both 403 and 500 errors instantly.
  • File permissions matter. Use 755 for directories and 644 for files. Never set anything above 755 on shared hosting.
  • ModSecurity can cause false 403s. Temporarily disable it to test, then work with your host to whitelist the specific rule.
  • For WordPress 500 errors, plugins and themes are the most common culprit. Disable all plugins at once by renaming the plugins folder, then re-enable one by one.
  • Keep detailed records. When you fix an error, note the cause and solution. If it recurs, you’ll have your fix ready instantly — and your hosting provider’s support team will thank you for the head start.