Hide Document Parts:
   Digital Media
QR Code
Output Options:
Print Document
Download PDF

Ultimate Member Plugin 403 Forbidden Error

This post is dedicated to a simple but tricky gotcha in the WordPress plugin Ultimate Member. For those of you who may be unfamiliar with Ultimate Member it is a plugin that adds enhanced user account management abilities to your WordPress site. Put simply the plugin allows you to:

  • Strengthen security on the site by adding Google reCaptcha to key points (Free Extension).
  • Strengthen security by keeping users off the back end and on nice account and profile pages.
  • Make it easier to extend WordPress’s bland user accounts to more detailed and engaging accounts.

The list really could go on and on but suffice it to say that Ultimate Member adds a lot of free functionality to your WordPress site. If you manage a big WordPress site the paid extensions can take your site even further; I’m being serious, this is not a paid post, I really love what Ultimate Member is doing for WordPress.


For Ultimate Member to really work you need to let it create and then use several pages. At the very least you’ll need the Account, User, Login, Logout, and Register pages but you also get a Member directory and Reset Password page as well. You can delete all of these pages as long as you go through the trouble of creating your own and putting in the correct shortcodes; hopefully you copied them from the pre-generated pages if you choose to go the custom route, if not you’ll need to look them up in the plugins documentation.

At this point you should navigate to every one of these pages and insure they load. Assuming they all did you may be tempted to move on to other tasks but do your due diligence at quality assurance and try creating a new account and logging in from another web browser! If your a victim of the gotcha and log out of your admin account now you’ll have to go into your server and rename the Ultimate Member plugin to be able to login again.

The Gotcha

If you received a 403 Forbidden or Access Denied message when you attempt to create a new user or to login to an already existing user account your server is most likely the culprit. Well the solution is simple the diagnosis can be tricky. First you need to change some things:

  1. Insure that your WordPress Membership is set to allow anyone to register. This setting is located under Settings > General > Membership in your dashboard.
  2. Deactivate any other membership or security plugins that could be conflicting with Ultimate Member.

If you made the two changes above and still get the 403 Forbidden or Access Denied your server is the culprit. How do I know that you might ask? Well because I did the hard work (tricky part) for you and scoured Ultimate Members documentation which at the time of this posting did not really tell me anything useful. Eventually though I was able to find this solution posted in response to a user on the support forum:

I think your host is blocking form submissions. Can you contact your host and ask them to disable mod_security and then test to see if registration works or not.

If your not familiar with mod_security it’s an web application firewall that can be used by a variety of servers. In short it’s a software firewall that primarily focuses on monitoring HTTP traffic. Well I prefer to stay out of the debate on whether you should or should not use mod_security I will say for this site I’ve chosen to keep it on.

The Solution

You only have two options with this gotcha:

  1. Disable mod_security totally which can be done for the whole server or by domain. (Not Recommended)
  2. Add exceptions to your mod_security that allow the Login, Register, and Account pages through. Since your WordPress site is different you’ll need to gather the correct URL’s yourself.

If your hosting on a shared server usually option 2 is your only choice. When you contact your host you’ll need to give them the URL’s for the Login, Register, and Account (not profile) pages. Ask them to add the URL’s to mod_security’s white-list.

Comments are currently disabled. Please check back later.