admin-ajax.php 403 Error on Wordpress

Joined
May 21, 2015
Messages
20
Likes
16
Degree
0
Don't know if this is the right place for this question...

I'm trying to update the settings on my theme but I'm getting a 403 error on the admin-ajax.php path so I get an infinite spinning loading bar.

I tried researching this issue and it appears to be a problem with caching but even when I deactivate the WP Super Cache plugin and clear browser cache and reload it doesn't fix the issue. Could this be a problem with my host? Or maybe Cloudflare? I tried purging the cache from on there too and have a page rule to ignore wp-admin but it's the same thing.
 
My first inclination is that you have something restricting what IP addresses can use the site or backend. Is this the case?

I wrapped up work and am chilling so I Google'd this issue in general.

I know you disabled the cache, but with Cloudflare and a local cache I'd not rule out that there's still an issue related to caching. I saw some info saying that if you have your cache set to not expire for too long, like every 2 or 3 days versus 10 hours then you can get problems with this.

It's related to the Nonce (number used once) system in Wordpress. The nonce lifetime seems to be 12 hours. Caching set equal to or beyond 12 hours could be related. You could drop that to 10 hours or so to make sure you're not caching for too long.

I wouldn't think any caching would be hitting the backend but who knows. Worth a shot.

I'm seeing that WordFence's firewall can throw a false positive on admin-ajax.php. Are you using WordFence?

Someone mentioned mod_security too as a potential cause but gave no explanation.

Another thing to question: Did this start all by itself or after you made some change?
 
1. Not restricting any IP addresses (as far as I know).

2. Not using WordFence.

3. This started by itself. I pretty much never tinker with the theme or plugins because I already have everything optimized. Last time I changed settings was Nov 2018. I updated the theme to a newer version in Dec but haven't played with anything to see if it was a problem back then.

I'm going to try disabling Cloudflare completely and point the nameservers to my host.

I will report back if that fixes it.
 
Okay I finally managed to solve the issue! Hope this helps anyone with the same problem in the future.

Decreasing cache time and moving off Cloudflare didn't do anything. After asking my host, they recommended I log into Cpanel and disable Modsecurity (as Ryuzaki actually mentioned in his post). Not sure why that worked but it did.

As a follow up question... Should I leave Modsecurity disabled? Does that compromise site security?
 
Mod_security is basically a big bunch of regex rules Apache checks incoming request payloads against. It's not uncommon to get false positives. Depending on how configurable your host is, you should be able to keep it on but disable the specific rule that's causing issues.
 
Back