Custom Theme produces 403 Error
-
OK, I have a WordPress site theme I made a few years back (actually it was for the first WordPress site I built). Used Underscores as the basis and customised to suit. Loaded theme no problems and site has been running happily. So far so good…
The business was re-sold late last year. This month the new owner comes to me with a list of changes, including THEME CHANGES (not all of which I agreed with but hey, he’s the client!)
So I thought, rather than butcher my existing theme, I’d make a copy and switch over to that theme. Easy, right? I made a copy, made the necessary edits and tested the theme in my local environment. No issues. Zip them and upload to my live site. Here we go…
Except I can’t use my new theme in the LIVE site because of a 403 Error.
If I switch server security off (ModSecurity) the theme loads and works. But if security is on (which is obviously preferable) it don’t.
I’ve generated the following log file, which I’m struggling to decipher. Anybody out there who can assist with translation?
ModSecurity: Access denied with code 403 (phase 4).
Match of “rx (?:\\b(?:gif|(?:cws|f(?:lv|ws)|i(?:d3|hdr|nterplay)|m(?:ovi|thd)|r(?:ar\\!|iff)|varg|(?:ex|jf)if)\\b)|B(?:%pdf|\\.ra)\\b)” against “RESPONSE_BODY” required. [file “/etc/httpd/conf/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf”] [line “20”] [id “214630”] [rev “1”]
[msg “COMODO WAF: PHP source code leakage||mywebsite.co.nz|F|3”] [data “Matched Data: <? found within RESPONSE_BODY:
<!doctype html>\x0a<html dir=\x22ltr\x22 lang=\x22en-NZ\x22 prefix=\x22og: https://ogp.me/ns#\x22>\x0a<head>\x0a\x09<meta charset=\x22UTF-8\x22>\x0a\x09<meta name=\x22viewport\x22 content=\x22width=device-width, initial-scale=1\x22>\x0a\x09<link rel=\x22profile\x22 href=\x22https://gmpg.org/xfn/11\x22>\x0a\x0a\x09<title>My Website \xe2\x80\x93 My Website Tagline</title>\x0a\x0a\x09\x09
<!– All in One SEO 4.9.3 – aioseo.com –>\x0a\x09<meta name=\x22desc…”] [severity “ERROR”] [tag “CWAF”] [tag “FilterPHP”] [hostname “mywebsite.co.nz”] [uri “/index.php”] [unique_id “aZOy8uLUci-43wTYa01coQAAAVU”], referer: https://mywebsite.co.nz/wp-admin/customize.php?theme=mywebsite2026&return=https%3A%2F%2Fmywebsite.co.nz%2Fwp-admin%2Fthemes.php
-
This isn’t really a theme failure, it’s a ModSecurity false positive.
The log shows rule 214630 – “PHP source code leakage”. That rule is triggered because the firewall detects <? in the HTML response. When ModSecurity thinks raw PHP code is being output to the browser, it blocks the request with a 403.
Since the theme works when ModSecurity is disabled, the issue is most likely inside the theme files. Check if any template is using short PHP tags like <? instead of <?php. Also make sure the PHP files are saved as UTF-8 without BOM and that there’s no stray output before or after PHP tags, especially in header.php, functions.php, or index.php.
If everything looks correct, ask the host to temporarily disable ModSecurity rule 214630 for the domain to confirm it’s just a false positive. This is a common issue with custom themes and strict WAF rules.
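
One way to run the checks suggested in the answer above over a whole theme directory, as an added example (not code from the thread or from any poster): it flags short open tags, a UTF-8 BOM and whitespace after a final `?>`. The function names and the sample theme files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

BOM = b"\xef\xbb\xbf"
# "<?" not followed by "php", "=" (short echo) or "xml": a short open tag.
# With short_open_tag off, PHP sends it to the browser as literal text.
SHORT_TAG = re.compile(rb"<\?(?!php\b|=|xml\b)", re.IGNORECASE)

def scan_file(path):
    """Return (line, issue) findings for one PHP file. Heuristic, not a parser."""
    data = path.read_bytes()
    findings = []
    if data.startswith(BOM):
        findings.append((1, "UTF-8 BOM before first tag"))
    for m in SHORT_TAG.finditer(data):
        findings.append((data.count(b"\n", 0, m.start()) + 1, "short open tag '<?'"))
    end = data.rfind(b"?>")
    if end != -1:
        tail = data[end + 2:]
        # PHP swallows one newline after "?>"; extra whitespace is output.
        if tail and not tail.strip() and tail not in (b"\n", b"\r\n"):
            findings.append((data.count(b"\n", 0, end) + 1, "whitespace after final '?>'"))
    return findings

def scan_theme(root):
    """Scan every *.php file under root; return (relative path, line, issue)."""
    root = Path(root)
    results = []
    for path in sorted(root.rglob("*.php")):
        for line, issue in scan_file(path):
            results.append((path.relative_to(root).as_posix(), line, issue))
    return results

def build_sample_theme(root):
    """Write a constructed three-file theme (not the poster's files) into root."""
    root = Path(root)
    (root / "header.php").write_bytes(
        b"<!doctype html>\n<title><? bloginfo('name'); ?></title>\n")
    (root / "functions.php").write_bytes(
        BOM + b"<?php\nadd_theme_support('title-tag');\n?>\n\n")
    (root / "index.php").write_bytes(
        b"<?php get_header(); ?>\n<h1><?= esc_html('ok') ?></h1>\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, line, issue in scan_theme(build_sample_theme(tmp)):
            print(f"{rel}:{line}: {issue}")
```

To check a real theme, call `scan_theme()` with the path to the unzipped theme folder; a hit inside a PHP string literal is a possible false positive and needs a manual look.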
-
We can’t help as that site isn’t running on the wordpress.com platform nor can we help with third party themes.
Modsecurity is blocking access and I don’t think your hosting provider will allow you access.
-
Thanks for your clear explanation mukeshoadcom, I’ve made an exception to this error for now, and will review my theme code!