How to solve a 403 error when accessing Matomo from the Matomo for WordPress plugin
The Matomo for WordPress plugin installs the entire Matomo analytics platform within your WordPress plugin folder. However, some WordPress security plugins and hosting providers disable direct PHP access in the wp-content/plugins directory which can lead to 403 errors when attempting to use Matomo.
Blocking direct PHP access to the WordPress plugin folder is usually done as a security measure to protect against hidden backdoors. Unfortunately, it also prevents entirely legitimate PHP applications, such as Matomo for WordPress.
If you encounter this error, you need to either allow direct PHP access to the entire folder or to the Matomo directory. The specific method for doing this will depend on how access has been blocked. Therefore, the first thing you will need to do is establish the source of the block.
How to allow direct access to Matomo PHP files
If you are using a WordPress security plugin then you should check its settings page first as this is usually the simplest fix.
Enable Direct PHP Access via plugin settings
iThemes security plugin
iThemes Security (rebranding to Solid Security) is one plugin that may cause this error. You can follow the steps below to enable direct PHP access for Matomo for WordPress.
- Log in to your WordPress dashboard.
- Visit the Settings section within the Security menu.
- Click on the Advanced icon to open the System Tweaks tab.
- Uncheck the Disable PHP in plugins option.
- Click Save to confirm.
Other plugins
There are likely many plugins that offer similar functionality, such as Sucuri for example, and you can generally find an option to enable direct PHP access via their settings page.
Enable direct PHP access via your hosting account
Some hosts also offer a setting to block or unblock direct PHP access on your hosting account.
How to enable PHP access on Cloudways hosting
If you are using Cloudways hosting, then you can enable direct PHP access through your application settings panel.
- Log in to your Cloudways hosting dashboard and select your server. and select your Application.
- Click Application Settings and go to the General tab within the Application Management menu
- Scroll down and Toggle to enable the DIRECT PHP FILES ACCESS setting and click OK to confirm.
Other Hosts
There may be other hosts with similar settings that we are not aware of yet. If you are using another host, you can explore the settings pages of your hosting account to see if there are any options that relate to direct PHP access.
Enable direct PHP access via .htaccess
One popular method of blocking direct access to PHP files on Apache based web servers is through the use of .htaccess files. These are hidden files which can be placed within the directories on your hosting account. They contain URL rules which can set up things like redirects, password protection and also block access, as is the case here.
There are two common places you can check for .htaccess files when it comes to enabling direct access to Matomo for WordPress. Both of these locations will need to be explored via (S)FTP or your web host’s file explorer interface.
Important Note: Whenever editing or removing server configuration files, always make a backup first!
WordPress plugins directory .htaccess files
Visit your /wp-content/plugins/ folder to see if there is a .htaccess file. If you find one and it only contains the following text, you can simply delete it to allow direct access to all PHP files.
<Files *.php>
deny from all
<Files>
Home directory .htaccess files
Alternatively, you can update the .htaccess file in your website’s home folder to include the following code which will block direct execution of PHP files within the WordPress plugins folder, except the Matomo app.
<IfModule mod_expires.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST URI} ^.*wp-content/.*\.php$
RewriteCond %{REQUEST URI} !/matomo/app/
RewriteRule ^(.*)$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
You should be extra careful with .htaccess files in the home directory, as this is where WordPress defines how it manages links for the entire website. You can learn more about WordPress .htaccess files here.