
query : How could I forcibly output the default 403-forbidden error page when is requested?


Posted in: #403Forbidden #Apache #Htaccess #Regex

This is my first question on StackExchange so bear with me, here is a brief breakdown of my current setup:

Two different domains, two different TLDs (.dk and .de) on the same hosting plan
for the sake of privacy, let's assume the domain names are "example website", i.e. and SSL set up on both domains
WordPress-driven, using WPML to serve the translated content accordingly

The problem is, I'm getting a crazy amount of hits (from countries like China, India, and Pakistan) for /not_found at the end of both domain names' URLs, in all possible formats:

secure, along with the www protocol (https://www.example....../not_found)
secure, without the www protocol (https://example....../not_found)
non-secure, along with the www protocol (http://www.example....../not_found)
non-secure, without the www protocol (http://eksemp....../not_found)

To me, this peculiar pattern looks most likely to be nothing more than vulnerability scan attempts, especially taking into account that the content on the sites is written in either Danish or German. Moreover, the websites are addressed to a specific Danish or German target group, thus making it very unlikely for the websites to be worth a visit to the visitors from those Asian countries. Currently, the server's response is the 404-not found page provided by the WordPress theme that we're using, which in my opinion is not ideal because I would rather have them be denied access to that URL, even if it doesn't actually exist.

Long story cut short, I've been struggling over the past couple of days to figure out how to forcibly make the web server output the 403-forbidden page instead of the 404 one since the specified URL does not exist on the server.

I created a regular expression which I aim to use in the .htaccess file as a pattern that covers all the above-mentioned scenarios (4 for each domain name). The part of code that I placed in .htaccess goes as follows

# BEGIN /not_found blocking
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^(https{0,1}://)(www.){0,1}(|{1}(/not_found){1}$
RewriteRule . - [R=403,NC]
# END /not_found blocking

but alas it doesn't work, as I'm still getting the 404-not found error page instead of 403 Access Forbidden. It must be my fault, but what's the reason?

Any help would be greatly appreciated. Thanks a lot!


More posts by @Miguel251





I use this htaccess code to remove certain words from URLs and redirect to the homepage. I modified it for your situation. I haven't tested this version but I think it should work. I'm not sure if something extra needs to be done for the underscore or not.

RewriteEngine On
RewriteBase /
RewriteRule ^(.*)not_found(.*)$ [R=301,L]

You could just create the /not_found page and in PHP set the header status to 403:

header('HTTP/1.0 403 Forbidden');

echo 'You are forbidden!';





RewriteCond %{REQUEST_URI} ^(https{0,1}://)(www.){0,1}(|{1}(/not_found){1}$
RewriteRule . - [R=403,NC]

You would seem to be way overcomplicating things here. The REQUEST_URI server variable contains the URL-path only, ie. /not-found. And this is all you appear to be concerned about. You don't need to check for the domain, www/non-www, HTTP/HTTPS, since you seem to want to match all variations anyway. Unless there are some other subdomains etc. that you don't want to catch? (But in that case, it might be simpler to match the exceptions, rather than the target?)

However, as @closetnoc suggested in comments, I would still return a simple "404 Not Found" for these requests - since that is what they are. By "simple", I mean the default Apache 404, so you fail early, rather than passing the request through WordPress, which is what is currently happening. So, all you need is something like the following before the WordPress front-controller:

# BLOCK /not_found
RewriteRule ^not_found$ - [R=404]

No need for the <IfModule> wrapper, RewriteEngine directive (since that is already included in the WP block), or RewriteCond directive. When you specify a status code other than 3xx then you don't need the L (last) flag either (it is implied).

You might want to include the NC (nocase) flag, if you are getting requests for /NoT_FounD and/or /NOT_FOUND etc., but otherwise this should be omitted.

Note that in .htaccess, the URL-path matched with the RewriteRule pattern, does not include the slash prefix. So, the pattern ^not_found$ matches just the URL /not_found.

As an academic exercise, if you did want to return a "403 Forbidden" instead of a 404, then you would change the above directive to read:

RewriteRule ^not_found$ - [F]

Again, no need for the L flag when using the F flag. Alternatively, you can write R=403 instead, but F is the preferred shortcut.

10% popularity Vote Up Vote Down
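
A small Python model of the matching described in the answer above, added here as an illustration (it is not code from the thread and it is not Apache itself): it shows what `%{REQUEST_URI}` and a `.htaccess` `RewriteRule` pattern are actually compared against for each request variant, and why a pattern describing the full URL never matches. The domain `example.com`, the `FULL_URL` pattern and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed requests: the four scheme/host variants from the question, with
# example.com standing in for the elided domains, plus two edge cases.
REQUESTS = [
    "https://www.example.com/not_found",
    "https://example.com/not_found",
    "http://www.example.com/not_found",
    "http://example.com/not_found",
    "https://example.com/not_found/extra",  # different path, must pass through
    "https://example.com/NOT_FOUND",        # matched only with the NC flag
]

# Constructed stand-in for the question's idea: a pattern describing the full URL.
FULL_URL = re.compile(r"^(https?://)(www\.)?(example\.com)(/not_found)$")
RULE = re.compile(r"^not_found$")                    # RewriteRule ^not_found$ - [F]
RULE_NC = re.compile(r"^not_found$", re.IGNORECASE)  # same rule with [F,NC]


def request_uri(url):
    """Model of %{REQUEST_URI}: the URL-path only, no scheme or host."""
    return urlsplit(url).path


def rule_input(url):
    """Model of what a RewriteRule pattern in the document-root .htaccess is
    matched against: the URL-path without its slash prefix."""
    path = request_uri(url)
    return path[1:] if path.startswith("/") else path


def cond_matches(url, pattern=FULL_URL):
    """Would a RewriteCond on %{REQUEST_URI} with this pattern succeed?"""
    return pattern.search(request_uri(url)) is not None


def blocked(url, pattern=RULE):
    """Would the RewriteRule pattern match, so that the request is refused?"""
    return pattern.search(rule_input(url)) is not None


if __name__ == "__main__":
    for url in REQUESTS:
        print(f"{url:40} REQUEST_URI={request_uri(url):18} "
              f"cond={cond_matches(url)} rule={blocked(url)} nc={blocked(url, RULE_NC)}")
```
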

