Redirected to InfinityFree 403 Forbidden page

While working on your website, you may be redirected to the InfinityFree 403 error page. This article explains why this can happen, and what you can do to solve it.

The website directory is missing (or is in the wrong location)

Before checking your website, you should double check the directory on your account that your domain name is linked to.

By default, when you create a website with a certain domain name, that domain name will be linked to the folder named htdocs. Any additional domains added after that will be assigned their own directory. If you were to add the domain example.com to your account, it would be linked to a directory named example.com/htdocs.

Please note that if you delete the original domain name from your account and add it again, it will be handled as if it was an additional domain name. So removing and re-adding the domain may link the domain to a different directory!

You can view the directory that your domain is linked to by logging in to the client area, and go to Accounts → select your account → Domains.

If the directory of your domain name is missing or empty, then you will see a 403 Forbidden error. So please make sure that your website is uploaded to the right directory.

The directory does not contain an index file

If you try to request a URL without a file name in the URL (e.g. http://example.com/ or http://example.com/blog/), the server will look for a so-called index file.

An index file is a file with the name index.php, index.html, index.htm or index2.html in the folder you’re trying to access. By default, the server will look for files in that order. Regarding index files, please note the following:

• The server will look only for files in the specific directory being requested, not in subdirectories.
• Our servers are cAsE sEnSiTiVe, so calling the file Index.php or index.HTML will not work.

If no index file is found, you will be redirected to a 403 Forbidden page.

There are a few different ways to fix this:

• Upload an index file to the right location (recommended).
• You can create a file with the name .htaccess in the directory and add the line Options +Indexes. This will cause the server to show a list of files and directories instead.
• You can create a file with the name .htaccess in the directory and add the line DirectoryIndex yourFile.html index.php index.html index.htm, where yourFile.html is the name of the file that should be loaded.

The URL contains a blocked file or folder name

The “chat” keyword

Live chat scripts are not allowed on InfinityFree hosting. Chat scripts work by constantly refreshing the page in the background. These background refreshes generates excessive server load, which is why we cannot host them. You are free to use live chat on your website though, but you will have to use an externally hosted chat system to handle the messages.

To enforce this, the chat keyword is blocked on our servers. If you try to access any URL with chat in it, you’ll get a 403 Forbidden page. For example, http://example.com/chat.php, http://example.com/livechat/index.php will all result in a 403 error.

To fix this, you can rename the file or folder to anything else (like talk, message, conversation or whatever else you want).

Please do note that live chat scripts are banned completely, and being able to work around this block doesn’t mean it’s OK to host a live chat script with us.

The includes folder

For security reasons, all files in a folder includes are blocked. This includes URLs like http://example.com/includes/function.php or http://example.com/includes/pages/product.php.

The idea behind this is that includes means that the folder contains scripts meant to be loaded into other scripts with PHP include (or require). Scripts like that are generally not meant to be accessed directly.

The fix for this is simple: do not use the folder name includes for anything that’s supposed to be accessed by browser. Instead, put such pages in a folder pages, functions, actions or a folder with any other name.

Your site blocks access from your IP address

With .htaccess rules, it’s possible to selectively block or allow visitors based on their IP address. But using these rules, it’s also possible to lock yourself out of your site.

To do so, open a file manager or FTP connection to your site, go to the website folder and open the file .htaccess.

If there are lines starting with deny from or allow from in the file, it means IP access control is configured on your site.

If you do not want to do any IP level restriction, you can simply remove all these lines from your file.

If there is a line allow from all, you should look for any lines with deny from .... that contain your IP address.

If there is a line deny from all, then you should add a line with allow from .... that contains your IP address.

I should ask to clarify, and I hope that other people have this question as well to prevent my question from being self-centered:

Why do you block folders containing the words include/require? Is this for the safety regarding people who do not understand this principle well (the principle of include/require), preventing them from accidentally harming their website?

Or is there another reason behind blocking these folders that might otherwise cause problems to people or their website (or Infinityfree)?

Good question, but one I omitted for a reason.

The reason is that I didn’t block these URLs, but iFastNet did. And I don’t know for sure when or why they did this.

My guess, based on my experience with iFastNet and how they approach things, is that there was a security problem in some popular script or CMS which placed some shared code in the includes folder, which had security problems if these scripts were accessed directly. Like exposing sensitive data, or be used for spam. And to prevent this from being abused, the decision was made to block access to the files and folders that enabled these attacks.

But I didn’t include it in the article because it’s completely unverified.

You may also want to add that errors folder is also prohibited.

The “errors” folder does not lead to a 403 error though, so it does not belong in this article.

A post was split to a new topic: Verifying website on Yandex and Firefox leads to error 403

I just noticed that the block on files within the ‘includes’ folder is not working, or at least not how I expected it to work.

The includes folder
For security reasons, all files in a folder includes are blocked

I have a folder named includes in the htdocs folder. If I try to accesss the folder itself by typing devnotes.rf.gd/includes the server responds with a 403 forbidden message which is what I expected, however, if I type devnotes.rf.gd/includes/footer.php the browser renders:

page footer © Fishbite

FYI, the content of the footer.php file is simply:

    <footer><p>page footer &copy; Fishbite <?= $year ?></p></footer>
</body>
</html>

I expected to see the a 403 forbidden message again when I tried to access this footer.php file directly, or am I misunderstanding something?

That is intentional. “includes” is a reserved system name.

I don’t think that is what they meant. Fishbite understands that accessing inside of the “includes” directory directly through the browser leads to a 403 Forbidden error (or at least should):

However, they see

Instead of a 403 Forbidden. And oddly enough, I see it too:

image1366×685 12.5 KB

image1365×689 12 KB

Interesting finding indeed! Directly accessing devnotes.rf.gd/includes is expected if the directory doesn’t have an index file, which I assume it doesn’t have. But accessing any files in that directory used to not work.

It’s entirely possible that this was changed somehow. Maybe because the filters broke, maybe because they were no longer deemed relevant, or maybe because they have been tightened to only block specific paths within the includes folder to prevent issues to legitimate use cases.

Time will tell if we’ll ever get any support requests where this might play up.

And for people who were relying on the includes folder blocking direct access to their files, you can still replicate the old behavior by going to the includes directory, create a new file with the name .htaccess, and put the line Require all denied in it.