Magento admin blocked by the web application firewall (403 or vague error)
A 403 error or silent failure when saving in Magento admin is often caused by the web application firewall blocking a legitimate request.
If saving a product, CMS page or other admin change fails with a 403 error or a vague message, the web application firewall has most likely blocked the request before it reached Magento.
How to recognise the symptom
The failure shows up in one of these ways:
- A 403 Forbidden page appears when you save.
- A generic message such as "An error has occurred" appears, with no useful detail.
- The page reloads but your changes have not been saved.
The key giveaway is that nothing appears in Magento's own logs (var/log/system.log or var/log/exception.log). Because the firewall blocked the request before it ever reached Magento, Magento has nothing to report.
Why it happens
All our servers run a web application firewall (ModSecurity, managed by Imunify360) that inspects every incoming request and blocks anything that resembles an attack. This protects your store around the clock, but very occasionally a legitimate Magento admin action can look suspicious enough to trigger a rule.
Common triggers include:
- Saving a CMS page or block that contains raw HTML, JavaScript or an iframe.
- Product descriptions with embedded HTML or third-party widgets.
- Email template or layout XML edits.
- Importing a CSV file that contains HTML in its fields.
The request is not actually malicious, but from the firewall's point of view a block of script being posted to a website is suspicious, so it errs on the side of caution.
What to do
Contact our support team rather than trying to work around it yourself. When you get in touch, please include:
- The date and time the block happened, as precisely as you can.
- What you were doing - for example, "saving a CMS page called Delivery Information".
- The IP address you were working from. You can find this by searching "what is my IP" in your browser.
With those details we can find the exact rule that triggered in the firewall logs and whitelist that specific rule for that specific part of your site. This is a safe, routine adjustment - the rest of the firewall's protection stays fully in place, and the rule itself remains active everywhere else.
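The lookup described above, sketched as an added example (it is not from the original article and is not the host's own tooling). It assumes ModSecurity 2.x-style Apache error-log lines; the log lines, IP addresses, rule ids, hostname and the function name `find_blocks` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the assumed ModSecurity 2.x / Apache error-log
# style. Rule ids, IPs and hostname are placeholders, not real Imunify360 values.
SAMPLE_LOG = """\
[Tue Mar 05 14:02:11.120000 2024] [:error] [pid 811] [client 203.0.113.7:51234] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "<script" at ARGS:content. [id "1000001"] [msg "Constructed XSS rule"] [hostname "shop.example"] [uri "/admin/cms/page/save/"]
[Tue Mar 05 14:02:40.000000 2024] [:error] [pid 811] [client 198.51.100.9:40022] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:q. [id "1000002"] [msg "Constructed SQLi rule"] [hostname "shop.example"] [uri "/catalogsearch/result/"]
[Tue Mar 05 09:15:00.000000 2024] [:error] [pid 640] [client 203.0.113.7:50001] ModSecurity: Warning. Pattern match at ARGS:name. [id "1000003"] [msg "Constructed anomaly rule"] [hostname "shop.example"] [uri "/admin/catalog/product/save/"]
"""

TS_RE = re.compile(r'^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # [id "..."], [msg "..."], [uri "..."]


def find_blocks(log_text, client_ip, reported_at, window_minutes=5, uri_prefix=""):
    """Return the blocked requests matching the reported IP, time and admin action.

    reported_at must already be converted to the server's local time.
    """
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        ts, client = TS_RE.match(line), CLIENT_RE.search(line)
        if not ts or not client or "Access denied" not in line:
            continue  # unparseable line, or a log-only warning that blocked nothing
        when = datetime.strptime(" ".join(ts.groups()), "%a %b %d %H:%M:%S %Y")
        ip = client.group(1)
        if ip.count(":") == 1:  # IPv4 "address:port" -> drop the port
            ip = ip.split(":")[0]
        fields = dict(FIELD_RE.findall(line))
        if ip != client_ip or abs(when - reported_at) > window:
            continue
        if not fields.get("uri", "").startswith(uri_prefix):
            continue
        hits.append({"time": when, "rule_id": fields.get("id"),
                     "msg": fields.get("msg"), "uri": fields.get("uri")})
    return hits


if __name__ == "__main__":
    # "Saving a CMS page around 14:00 from 203.0.113.7"
    for hit in find_blocks(SAMPLE_LOG, "203.0.113.7",
                           datetime(2024, 3, 5, 14, 0), uri_prefix="/admin/"):
        print(hit["time"], hit["rule_id"], hit["uri"], hit["msg"])
```

The rule id and URI it returns are the pair a targeted exclusion is scoped to, which is why the rule keeps running everywhere else.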
What not to do
Do not strip the HTML from your content as a workaround, and do not ask us to disable the firewall for your account. Targeted whitelisting solves the problem permanently without weakening your store's protection.
It is also worth knowing that this is not a Magento bug. Upgrading Magento, reinstalling a module or clearing caches will not change anything. If the same action fails repeatedly with no trace in Magento's logs, the firewall is the most likely cause and we can help you confirm it quickly.