The Matomo for WordPress plugin installs the entire Matomo analytics platform within your WordPress plugin folder. However, restrictions set by certain plugins may block query strings or PHP access that result in a 403 error.

Known plugin issues

All-in-One Security plugin
When the plugin settings are enabled for 6G Firewall and Block query strings, it will block tracking requests for websites that have vertical pipe characters (e.g. Reports | Risk Analysis) in the page titles. This issue may also occur with other types of characters.

How to allow direct access to Matomo PHP files

Blocking direct PHP access to the WordPress plugin folder is usually done as a security measure to protect against hidden backdoors. Unfortunately, it also prevents entirely legitimate PHP applications, such as Matomo for WordPress.

If you encounter this error, you need to either allow direct PHP access to the entire folder or to the Matomo directory. The specific method for doing this will depend on how access has been blocked. Therefore, the first thing you will need to do is establish the source of the block.

If you are using a WordPress security plugin then you should check its settings page first as this is usually the simplest fix.

Enable direct PHP access via plugin settings

iThemes security plugin

iThemes Settings Page

iThemes Security (rebranding to Solid Security) is one plugin that may cause this error. You can follow the steps below to enable direct PHP access for Matomo for WordPress.

  1. Log in to your WordPress dashboard.
  2. Visit the Settings section within the Security menu.
  3. Click on the Advanced icon to open the System Tweaks tab.
  4. Uncheck the Disable PHP in plugins option.
  5. Click Save to confirm.

Other plugins

There are likely many plugins that offer similar functionality, such as Sucuri for example, and you can generally find an option to enable direct PHP access via their settings page.

Enable direct PHP access via your hosting account

Some hosts also offer a setting to block or unblock direct PHP access on your hosting account.

How to enable PHP access on Cloudways hosting

If you are using Cloudways hosting, then you can enable direct PHP access through your application settings panel.

  1. Log in to your Cloudways hosting dashboard and select your server. and select your Application.
  2. Click Application Settings and go to the General tab within the Application Management menu
  3. Scroll down and Toggle to enable the DIRECT PHP FILES ACCESS setting and click OK to confirm.

Other Hosts

There may be other hosts with similar settings that we are not aware of yet. If you are using another host, you can explore the settings pages of your hosting account to see if there are any options that relate to direct PHP access.

Enable direct PHP access via .htaccess

One popular method of blocking direct access to PHP files on Apache based web servers is through the use of .htaccess files. These are hidden files which can be placed within the directories on your hosting account. They contain URL rules which can set up things like redirects, password protection and also block access, as is the case here.

There are two common places you can check for .htaccess files when it comes to enabling direct access to Matomo for WordPress. Both of these locations will need to be explored via (S)FTP or your web host’s file explorer interface.

Important Note: Whenever editing or removing server configuration files, always make a backup first!

WordPress plugins directory .htaccess files

Visit your /wp-content/plugins/ folder to see if there is a .htaccess file. If you find one and it only contains the following text, you can simply delete it to allow direct access to all PHP files.

<Files *.php>
deny from all
<Files>

Home directory .htaccess files

Alternatively, you can update the .htaccess file in your website’s home folder to include the following code which will block direct execution of PHP files within the WordPress plugins folder, except the Matomo app.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^.*wp-content/.*\.php$
RewriteCond %{REQUEST_URI} !/matomo/app/
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

You should be extra careful with .htaccess files in the home directory, as this is where WordPress defines how it manages links for the entire website. You can learn more about WordPress .htaccess files here.

Previous FAQ: How do I fix the GoDaddy 403 Error when using Matomo for WordPress?