whm/cpanel + wordpress = incorrect error status codes

Answered

MHFraser

• December 17, 2025 08:21

Hi everyone,

I've encountered this problem a couple of different ways now and it's starting to bug me. 

Part of the default wmh/cpanel apache config is defining Error Documents for just about every code 

Include "/etc/apache2/conf.d/includes/errordocument.conf"

these look like

# 403 - Forbidden

ErrorDocument 403 /403.shtml

When an account is created or an add-on domain added, these error documents are not created, so when a 403 error occurs (say through ModSecurity), the client/bot gets a 403 response with the good old

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

so a 403 and a 404 but hey at least the 403 actually makes it to the client.

Now wordpress enters the scene:

• ModSecurity issues a 403
• Apache looks for /403.shtml
• .htaccess rewrite rule gets triggered (!-f) and redirected to Wordpress

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

• wordpress looks for a route "403.shtml" 
• it'll either do the (expensive/pretty) 404 page, or redirect to a real page (301 -> 200) 

so the 403 is instead a 404 or worse 301 => 200 (!) 

I looked at the "Error Pages" function in cpanel for clarity "Basic error pages are automatically provided by the web server (Apache). However, if you prefer, you can create a custom error page for any valid HTTP status code beginning in 4 or 5." 

No thats not the behaviour I am seeing. No error document is being provided, apache error pages are themselves erroring unless one is created.

Am I missing something? why doesnt the ErrorDocument configuration point to an actual error document out of the box? 

Sure I can copy all the error documents into all the public_html's but is there something I can do to the apache config to fix this? I have 100's of accounts and looking for a global solution.

any suggestions welcome, thanks!

 

 

• 

  cPRex Jurassic Moderator

  • December 17, 2025 16:54

  Hey there!  We actually have an option for this in WHM >> Tweak Settings.  Currently it's the very last option in the list:

  "Copy default error documents to docroot for new accounts, addon domains, and subdomains"

  so I believe enabling that would resolve the issues you're seeing for all newly created accounts without manual work.

  You could always turn that on, create a new fake account, and then use those files to copy them over to other accounts.

  0
• 

  MHFraser

  • December 18, 2025 02:35

  Hi cPRex,

  thanks I'll try it.

  "When enabled, the system copies the default error documents to the document root directory when you create new accounts, addon domains, and subdomains. By copying the default error documents to the document root, this ensures that the global ErrorDocument configuration has the files it needs to prevent generating additional errors."

  out of interest why isn't this just on by default?

  0
• 

  cPRex Jurassic Moderator

  • December 18, 2025 03:46

  I think the most honest answer is "because this is relatively newer and people strongly dislike change" 

  0
• 

  MHFraser

  • December 18, 2025 06:01

  understand. FWIW I keep encountering this mitigating bots. wordpress wastes too many cpu cycles generating pretty 404 pages for bots 

  0
• 

  MHFraser

  • December 28, 2025 04:43
  • Edited

  followup for any future readers in the same boat.

  I ended up commenting out the ErrorDocument for a handful of codes I'm using in the included "/etc/apache2/conf.d/includes/errordocument.conf" file. 

   

  Effectively these codes are 'system reserved' and cant have custom errordocuments by users. Not a big deal. no user has customised an error document anyway.

  0
• 

  cPRex Jurassic Moderator

  • December 29, 2025 16:46

  I'm glad you came up with a good workaround!

  0

Please sign in to leave a comment.