Adding code to Thesis’ head section causes a 403 error

If you’re adding code to Thesis’ head section and get a 403 error, especially if you’re adding a link to a font or other resource, the problem may be related to the web application firewall protecting your site.

As with most server-side errors, the first step is to check the log files on the server.

  • Log in to Plesk
  • Under “Websites and Domains”, click “Logs” for the domain
  • In the “Type” dropdown (the second from the left) uncheck “access”, so that only errors and warnings are shown.

In the logs you may see something that looks like the following:


ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<LINK[\\\\s+/].{0,}?href[\\\\s+/]{0,}=)" at ARGS:thesis_html_head_scripts[thesis_html_head_scripts][scripts]. [file "/etc/httpd/conf/modsecurity.d/rules/comodo/07_XSS_XSS.conf"] [line "291"] [id "212980"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.


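Aha! So ModSecurity is blocking the request. It thinks there’s a cross-site scripting attack taking place, but the reality is that the rule’s pattern matches any <link … href=…> tag in a submitted form field, and that is exactly what the head code you’re saving contains (the “ARGS:thesis_html_head_scripts…” part of the log entry is the Thesis field that tripped the rule). Never fear, we can get around this problem easily enough.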

  • Go back to the “Websites and Domains” view in Plesk.
  • Click on “Web Application Firewall”.
  • Under “Switch off security rules” paste the “ID” from the log (212980)
  • Click OK or Apply to save.

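That’s it! You should now be able to save your head information and the server won’t worry about an XSS attack. Keep in mind that this switches rule 212980 off for every request to the domain, not just for the Thesis settings form, so switch off only the ID that appears in your log and leave the rest of the firewall rules enabled.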
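To confirm which rule and which form field are involved before switching anything off, the log entry can be parsed rather than read by eye. The following is an added example, not part of the original article: it extracts the rule ID, rule file and blocked parameter from ModSecurity “Access denied” lines and tolerates a cut-off msg field like the one above. The sample log is constructed; rule IDs 999999 and 999998 and their paths are made-up placeholders.

```python
import re
from collections import Counter

# Constructed sample: the first entry mirrors the log line shown above (with
# its cut-off msg field); the other two are made up to show filtering/grouping.
SAMPLE_LOG = r'''
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<LINK[\\\\s+/].{0,}?href[\\\\s+/]{0,}=)" at ARGS:thesis_html_head_scripts[thesis_html_head_scripts][scripts]. [file "/etc/httpd/conf/modsecurity.d/rules/comodo/07_XSS_XSS.conf"] [line "291"] [id "212980"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.
ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:comment. [file "/constructed/example.conf"] [line "1"] [id "999999"] [msg "Constructed example rule"]
ModSecurity: Warning. Operator GE matched 5 at TX:score. [id "999998"]
'''

DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)')
# The matched variable sits between " at " and the ". [" that starts the metadata.
TARGET = re.compile(r' at ([A-Z_]+(?::\S+)?)\. \[')
# [name "value"] pairs; a value cut off at end of line (no closing "]) is still captured.
FIELD = re.compile(r'\[(\w+) "([^"]*)(?:"\]|$)')

def parse_denials(log_text):
    """Return one dict per 'Access denied' entry; other ModSecurity lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue  # warnings and unrelated lines are not blocks
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        hits.append({
            "status": int(denied.group(1)),
            "phase": int(denied.group(2)),
            "target": target.group(1) if target else None,
            "id": fields.get("id"),
            "file": fields.get("file"),
            "msg": fields.get("msg"),
        })
    return hits

def summarize(hits):
    """Count denials per (rule id, request parameter)."""
    return Counter((h["id"], h["target"]) for h in hits)

if __name__ == "__main__":
    for (rule_id, target), n in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f"rule {rule_id} blocked {target} x{n}")
```

If the summary shows the same rule ID firing on parameters that have nothing to do with the Thesis head field, look at those requests before switching the rule off.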

About Allen Pooley

Allen is a self professed geek and technology lover. He's always playing with one of his various websites, and loves helping customers with theirs. He can often be found with a coffee (light roast, please) in his hand and a smile on his face... or trapped under a pile of yarn.
