406 Error While Using Core WordPress Functionalities on GoDaddy

I had a client contact me a few days ago about a bizarre issue that I had never seen before.  Not only had I never experienced a 406 error when using WordPress, I had never even heard of a a 406 error.  Something new every day.

The 406 error was occurring when a user attempted to use/edit any of the WordPress core PHP files, specifically:


Basically, this file is referenced when updating posts/pages and — even more annoyingly — when using the “preview” function.  Essentially, if you run into this you can’t do anything.

A simple Google query of “wordpress 406 error” returns a pretty interesting catalogue of WordPress forum threads from anywhere between 2007-2014.   Variations of that query return pretty similar results.

All of the effective solutions came from users who mentioned bypassing mod_security. Even non-Wordpress websites who ran into this issue pretty much all had one common denominator:  GoDaddy.

This specific client runs WordPress on a standard Linux with cPanel configuration, so I contacted general hosting support.  Despite some terrible support from GoDaddy in the past, the woman who helped me in this situation was actually pretty fantastic.

I thought it was pretty odd that an issue for which the general consensus points to being a solely GoDaddy issue wasn’t on her radar, but whatever.  She pulled up some old documentation which instructed me to add the following command to .htaccess:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off

Apparently, you can’t directly bypass mod_security through .htaccess anymore, so back to the drawing board. A few threads has mentioned that only GoDaddy sysadmins can enforce or scale down these mod_security settings, so I requested a tech scale them back.

As it turns out, the mod_security settings are automatically scaled up when any suspicious files are detected on your dedicated server or install — whatever you’re working with.  Long story short, I requested the site be unflagged as having a security threat, reset all the passwords, and the issue was fixed.

Bottom line, if you’re seeing a 406 error on GoDaddy hosting, contact your hosting support and ask them to check if your site has been flagged.  If so, scan for any suspicious files/activity, take appropriate action, then make sure a sysadmin scales down the mod_security settings.

Hope this saves you the last 3-4 hours I spent figuring it out.


Leave a Reply

Your email address will not be published. Required fields are marked *