I had a client contact me a few days ago about a bizarre issue that I had never seen before. Not only had I never experienced a 406 error when using WordPress, I had never even heard of a a 406 error. Something new every day.
The 406 error was occurring when a user attempted to use/edit any of the WordPress core PHP files, specifically:
Basically, this file is referenced when updating posts/pages and — even more annoyingly — when using the “preview” function. Essentially, if you run into this you can’t do anything.
A simple Google query of “wordpress 406 error” returns a pretty interesting catalogue of WordPress forum threads from anywhere between 2007-2014. Variations of that query return pretty similar results.
All of the effective solutions came from users who mentioned bypassing
mod_security. Even non-Wordpress websites who ran into this issue pretty much all had one common denominator: GoDaddy.
This specific client runs WordPress on a standard Linux with cPanel configuration, so I contacted general hosting support. Despite some terrible support from GoDaddy in the past, the woman who helped me in this situation was actually pretty fantastic.
I thought it was pretty odd that an issue for which the general consensus points to being a solely GoDaddy issue wasn’t on her radar, but whatever. She pulled up some old documentation which instructed me to add the following command to
Apparently, you can’t directly bypass
.htaccess anymore, so back to the drawing board. A few threads has mentioned that only GoDaddy sysadmins can enforce or scale down these
mod_security settings, so I requested a tech scale them back.
As it turns out, the
mod_security settings are automatically scaled up when any suspicious files are detected on your dedicated server or install — whatever you’re working with. Long story short, I requested the site be unflagged as having a security threat, reset all the passwords, and the issue was fixed.
Bottom line, if you’re seeing a 406 error on GoDaddy hosting, contact your hosting support and ask them to check if your site has been flagged. If so, scan for any suspicious files/activity, take appropriate action, then make sure a sysadmin scales down the
Hope this saves you the last 3-4 hours I spent figuring it out.