WordPress.org


[resolved] Disable mod security (16 posts)

  1. djdavedawson
    Member
    Posted 5 years ago #

    Hello,

    I am having the select f r o m issue and I've tried disabling mod security using these htaccess commands:

    <IfModule mod_security.c>
    SecFilterInheritance Off
    </IfModule>

    and

    <IfModule mod_security.c>
    SecFilterEngine off
    </IfModule>

    <IfModule mod_security2.c>
    SecFilterEngine off
    </IfModule>

    but none of them seem to work.

    Any ideas ?

    Thanks

  2. Samuel B
    moderator
    Posted 5 years ago #

    just

    SecFilterScanPOST Off

    or

    SecFilterEngine Off

    nothing else

  3. djdavedawson
    Member
    Posted 5 years ago #

    Does this go in the root .htaccess or in the wp-admin ?

  4. djdavedawson
    Member
    Posted 5 years ago #

    I tried in both and I am still getting 500 errors.

    Do I need to change anything in mod_security to allow these commands to work?

  5. Samuel B
    moderator
    Posted 5 years ago #

    that should go in .htaccess in root and work
    shouldn't need to change anything else

    are you positive this is the problem?

  6. djdavedawson
    Member
    Posted 5 years ago #

    It turns out I have mod_security 2 and ms2 does not support .htaccess overrides.

    More on that here:

    http://www.drak.net/news/2009/01/05/mod-security-override-no-longer-works/

    So I had to edit my whitelist.conf here:

    /usr/local/apache/conf/modsec2/whitelist.conf

    and I added

    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 300015 3000016 3000017
    </LocationMatch>

    <LocationMatch "/wp-admin/admin-ajax.php">
    SecRuleRemoveById 300015 3000016 3000017
    </LocationMatch>

    <LocationMatch "/wp-admin/page.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

    Now it works like I need it to.

    Hope that helps someone

  7. Samuel B
    moderator
    Posted 5 years ago #

    thanks for that resolution - it's good to know
    can you resolve the topic for future searches?

  8. djdavedawson
    Member
    Posted 5 years ago #

    Here's an update ... I posted too many zeros in the one above.

    Here is what you need:

    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

    <LocationMatch "/wp-admin/admin-ajax.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

    <LocationMatch "/wp-admin/page.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

  9. nissag
    Member
    Posted 4 years ago #

    Thanks SamBoll,

    Your fix worked for me.

    Nissa

  10. figaro
    Member
    Posted 4 years ago #

    @djdavedawson: Thanks a million...your solution cleared the problem I described below.

    http://wordpress.org/support/topic/285734?replies=7

  11. I've got 6 blogs on my server, all for different accounts and with the blogs in different places (/blog, /wp, etc etc). Is there anything special I need to do with the location match to make them all work?

  12. DP: I bit the bullet and put that in. Seems to be working (or at least no one's kvetched yet and everyone can still post).

  13. pcshost
    Member
    Posted 4 years ago #

    How did the fix actually work for others? The mod security IDs should be different unless everyone's running the same script. And there's no path I've seen in my server for a whitelist.conf. How does the httpd.conf know it's there?

  14. ciuly
    Member
    Posted 4 years ago #

    you need to "Include conf/path/to/whitelist.conf" in your modsecurity.conf file.
    the IDs represent the IDs of the rules. as a side note, I am a new user of modsecurity (MS) and from what I see in my modsec_audit.log none of those IDs appear there. though I did see some phpids-30 and -60 and such there.

    on another note, this is not working on WP 2.8.5 and MS 2.5.10 with core ruleset 2.0.2
    I am getting 403 forbidden when trying to post from admin panel. this really sucks if you ask me.

    I got my whitelist.conf file to look like this:

    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
    </LocationMatch>
    
    <LocationMatch "/wp-admin/page.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
    </LocationMatch>
    
    <LocationMatch "/wp-admin/options.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
    </LocationMatch>
    
    <LocationMatch "/wp-admin/theme-editor.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 960010 960012 950006
    </LocationMatch>

    I am including the whitelist.conf from the end of the MS conf. not sure if that's right or if the IDs have changed.
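
Added example, not code from any poster in this thread: posts 13 and 14 both note that rule IDs differ between servers and rulesets, so the IDs to whitelist should come from your own modsec_audit.log rather than from a forum post. The sketch below assumes the ModSecurity 2.x serial audit-log layout with section H enabled; the sample log is constructed, and the function names `fired_rules_by_path` and `whitelist_block` are hypothetical.

```python
import re
from collections import defaultdict

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # e.g. --a1b2c3d4-H--
RULE_ID = re.compile(r'\[id "([^"]+)"\]')

# Constructed sample in ModSecurity 2.x serial audit-log layout (not real traffic).
SAMPLE = """\
--a1b2c3d4-A--
[01/Nov/2009:10:00:00 +0000] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 51000 192.0.2.1 80
--a1b2c3d4-B--
POST /wp-admin/post.php HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [id "950006"] [msg "constructed"]
Message: Warning. [file "/path/to/rules.conf"] [id "phpids-30"] [msg "constructed"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[01/Nov/2009:10:01:00 +0000] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.10 51001 192.0.2.1 80
--e5f6a7b8-B--
GET /wp-admin/options.php?page=general HTTP/1.1
--e5f6a7b8-H--
Message: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [id "960008"] [msg "constructed"]
--e5f6a7b8-Z--
"""

def fired_rules_by_path(audit_text):
    """Return {request path: set of rule ids logged in that transaction's H section}."""
    hits = defaultdict(set)
    section, path, need_request_line = None, None, False
    for raw in audit_text.splitlines():
        line = raw.strip()
        m = BOUNDARY.match(line)
        if m:
            section = m.group(2)
            need_request_line = section == "B"
            if section == "A":          # new transaction: forget the previous path
                path = None
        elif need_request_line and line:
            parts = line.split()        # "POST /wp-admin/post.php HTTP/1.1"
            path = parts[1].split("?", 1)[0] if len(parts) >= 2 else None
            need_request_line = False
        elif section == "H" and line.startswith("Message:") and path:
            hits[path].update(RULE_ID.findall(line))
    return dict(hits)

def whitelist_block(path, ids):
    """Render an anchored LocationMatch that removes only the ids seen for that path."""
    pattern = "^" + re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", path) + "$"
    rules = "\n".join(f"  SecRuleRemoveById {i}" for i in sorted(ids))
    return f'<LocationMatch "{pattern}">\n{rules}\n</LocationMatch>'
```

Review each reported ID against the rule it belongs to before removing it; the generated block is scoped to one exact path, so every other URL keeps the full ruleset.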

  15. ciuly
    Member
    Posted 4 years ago #

    update: the following seems to have solved the posting problem but there are still things that don't work right (plugins and themes to name a couple)

    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/page.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/options.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/theme-editor.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 960010 960012 950006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>

    I am now removing mod_security since I am running about 13 sites on my server and all of them run different scripts, so this will literally take me months to get things straight for every site and script, time that I don't have.

  16. KnightBaron
    Member
    Posted 4 years ago #

    This piece of code works like a charm for me

    <IfModule mod_env.c>
        SetEnv MODSEC_ENABLE Off
        PassEnv MODSEC_ENABLE
    </IfModule>

Topic Closed

This topic has been closed to new replies.
