
[resolved] Is turning off mod_security dangerous? (11 posts)

  1. kmessinger
    Volunteer Moderator
    Posted 6 years ago #

    I just added a rewrite from member Rok to my htaccess.
    An Ajax image upload fix that fixes image upload problems:

    <ifmodule mod_security.c>
    <files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </files>
    </ifmodule>

    So now my htaccess looks like this:

    <IfModule mod_rewrite.c>
    <files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    SecFilterInheritance Off
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </files>
    </IfModule>

    The fix works fine, BTW, but when we turn the SecurityFilter off, do we not open a door for exploits?

  2. hakre
    Member
    Posted 6 years ago #

    Security can be complex, and answering your question with a simple yes or no wouldn't help you, I guess. In this specific case, Mod_Security is switched off so that your website works as intended. So in this case you must say no, and it's advisable to admit that in this case mod_security switched on renders your application useless.

    In a more general perspective, mod_security on most servers is configured in a way for a potential, general "aahh threats, go away!" setup. Nothing specific for known WordPress exploits at all. So commonly, mod_security is only an additional layer that lies somewhere, and only the admin who configured it really knows what it is protecting and against what it is protecting.

    If you want to protect yourself a bit more, protect /wp-admin/ with an additional .htaccess based password rule for example.

  3. kmessinger
    Volunteer Moderator
    Posted 6 years ago #

    Thank you!

  4. 12thharmonic
    Member
    Posted 6 years ago #

    I implemented this fix and it worked. A few days later, my parent host (I have a reseller account) has done something (I assume) that is deleting my htaccess files. I have a ticket in about this and am awaiting an answer.
    Is there a better fix for this yet?

    This is most frustrating.

  5. hakre
    Member
    Posted 6 years ago #

    12thharmonic: If your hoster is deleting your .htaccess files, then talk with your hoster to stop that. If your hoster is not able to host you with .htaccess files, then get one that clearly states it provides that feature. I know it is the hard way, but if your hoster is not able to host you with .htaccess, then this could be a sign that your hoster is of very bad quality and has got esoteric security policies. I would not consider myself comfortable with such a hoster.

  6. 12thharmonic
    Member
    Posted 6 years ago #

    I agree.
    This is the first I have seen this. For three years they have been exemplary. I am awaiting more information now. If they cannot explain themselves and restore things to how they were, I will have to find a new host and move eight accounts on my reseller, and two individual accounts w/ the same host other clients have.

    I will be extremely disappointed if a three year solid relationship has to end. Oh the inconvenience! :(
    I will update you all on this, especially if I move, to announce who they are. I'll hold off for the moment.

  7. discolightning
    Member
    Posted 6 years ago #

    For what it's worth, 1&1 is great. I have not had any host-related problems. I did have some attacks related to some WP plugins, and the 1&1 support helped me find the logs.

  8. hakre
    Member
    Posted 6 years ago #

    Back on topic: You posted

    So now my htaccess looks like this:

    <IfModule mod_rewrite.c>
    <files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    SecFilterInheritance Off
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </files>
    </IfModule>

    That is wrong. You mixed two things up. Please see the following:

    <ifmodule mod_security.c>
    <files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </files>
    </ifmodule>
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    You put multiple blocks inside each other that have nothing to do with each other.

  9. kmessinger
    Volunteer Moderator
    Posted 6 years ago #

    Yep, I changed it after I posted here to

    <IfModule mod_rewrite.c>
    <files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    SecFilterInheritance Off
    </files>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    The way it was before, it did not work correctly. Now all seems ok.

  10. hakre
    Member
    Posted 6 years ago #

    Just keep the <ifmodule mod_security.c> mod_security rules like SecFilterEngine </ifmodule> and <IfModule mod_rewrite.c></IfModule> parts apart from each other. Do not put the <files></files> section inside the rewrite part, for example.
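
A small lint for exactly the mistakes discussed in posts 8 through 10 (SecFilter* directives nested under <IfModule mod_rewrite.c>, an unclosed container, and a SecFilterEngine Off that is not narrowed to one file), added here as an example and not code from the thread. It assumes the mod_security 1.x SecFilter* directive names used in this thread and Apache's one-directive-per-line .htaccess format.

```python
import re
# Directive family this thread mixes up with mod_rewrite: mod_security 1.x (SecFilter*).
SEC_PREFIXES = ("secfilter", "secrule", "secaction")
OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
def lint_htaccess(text):
    """Return [(line_no, message)] for the .htaccess mistakes discussed in the thread: unbalanced
    containers, SecFilter* guarded by <IfModule mod_rewrite.c>, and an unscoped SecFilterEngine Off."""
    findings, stack = [], []  # stack holds open containers as (tag, argument, line_no)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip().lower(), n))
            continue
        m = CLOSE_RE.match(line)
        if m:
            tag = m.group(1).lower()
            if stack and stack[-1][0] == tag:
                stack.pop()
            else:
                findings.append((n, f"</{tag}> does not match an open container"))
            continue
        directive = line.split()[0].lower()
        guards = {arg for tag, arg, _ in stack if tag == "ifmodule"}
        scoped = any(tag == "files" for tag, _, _ in stack)
        # Wrong guard: skipped if mod_rewrite is absent, a 500 (unknown directive) if mod_security is.
        if directive.startswith(SEC_PREFIXES) and "mod_rewrite.c" in guards:
            findings.append((n, f"{directive} is a mod_security directive inside <IfModule mod_rewrite.c>"))
        # Outside a <Files> scope the Off switch disables filtering for the whole directory tree.
        if directive == "secfilterengine" and line.split()[-1].lower() == "off" and not scoped:
            findings.append((n, "SecFilterEngine Off applies site-wide; wrap it in <Files async-upload.php>"))
    for tag, _, n in stack:
        findings.append((n, f"<{tag}> opened here is never closed"))
    return findings
# Constructed input: an abridged copy of the mixed-up block from post 1 of the thread.
BROKEN = """<IfModule mod_rewrite.c>
<files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
SecFilterInheritance Off
RewriteRule . /index.php [L]
</files>
</IfModule>
"""

if __name__ == "__main__":
    print(lint_htaccess(BROKEN))
```

Running it on the broken block reports the three SecFilter lines; hakre's separated version from post 8 produces no findings.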

  11. soconnor
    Member
    Posted 5 years ago #

    Ran into a problem where mod_security2 does not allow file uploads in WordPress; the solution is in the mod_security config file

    modsecurity_crs_20_protocol_violations.conf

    You need to comment out the SecRule that mentions "malformed data"; this will allow the upload of chunked data via the WordPress upload.

Topic Closed