WordPress.org

Ready to get started?Download WordPress

Forums

Mod_Security (10 posts)

  1. mynetweblogs
    Member
    Posted 7 years ago #

    I have read that mod_security causes some issues with WordPress installations. Is it worth the workarounds to have mod_security installed?

  2. Chris_K
    Member
    Posted 7 years ago #

    There are way too many variables to be able to answer that question. I dunno that any two hosts configure mod_security the same way. It would seem, to me, that in 95% (more?) cases it causes no issues at all.

  3. mynetweblogs
    Member
    Posted 7 years ago #

    Well for me, when I try to install a new blog, I get a server error.

  4. mynetweblogs
    Member
    Posted 7 years ago #

    What settings would cause issues?

  5. vkaryl
    Member
    Posted 7 years ago #

    Hard to say, since most hosts won't tell you what their ruleset includes.

  6. mynetweblogs
    Member
    Posted 7 years ago #

    Would mod_dosevasive cause issues, or is it probably the mod_security causing a problem?

  7. vkaryl
    Member
    Posted 7 years ago #

    I don't have a clue - never heard of mod_dosevasive for one thing. For another, the host I left because of mod_sec problems never would tell me what they changed.

  8. Chris_K
    Member
    Posted 7 years ago #

    This thread take a while to get going, but ends with some .htaccess "tricks" to mitigate issues caused by an overly strict mod_security configuration.

    http://wordpress.org/support/topic/75361?replies=69

  9. whooami
    Member
    Posted 7 years ago #

    I have read that mod_security causes some issues with WordPress installations. Is it worth the workarounds to have mod_security installed?

    Ive been waiting for 10 hours to respond to this thread --

    What specifically have you read regarding mod_security affecting installs? And where?

    Thats the best place to start before answering too many questions.

    Since we dont know what youve read, or where, its hard to tell you if its worth it. What you read might be accidently inaccurate, or purposefully false.

    I can say with some assuredness that mod_security is mistakenly blamed for quite a few things on these forums, and ought not to be.

    In other words, _generally_ uneducated people speak up without doing their homework first, (as happens everywhere, I fairly need to to add).

    ---

    Now again, This, therefore, is a general reply to your question.

    mod_security is worth ANY troubles, and the primary reason why I say is that its flexible, can be "turned off" if any different number of ways, and prevents a whole shedload of malicious things from happening.

    Need to turn it off, adjust, etc..:

    Add:

    SecFilterEngine Off

    to any .htaccess.

    You obviously already know that .htaccess bits are inherited, so I dont need to explain that you could protect one directory but not another.

    Just want to protect certain files:

    Or ..

    if you just want to have certain files do this, heres a good example:

    SecFilterEngine On
    SecFilterSelective "REQUEST_URI" "/wp-admin/edit.php" "allow,nolog"

    Or lets say you want to have an override for a word already listed in your modsecurity.conf:

    SecFilterEngine On
    SecFilterSelective "POST_PAYLOAD" "curl" "allow,nolog"

    Lots and lots and lots of options, besides the 2 simple ones mentioned in the thread handy linked to.

    A whole lot of documentation for mod_security:

    http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/

    I'll assume youve looked over the mod_security website enough that you have a good idea what it does, and prevents. Personally, it's the SQL injection attack and XSS protection that I appreciate the most. A close second being the php remote file include protection.

    I use mod_security to its fullest. I have no troubles posting whatever content I want, and have experienced NO issues with installs or upgrades, and I fairly recently just did a server move (both hosts had it available), again, all without a single issue.

    --

    And just a commentary, "overly strict" is just that, commentary.

  10. whooami
    Member
    Posted 7 years ago #

    as for mod_dosevasive, again, I would need to ask, what, if any, issues, are you having? or are you simply anticipating issues?

    mod_dosevasive is pretty straightforward, and if youve ever looked at the output of ps -aux, you know how many procceses Apache can spawn.

    For the uninformed, mod_dosevasive fights DOS attacks by blocking an IP thats requesting the same page more than a few times per second, or by blocking an IP thats making more than 50 concurrent requests on the same Apache proccess. It also includes a blacklist, and checks IPs againt that list.

    I dont see how mod_dosevasive would cause it's own install issues, unless your hammering the page without fixing whatever other problem(s) might be holding up your install.

Topic Closed

This topic has been closed to new replies.

About this Topic