Mod_Security For WordPress (15 posts)

  1. godsofchaos
    Member
    Posted 3 years ago #

    Okie, I think this is a common problem for all of us who are on a VPS or a Dedi. Mod Security does not play nice with WordPress and sometimes renders the site blank, generates error 500, kills comment posting and what not. On my blog Nokia Symbian Themes it has had some issues in the past and though I think I have fixed almost all of em - there may always be more. After searching the web I found bits n pieces everywhere but nothing that is regularly updated & tested to work.

    Hence I am starting this thread so that anyone with issues with mod_security and wordpress can bank in this thread :) for the solutions.

    This is so far what I have included in my Mod_Security Custom/Whitelist setting which makes my site act kinda nicely so far:

    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/page.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/options.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/theme-editor.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 960010 960012 950006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>

    Some of these rules are WordPress Specific while some are plugin specific. Do you have anything else included that makes your wordpress & the plugins act nicely with Mod_Security? If yes, then please post it so that we can compile the ultimate mod_security and wordpress specific whitelist ruleset!

    Cheers!

    Btw on my VPS - Running WP 3.03, Apache 2.2, CSF Firewall and E-Accelerator with PHP 5.2.

  2. Brian Layman
    Member
    Posted 3 years ago #

  3. godsofchaos
    Member
    Posted 3 years ago #

    Thanks for the heads up!

    I have included the Google Robot Activity exception now and also added a few experimental exceptions to make 2 plugins (Fancybox for WordPress & Wp-Recaptcha) work.

    Lastly, still messing around with the TimThumb.php (or thumb.php) script and mod_security conflict issue. Integrated the Hostgator exceptions and a few other general exceptions to that script particularly. Simply change the part that says YOUR_THEME to your active theme's folder name so that the full address denotes to the timthumb or thumb.php file directly.

    <LocationMatch "/">
    SecRuleRemoveById 910006
    SecRuleRemoveById 960015
    </LocationMatch>
    
    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/page.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/options.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/theme-editor.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/wp-recaptcha/">
      SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/fancybox-for-wordpress/">
      SecRuleRemoveById 960010 960012 950006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 960010 960012 950006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/themes/YOUR_THEME/thumb.php">
      SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>

  4. godsofchaos
    Member
    Posted 3 years ago #

    Another update:

    For the Sociable plugin, the fix if you are experiencing any errors is:

    <LocationMatch "/wp-content/plugins/sociable/">
    SecRuleRemoveById 960010 960012 950006
    SecRuleRemoveById phpids-17
    SecRuleRemoveById phpids-20
    SecRuleRemoveById phpids-21
    SecRuleRemoveById phpids-30
    SecRuleRemoveById phpids-61
    </LocationMatch>

  5. godsofchaos
    Member
    Posted 3 years ago #

    Another quick update: this is what I am presently using on my vps for mod_security.

    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/page.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/options.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/theme-editor.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/">
      SecRuleRemoveById 300015 340151 1234234 340153 1234234 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 960010 960012 950006 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/themes/">
      SecRuleRemoveById 340151 340153 1234234 950006 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/sociable/">
    SecRuleRemoveById 960010 960012 950006 959006
    SecRuleRemoveById phpids-17
    SecRuleRemoveById phpids-20
    SecRuleRemoveById phpids-21
    SecRuleRemoveById phpids-30
    SecRuleRemoveById phpids-61
    </LocationMatch> 
    
    <LocationMatch "/wp-content/plugins/wp-recaptcha/">
      SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/fancybox-for-wordpress/">
      SecRuleRemoveById 960010 960012 950006 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/js/tinymce/plugins/spellchecker/rpc.php">
      SecRuleRemoveById 960010
      SecRuleRemoveById 960012
      SecRuleRemoveById 959006
    </LocationMatch>
    
    <LocationMatch "/wp-content/themes/YOUR_THEME/thumb.php">
      SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>

  6. Olivier
    Member
    Posted 3 years ago #

    You don't seem to have been affected by any of the 97xxxx rules, maybe it only applies to WP Networks...

  7. aarondwyer
    Member
    Posted 3 years ago #

    Hi Thank you for sharing that. Very helpful.

    However this change affects the whole server.

    Is there a way to identify just the one website account that is having problems with modsecurity.

    I have a few wordpress sites on the same server, and only 1 of them is having trouble with mod security 2.

    I'd prefer to just isolate the 1 that's having trouble and bypass the mod security rules for it rather than globally.

    Any ideas?

    Thanks
    Aaron

  8. Olivier
    Member
    Posted 3 years ago #

    Just add the rules to virtualhosts and you'll be fine.

  9. aarondwyer
    Member
    Posted 3 years ago #

    Hi Olivier I'll investigate that, thanks for the tip. Aaron

  10. aarondwyer
    Member
    Posted 3 years ago #

    Hi Olivier

    I asked my host LiquidWeb to action a virtualhosts change but they didn't know anything about it, and said it can't be done.

    Do you have any ideas? I'm on a cPanel server running CENTOS 5.5

    Is there any documentation on this method of mod security rule changes with cPanel?

    Aaron

  11. Olivier
    Member
    Posted 3 years ago #

    Hello Aaron,

    To be honest, mod_security should already be configured by your host if you're on a shared hosting plan. It can break too many websites if not carefully configured.

    But in your case, they just need to paste the whole block into your vhost. It's dead easy. You can do it yourself if you have access to the file (I'm not familiar with cPanel, I'm a Directadmin fan).

    Cheers,

    Olivier

  12. aarondwyer
    Member
    Posted 3 years ago #

    Hi Olivier

    I'm on a dedicated machine that liquid web manage. I still can't believe they said this couldn't be done. Usually they are very good support wise. Not sure what's happening in this instance.

    I worked this out in about 1/2 hour.

    Because it's cPanel I moved the whitelist.conf which I had built for modsecurity2 which handles globally, into the cpanel vhosts template area (which is different depending on your apache build).

    cPanel builds the httpd.conf file up from external includes. So you have to use an external include .conf file put in the right place. Look in the httpd.conf file for exactly which directory to put it in.

    In the end this was my whitelist.conf file

    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 300016
    </LocationMatch>

    <LocationMatch "/wp-admin/nav-menus.php">
    SecRuleRemoveById 300016
    </LocationMatch>

    And now it's being run for just that one user account that for some reason had trouble with modsecurity2.

    Thanks for everyone's input. This took me 1 week to sort out.

    I was at the point of moving this site onto another server once I'd worked out it was mod security causing my issues.

    Aaron
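The lists earlier in this thread remove a fixed set of rule IDs from whole prefixes such as /wp-content/plugins/, which switches those checks off for every request under that prefix on every site the server hosts. Aaron's final whitelist.conf above takes the narrower route: only the rule that actually fired, only on the URI where it fired, only for the one vhost. The script below is an added example, not code from any poster in this thread or from the ModSecurity project; it reads ModSecurity 2.x "Access denied" entries out of an Apache error_log and drafts exactly that kind of minimal, per-vhost whitelist. The log lines are constructed samples in the ModSecurity 2.x error_log layout; the hostnames blog.example.com and other.example.net, the client addresses and the rule messages are assumptions, while the rule IDs and wp-admin paths are the ones that appear on this page.

```python
"""Draft a minimal, per-vhost SecRuleRemoveById whitelist from ModSecurity
2.x denials found in an Apache error_log.

Added example for this thread; not code from any poster or from ModSecurity.
"""
import re
from collections import defaultdict

# Constructed sample error_log lines (assumed hostnames, addresses and msgs).
SAMPLE_LOG = """\
[Fri Oct 22 10:01:02 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "300016"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-1"]
[Fri Oct 22 10:01:09 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:menu-item-title. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "300016"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/nav-menus.php"] [unique_id "constructed-2"]
[Fri Oct 22 10:02:30 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:data. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "71"] [id "959006"] [msg "System Command Injection"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-3"]
[Fri Oct 22 10:02:31 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:data. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "71"] [id "959006"] [msg "System Command Injection"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-4"]
[Fri Oct 22 10:03:00 2010] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "12"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"] [hostname "other.example.net"] [uri "/index.php"] [unique_id "constructed-5"]
[Fri Oct 22 10:03:05 2010] [error] [client 198.51.100.7] File does not exist: /home/other/public_html/favicon.ico
"""

DENIAL_MARKER = "ModSecurity: Access denied"
# Bracketed [key "value"] fields; values may contain escaped quotes.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Characters that are special in the PCRE regex LocationMatch expects.
REGEX_SPECIAL = re.compile(r'([.?*+()\[\]{}|^$\\])')


def parse_denials(log_text):
    """Return one dict of bracketed fields per 'Access denied' line."""
    denials = []
    for line in log_text.splitlines():
        if DENIAL_MARKER not in line:
            continue  # ordinary Apache errors (404s etc.) are not WAF hits
        fields = dict(KV_RE.findall(line))
        if all(k in fields for k in ("id", "uri", "hostname")):
            denials.append(fields)
    return denials


def summarize(denials):
    """Map (hostname, uri) -> {rule_id: hit_count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for d in denials:
        summary[(d["hostname"], d["uri"])][d["id"]] += 1
    return summary


def rule_messages(denials):
    """Map rule_id -> the msg the rule logged, for comments in the output."""
    return {d["id"]: d.get("msg", "no msg recorded") for d in denials}


def rule_ids_for_host(summary, hostname):
    """All rule IDs that fired on any URI of one vhost."""
    return {rid for (host, _), hits in summary.items()
            if host == hostname for rid in hits}


def render_whitelist(summary, hostname, messages=None):
    """Emit one anchored <LocationMatch> block per URI seen for this vhost.

    LocationMatch takes a regex, so the URI is escaped and anchored with
    ^...$; an unanchored "/wp-admin/post.php" would also exempt any path
    that merely contains that string.
    """
    messages = messages or {}
    out = [f"# Whitelist drafted from ModSecurity denials for {hostname}"]
    for (host, uri), hits in sorted(summary.items()):
        if host != hostname:
            continue  # other vhosts keep their rules untouched
        uri_re = REGEX_SPECIAL.sub(r"\\\1", uri)
        out.append(f'<LocationMatch "^{uri_re}$">')
        for rid, count in sorted(hits.items()):
            out.append(f"  # {rid} x{count}: {messages.get(rid, 'no msg recorded')}")
        out.append("  SecRuleRemoveById " + " ".join(sorted(hits)))
        out.append("</LocationMatch>")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(render_whitelist(summarize(found), "blog.example.com",
                           rule_messages(found)))
```

Paste the generated blocks into the one vhost (or the per-domain include file cPanel builds httpd.conf from, as described above) rather than into a global whitelist.conf; the script deliberately leaves other.example.net out of blog.example.com's output so a denial on one site never loosens another. Review each emitted block against the logged msg before applying it, since a rule that fires on a legitimate post body and the same rule firing on a real injection attempt look identical in this summary.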

  13. Olivier
    Member
    Posted 3 years ago #

    I'm glad you worked it out :)
    If you're using whitelist.conf, then you're whitelisting that rule for the whole server, but since any site running WordPress would need to be able to bypass that rule, it's not a bad thing.

    Cheers,

    Olivier

  14. aarondwyer
    Member
    Posted 3 years ago #

    Yep that's right, whitelist.conf works globally, but I wasn't happy with that. Considering all other instances of wordpress I've ever had over the last 5 years have never come across this problem, I wanted the solution isolated to just this one domain.

    Hence vhosts instead of whitelist.conf.

    Aaron

  15. godsofchaos
    Member
    Posted 3 years ago #

    Hi Aaron, you can also use the CMC plugin if you have Cpanel as it can automatically apply custom rules according to domain/domains.

    It gives you a GUI through which you can apply the rules I mentioned along with any other rules globally/locally for domains/subdomains etc.

    It is by far the easiest way to manage Mod Security Rules and mess with it in general. :)

    Find It here: http://configserver.com/cp/cmc.html

This topic has been closed to new replies.