Support » Fixing WordPress » Security update and mod_security

  • Is there a particular mod_security rule needed to protect against the vulnerability in get_the_category_by_ID fixed in, or is it taken care of by a config option or just the mere presence of mod_security?

Viewing 3 replies - 1 through 3 (of 3 total)
  • skippy



    It is my understanding that out of the box, mod_security protects against SQL injections. The vulnerability in WordPress was, in fact, a SQL injection vulnerability due to an un-cast integer variable.




    Correction: out o fthe box, mod_security does nothing. You need a specific rule to protect against SQL injections. The following rule was suggested to me; but I have not tested it (I don’t use mod_security yet):
    SecFilterEngine On
    SecFilterScanPOST On
    SecAuditLog /dev/null
    SecFilterDefaultAction "deny,log,status:402"

    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    SecFilter "../"
    SecFilterSelective "REQUEST_METHOD" "SEARCH"

    After seeing this post I wanted to ask around for input on the effectiveness of these rules.

    Instead of trying to relay the information, you should see:

    If you use mod_security or are planning to do so, you should consider updating the rulesets with those provided at

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Security update and mod_security’ is closed to new replies.