• Okie, I think this is a common problem for all of us who are on a VPS or a Dedi. Mod Security does not play nice with WordPress and sometimes renders the site blank, generates error 500, kills comment posting and what not. On my blog Nokia Symbian Themes it has had some issues in the past and though I think I have fixed almost all of em – there may always be more. After searching the web I found bits n pieces everywhere but nothing that is regularly updated & tested to work.

    Hence I am starting this thread so that anyone with issues with mod_security and wordpress can bank in this thread for the solutions.

    This is so far what I have included in my Mod_Security Custom/Whitelist setting which makes my site act kinda nicely so far:

    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/page.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/options.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/theme-editor.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 960010 960012 950006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>

    Some of these rules are WordPress Specific while some are plugin specific. Do you have anything else included that makes your wordpress & the plugins act nicely with Mod_Security? If yes, then please post it so that we can compile the ultimate mod_security and wordpress specific whitelist ruleset!

    Cheers!

    Btw on my VPS – Running WP 3.03, Apache 2.2, CSF Firewall and E-Accelerator with PHP 5.2.

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter godsofchaos

    (@godsofchaos)

    Thanks for the heads up!

    I have included the Google Robot Activity exception now and also added a few experimental exceptions to make 2 plugins (Fancybox for WordPress & Wp-Recaptcha) work.

    Lastly, still messing around with the TimThumb.php (or thumb.php) script and mod_security conflict issue. Integrated the Hostgator exceptions and a few other general exceptions to that script particularly. Simply change the part that says YOUR_THEME to your active theme’s folder name so that the full address points to the timthumb or thumb.php file directly.

    <LocationMatch "/">
    SecRuleRemoveById 910006
    SecRuleRemoveById 960015
    </LocationMatch>
    
    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/page.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/options.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/theme-editor.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/wp-recaptcha/">
      SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/fancybox-for-wordpress/">
      SecRuleRemoveById 960010 960012 950006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 960010 960012 950006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/themes/YOUR_THEME/thumb.php">
      SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    Thread Starter godsofchaos

    (@godsofchaos)

    Another update:

    For the Sociable plugin fix if you are experiencing any errors that is:

    <LocationMatch "/wp-content/plugins/sociable/">
    SecRuleRemoveById 960010 960012 950006
    SecRuleRemoveById phpids-17
    SecRuleRemoveById phpids-20
    SecRuleRemoveById phpids-21
    SecRuleRemoveById phpids-30
    SecRuleRemoveById phpids-61
    </LocationMatch>

    Thread Starter godsofchaos

    (@godsofchaos)

    Another quick update: this is what I am presently using on my vps for mod_security.

    <LocationMatch "/wp-admin/post.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/admin-ajax.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/page.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/options.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-admin/theme-editor.php">
      SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/">
      SecRuleRemoveById 300015 340151 1234234 340153 1234234 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      SecRuleRemoveById 960010 960012 950006 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/themes/">
      SecRuleRemoveById 340151 340153 1234234 950006 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/sociable/">
    SecRuleRemoveById 960010 960012 950006 959006
    SecRuleRemoveById phpids-17
    SecRuleRemoveById phpids-20
    SecRuleRemoveById phpids-21
    SecRuleRemoveById phpids-30
    SecRuleRemoveById phpids-61
    </LocationMatch> 
    
    <LocationMatch "/wp-content/plugins/wp-recaptcha/">
      SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-content/plugins/fancybox-for-wordpress/">
      SecRuleRemoveById 960010 960012 950006 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/js/tinymce/plugins/spellchecker/rpc.php">
    SecRuleRemoveById 960010
    SecRuleRemoveById 960012
    SecRuleRemoveById 959006
    </LocationMatch>
    
    <LocationMatch "/wp-content/themes/YOUR_THEME/thumb.php">
      SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
      SecRuleRemoveById phpids-17
      SecRuleRemoveById phpids-20
      SecRuleRemoveById phpids-21
      SecRuleRemoveById phpids-30
      SecRuleRemoveById phpids-61
    </LocationMatch>
    Anonymous User 6488573

    (@anonymized-6488573)

    You don’t seem to have been affected by any of the 97xxxx rules, maybe it only applies to WP Networks…

    Hi, thank you for sharing that. Very helpful.

    However this change affects the whole server.

    Is there a way to identify just the one website account that is having problems with modsecurity?

    I have a few wordpress sites on the same server, and only 1 of them is having trouble with mod security 2.

    I’d prefer to just isolate the 1 that’s having trouble and bypass the mod security rules for it rather than globally.

    Any ideas?

    Thanks
    Aaron

    Anonymous User 6488573

    (@anonymized-6488573)

    Just add the rules to virtualhosts and you’ll be fine.

    Hi Olivier I’ll investigate that, thanks for the tip. Aaron

    Hi Olivier

    I asked my host LiquidWeb to action a virtualhosts change but they didn’t know anything about it, and said it can’t be done.

    Do you have any ideas? I’m on a cPanel server running CENTOS 5.5

    Is there any documentation on this method of mod security rule changes with cPanel?

    Aaron

    Anonymous User 6488573

    (@anonymized-6488573)

    Hello Aaron,

    To be honest, mod_security should already be configured by your host if you’re on a shared hosting plan. It can break too many websites if not carefully configured.

    But in your case, they just need to paste the whole block into your vhost. It’s dead easy. You can do it yourself if you have access to the file (I’m not familiar with cPanel, I’m a Directadmin fan).

    Cheers,

    Olivier

    Hi Olivier

    I’m on a dedicated machine that liquid web manage. I still can’t believe they said this couldn’t be done. Usually they are very good support wise. Not sure what’s happening in this instance.

    I worked this out in about 1/2 hour.

    Because it’s cPanel I moved the whitelist.conf which I had built for modsecurity2 which handles globally, into the cpanel vhosts template area (which is different depending on your apache build).

    cPanel builds the httpd.conf file up from external includes. So you have to use an external include .conf file put in the right place. Look in the httpd.conf file for exactly which directory to put it in.

    In the end this was my whitelist.conf file

    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 300016
    </LocationMatch>

    <LocationMatch "/wp-admin/nav-menus.php">
    SecRuleRemoveById 300016
    </LocationMatch>

    And now it’s being run for just that one user account that for some reason had trouble with modsecurity2.

    Thanks for everyone’s input. This took me 1 week to sort out.

    I was at the point of moving this site onto another server once I’d worked out it was mod security causing my issues.

    Aaron
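As an added example (not code from this thread or from any of its posters), here is a small Python script that turns the ModSecurity 2 "Access denied" lines in the Apache error log into the narrowest exemption that still unblocks the site: the blocking rule ids are grouped per hostname and per URI and rendered as the same LocationMatch/SecRuleRemoveById blocks used throughout this thread, for one hostname only, so the output can be pasted into that site's vhost (or its cPanel per-vhost include) instead of the global whitelist.conf. The log lines, hostnames, client addresses and function names are constructed for the example; the rule ids are the ones discussed above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ModSecurity 2 error-log format (not real
# log data from the thread). Line D is a "Warning" hit that did not block
# anything, so it must not produce an exemption.
SAMPLE_LOG = """\
[Tue Nov 09 10:01:02 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/httpd/modsecurity.d/rules.conf"] [line "42"] [id "300016"] [msg "Generic PHP code injection protection"] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "A"]
[Tue Nov 09 10:01:09 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/httpd/modsecurity.d/rules.conf"] [line "43"] [id "300015"] [msg "..."] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "B"]
[Tue Nov 09 10:02:00 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:menu-item. [file "..."] [line "42"] [id "300016"] [msg "..."] [hostname "blog.example"] [uri "/wp-admin/nav-menus.php"] [unique_id "C"]
[Tue Nov 09 10:03:00 2010] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:s. [file "..."] [line "10"] [id "950006"] [msg "..."] [hostname "other.example"] [uri "/"] [unique_id "D"]
[Tue Nov 09 10:03:30 2010] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "..."] [line "42"] [id "300016"] [msg "..."] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "E"]
"""

# The bracketed key/value fields ModSecurity 2 appends to each message.
FIELD = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')
DENIED = "ModSecurity: Access denied"


def parse_denials(log_text):
    """Return one {host, uri, rule_id} dict per blocking hit.

    Warning-only hits are skipped: they did not break the site, so
    there is nothing to exempt.
    """
    events = []
    for line in log_text.splitlines():
        if DENIED not in line:
            continue
        fields = dict(FIELD.findall(line))
        if not {"id", "hostname", "uri"} <= fields.keys():
            continue  # malformed or truncated line; ignore rather than guess
        events.append({"host": fields["hostname"],
                       "uri": fields["uri"],
                       "rule_id": fields["id"]})
    return events


def group_denials(events):
    """host -> uri -> Counter(rule_id -> number of denials)."""
    grouped = defaultdict(lambda: defaultdict(Counter))
    for ev in events:
        grouped[ev["host"]][ev["uri"]][ev["rule_id"]] += 1
    return grouped


# LocationMatch takes a regular expression, so the URI is escaped and
# anchored: an unanchored "/wp-admin/post.php" would also exempt any path
# that merely contains that string.
_REGEX_META = set(r'\.^$*+?()[]{}|')


def escape_for_locationmatch(uri):
    return "".join("\\" + c if c in _REGEX_META else c for c in uri)


def render_whitelist(grouped, host):
    """Render per-URI exemptions for one hostname only."""
    lines = [f"# ModSecurity exemptions for {host}; place inside that site's",
             "# <VirtualHost> (or cPanel per-vhost include), not in the global",
             "# whitelist.conf, so other sites keep the full rule set."]
    for uri in sorted(grouped.get(host, {})):
        counts = grouped[host][uri]
        lines.append(f'<LocationMatch "^{escape_for_locationmatch(uri)}$">')
        for rule_id, n in sorted(counts.items()):
            lines.append(f"  # rule {rule_id}: {n} denial(s) observed")
        lines.append("  SecRuleRemoveById " + " ".join(sorted(counts)))
        lines.append("</LocationMatch>")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    grouped = group_denials(parse_denials(SAMPLE_LOG))
    print(render_whitelist(grouped, "blog.example"))
```

Run it against the real error log (`/usr/local/apache/logs/error_log` on a typical cPanel box) by replacing `SAMPLE_LOG` with the file contents; review each emitted id against its `[msg ...]` before pasting, since an id that fires on `/wp-admin/post.php` while you are writing a post is a false positive, but the same id firing from unknown client addresses on a front-end URI may be a real block worth keeping.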

    Anonymous User 6488573

    (@anonymized-6488573)

    I’m glad you worked it out.
    If you’re using whitelist.conf, then you’re whitelisting that rule for the whole server, but since any site running WordPress would need to be able to bypass that rule, it’s not a bad thing.

    Cheers,

    Olivier

    Yep that’s right, whitelist.conf works globally, but I wasn’t happy with that. Considering all other instances of wordpress I’ve ever had over the last 5 years have never come across this problem, I wanted the solution isolated to just this one domain.

    Hence vhosts instead of whitelist.conf

    Aaron

    Thread Starter godsofchaos

    (@godsofchaos)

    Hi Aaron, you can also use the CMC plugin if you have Cpanel as it can automatically apply custom rules according to domain/domains.

    It gives you a GUI through which you can apply the rules I mentioned along with any other rules globally/locally for domains/subdomains etc.

    It is by far the easiest way to manage Mod Security Rules and mess with it in general.

    Find It here: https://configserver.com/cp/cmc.html
