• Resolved crzyhrse

    (@crzyhrse)


    I’ve had to remove this plugin, not working since modsec rules were updated on one server/host one of my sites is on… getting a 404 when I try to go to it…

    Here is some of the exchange with server folks, edited…

    The health check plugin was triggering ModSecurity for “mssql SQL Information Leakage.” The only way to allow it was to disable that rule for the specific path.

    No fix…

    Try again please. I got rid of the page=health-check, in case it refused to acknowledge the dynamic URL.

    No fix…

    These servers use latest EA4 with mod_ruid2, which is a configuration that is not compatible with mod_security old OWASP CRS, and now not even compatible with Comodo CRS. https://github.com/SpiderLabs/ModSecurity/issues/1334

    The only option is to either disable ruid2 (not going to do that), or use OWASP3 CRS which is very strict to the point of being somewhat paranoid, along with some custom tweaks to configuration and, in your case, rule whitelisting.

    Rather than do all this and diminish ModSec further I will pull the plugin…

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Marius L. J.

    (@clorith)

    Hi there,

    Sorry to hear this, do you mind if I ask which host this is in relation to, as that rule shouldn’t be able to trigger at all for WordPress as it never touches MSSQL (that’s a Microsoft thing, not supported at all by WordPress, and never used by either this plugin, or WordPress)?

    I’d love to reach out to them and go through this rule with them, as if that’s blocking the plugin, it is likely to be blocking legitimate functionality in WP as well.

    Thread Starter crzyhrse

    (@crzyhrse)

    Hi Marius, Sure, it is 12Wonder – https://www.12wonder.com/

    • This reply was modified 6 years, 9 months ago by Samuel Wood (Otto). Reason: rm email address
    Thread Starter crzyhrse

    (@crzyhrse)

    Hi Marius,

    I revisited this, being curious and hoping to have Health Check working on this site… But it remains the same issue, standard site “404 not found” page when clicking… Yet only with this host, sites on another hosting service (Radiant Solutions) that my reseller account is with have no issues with Health Check… Am curious if you ever had time and inclination to follow this up…

    And in case it is helpful, I am using the SEO Redirection Premium plugin on most of my sites including this one now that it is live… Right about the time I attempted to access Health Check on this site after it was activated, within a period of less than 4 seconds according to the log, these errors were noted in the plugin’s 404 Manager>Discovered 404 Errors log area…

    /wp-admin/index.php?page=health-check
    /wp-admin/?page=health-check
    /wp-admin/undefined

    Kind regards,
    John.

    Thread Starter crzyhrse

    (@crzyhrse)

    They are not telling me exactly what they have done, it seems maybe written an exception rule, but some changes here this morning have enabled Health Check for the site… Regards _/\_
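
The thread mentions disabling the "mssql SQL Information Leakage" rule for the specific path. The following is an added example of such a scoped ModSecurity exclusion, not the host's actual configuration and not part of any post above. It assumes OWASP CRS 3.x (where the rule with that message is 951220; other rule sets such as Comodo use different ids, so take the id from the audit log), WordPress installed at the web root, and an unused local rule id 1000100.

```apache
# Added example. Assumptions: OWASP CRS 3.x rule 951220 is the rule that fired,
# WordPress lives at the web root, and 1000100 is a free local rule id.

# Broad form (shown for contrast, left commented out): removes the response
# inspection for every URL on the vhost. If used, it is loaded AFTER the
# CRS include.
# SecRuleRemoveById 951220

# Scoped form: skip the rule only for the Health Check admin screen.
# Loaded BEFORE the CRS include so the ctl action is set in phase 1,
# ahead of the phase 4 response-body rule it switches off.
# The regex covers both URL shapes seen in the 404 log in this thread:
#   /wp-admin/index.php?page=health-check
#   /wp-admin/?page=health-check
SecRule REQUEST_FILENAME "@rx ^/wp-admin/(?:index\.php)?$" \
    "id:1000100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule ARGS_GET:page "@streq health-check" \
        "t:none,\
        ctl:ruleRemoveById=951220"
```

Matching on the `page` argument as well as the path keeps the rule active for the rest of `/wp-admin/`, so only the one screen loses the response-body check.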

  • The topic ‘Had to remove this plugin…’ is closed to new replies.