Mod_Security For WordPress

A related post: https://www.pablumfication.co.uk/2010/02/05/wordpress-apache-mod_security/

Thanks for the head up!

I have included the Google Robot Activity exception now and also added a few experimental exceptions to make 2 plugins (Fancybox for WordPress & Wp-Recaptcha) work.

Lastly, still messing around with the TimThumb.php (or thumb.php) script and mod_security conflict issue. Integrated the Hostgator exceptions and a few other general exceptions to that script particularly. Simply change the part that says YOUR_THEME to your active theme’s folder name so that the full address denotes to the timthumb or thumb.php file directly.

<LocationMatch "/">
SecRuleRemoveById 910006
SecRuleRemoveById 960015
</LocationMatch>

<LocationMatch "/wp-admin/post.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/page.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/options.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/theme-editor.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/plugins/wp-recaptcha/">
  SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/plugins/fancybox-for-wordpress/">
  SecRuleRemoveById 960010 960012 950006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-includes/">
  SecRuleRemoveById 960010 960012 950006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/themes/YOUR_THEME/thumb.php">
  SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

Another update:

For the Sociable plugin fix if you are experiencing any errors that is:

<LocationMatch “/wp-content/plugins/sociable/”>
SecRuleRemoveById 960010 960012 950006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

Another quick update: this is what is presently what I am using on my vps for mod_security.

<LocationMatch "/wp-admin/post.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/page.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/options.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/theme-editor.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/plugins/">
  SecRuleRemoveById 300015 340151 1234234 340153 1234234 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-includes/">
  SecRuleRemoveById 960010 960012 950006 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/themes/">
  SecRuleRemoveById 340151 340153 1234234 950006 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/plugins/sociable/">
SecRuleRemoveById 960010 960012 950006 959006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch> 

<LocationMatch "/wp-content/plugins/wp-recaptcha/">
  SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/plugins/fancybox-for-wordpress/">
  SecRuleRemoveById 960010 960012 950006 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch “/wp-includes/js/tinymce/plugins/spellchecker/rpc.php”>
SecRuleRemoveById 960010
SecRuleRemoveById 960012
SecRuleRemoveById 959006
</LocationMatch>

<LocationMatch "/wp-content/themes/YOUR_THEME/thumb.php">
  SecRuleRemoveById 340151 340153 1234234 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

You don’t seem to have been affected by any of the 97xxxx rules, maybe it only applies to WP Networks…

Hi Thank you for sharing that. Very helpful.

However this change affects the whole server.

Is there a what to identify just the one website account that is having problems with modsecurity.

I have a few wordpress sites on the same server, and only 1 of them is having trouble with mod security 2.

I’d prefer to just isolate the 1 that’s having trouble and bypass the mod security rules for it rather than globally.

Any ideas?

Thanks
Aaron

Just add the rules to virtualhosts and you’ll be fine.

Hi Olivier I’ll investigate that, thanks for the tip. Aaron

Hi Olivier

I asked my host LiquidWeb to action a virtualhosts change but they didn’t know anything about it, and said it can’t be done.

Do you have any ideas. I’m on a cPanel server running CENTOS 5.5

Is there any documentation on this method of mod security rule changes with cPanel?

Aaron

Hello Aaron,

To be honest, mod_security should already be configured by your host if you’re on a shared hosting plan. It can break too many websites if not carefully configured.

But in your case, they just need to paste the whole block into your vhost. It’s dead easy. You can do it yourself if you have access to the file (I’m not familiar with cPanel, I’m a Directadmin fan).

Cheers,

Olivier

Hi Olivier

I’m on a dedicated machine that liquid web manage. I still can’t believe they said this couldn’t be done. Usually they are very good support wise. Not sure what happening in this instance.

I worked this out in about 1/2 hour.

Because it’s cPanel I moved the whitelist.conf which I had built for modsecurity2 which handles globally, into the cpanel vhosts template area (which is different depending on your apache build)

cPanel builds the httpd.conf file up from external includes. So you have to use an external include .conf file put in the right place. Look in the httpd.conf file for exactly which directory to put it in.

In the end this was my whitelist.conf file

<LocationMatch “/wp-admin/post.php”>
SecRuleRemoveById 300016
</LocationMatch>

<LocationMatch “/wp-admin/nav-menus.php”>
SecRuleRemoveById 300016
</LocationMatch>

And now it’s being run for just that one user account that for some reason had trouble with modsecurity2.

Thanks for everyones input. This took me 1 week to sort out.

I was at the point of moving this site onto another server once I’d worked out it was mod security causing my issues.

Aaron

I’m glad you worked it out ??
If you’re using whitelist.conf, then you’re whitelisting that rule for the whole server, but since any since running WordPress would need to be able to bypass that rule, it’s not a bad thing.

Cheers,

Olivier

Yep that’s right, whitelist.conf works globally, but I wasn’t happy with that. Considering all other instances of wordpress I’ve ever had over the last 5 years have never come across this problem, I wanted the solution isolated to just this one domain.

Hence vhosts instead of whitelist.conf

Aaron

Hi Aaron, you can also use the CMC plugin if you have Cpanel as it can automatically apply custom rules according to domain/domains.

It gives you a GUI through which you can apply the rules I mentioned along with any other rules globally/locally for domains/subdomains etc.

It is by far the easiest way to manage Mod Security Rules and mess with it in general. ??

Find It here: https://configserver.com/cp/cmc.html