modsecurity breaks Wordpress

WholesaleDialup

Fresh DA server install on AlmaLinux.

I followed this guide as part of my task to secure the new server:

Regarding item number 8:
  1. Enable mod_security. See the CustomBuild FAQ for available rulesets and options.

I did enable mod_security, but any form submissions inside the only website which is using WordPress on this server fail and generate errors similar to the one shown below UNLESS I disable modsecurity for the domain in question.

I would prefer to leave it on for obvious reasons, but I am not sure how to make changes to mod_security to allow form submissions in WordPress to work while leaving mod_security on for the domain. Thanks in advance for any advice on this; it's been a while since I set up a new DA server. Trying to keep things as secure as possible and of course that doesn't go well with ease of use or convenience LOL.


Error from log:
[Thu Oct 14 19:29:02.215562 2021] [:error] [pid 302331:tid 140119856326400] [client <IP HIDDEN>:50869] [client <IP HIDDEN>] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(?:[\\"'`](?:;?\\\\s*?(?:having|select|union)\\\\b\\\\s*?[^\\\\s]|\\\\s*?!\\\\s*?[\\"'`\\\\w])|(?:c(?:onnection_id|urrent_user)|database)\\\\s*?\\\\([^\\\\)]*?|u(?:nion(?:[\\\\w(\\\\s]*?select| select @)|ser\\\\s*?\\\\([^\\\\)]*?)|s(?:chema\\\\s*?\\\\([^\\\\)]*?|elect.*?\\\\w?user\\\\()|in ..." at ARGS:formData. [file "/etc/modsecurity.d/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "183"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: \\x22Select a found within ARGS:formData: {\\x22id\\x22:\\x226\\x22,\\x22fields\\x22:{\\x2225\\x22:{\\x22value\\x22:\\x22\\x22,\\x22id\\x22:25},\\x2226\\x22:{\\x22value\\x22:\\x22Todd\\x22,\\x22id\\x22:26},\\x2227\\x22:{\\x22value\\x22:\\x22Routhier\\x22,\\x22id\\x22:27},\\x2228\\x22:{\\x22value\\x22:\\x22210-245-4900\\x22,\\x22id\\x22:28},\\x2229\\x22:{\\x22value\\x22:\\x22<EMAIL HIDDEN>\\x22,\\x22id\\x22:29},\\x2230\\x22:{\\x22value\\x22:\\x22\\x22,\\x22id\\x22:30},\\x2231\\x22:{\\x22value\\x22:\\x22\\x22,\\x22id\\x22:31},\\x2232\\x22:{\\x22value\\x..."] [se [hostname "<HOSTNAMEHIDDEN"] [uri "/wp-admin/admin-ajax.php"] [unique_id "YWiE_l5XD5Z0ctpf0rfauQAAUBI"], referer:<REFERRER HIDDEN>
 
There is a GUI form where you can exclude the rule that was triggered in ModSecurity. See this screenshot with the steps:

1634524349242.png

1) Go to the ModSecurity UI and click on the Log tab.
2) Find your client IP that triggered the rule and look at the similar Request Line. Copy the Rule ID (in your case I saw the rule ID is 942190).
3) Then go to the Status & Disabled Rules tab.
4) Paste the Rule ID in this form:

1634524483050.png

5) Click DISABLE RULE
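
Disabling rule 942190 as in the steps above switches that SQL injection check off for every parameter; a narrower option is a runtime exclusion that removes only ARGS:formData from the rule on /wp-admin/admin-ajax.php. The following is an added example, not part of the original posts or of DirectAdmin: it parses denials in the log format quoted in this thread and builds such a rule with ModSecurity's ctl:ruleRemoveTargetById action. The sample log lines, the local rule id 10001 and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines shaped like the error-log entry quoted in the thread
# (shortened; client address, hostname and unique_id values are made up).
DENIAL = (
    '[Thu Oct 14 19:29:02 2021] [:error] [client 192.0.2.10] ModSecurity: Access '
    'denied with code 406 (phase 2). Pattern match "(?i:...)" at ARGS:formData. '
    '[file "/etc/modsecurity.d/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "183"] [id "942190"] [msg "..."] [hostname "example.test"] '
    '[uri "/wp-admin/admin-ajax.php"] [unique_id "CONSTRUCTED"]'
)
SAMPLE_LOG = [DENIAL, DENIAL, "[Thu Oct 14 19:40:00 2021] [core:info] unrelated line"]

TARGET_RE = re.compile(r'" at (\S+?)\. \[file ')
FIELD_RE = re.compile(r'\[(id|uri) "([^"]*)"\]')

def parse_denials(lines):
    """Count (rule id, matched variable, URI) triples among ModSecurity denials."""
    hits = Counter()
    for line in lines:
        target = TARGET_RE.search(line)
        fields = dict(FIELD_RE.findall(line))
        if "ModSecurity: Access denied" in line and target and {"id", "uri"} <= fields.keys():
            hits[(fields["id"], target.group(1), fields["uri"])] += 1
    return hits

def scoped_exclusion(rule_id, target, uri, local_id=10001):
    """Build a runtime exclusion dropping one variable from one rule on one path.

    Log fields are client-influenced, so values outside a strict allowlist are
    refused instead of being written into a config line. local_id is an assumed
    unused rule id.
    """
    if not (re.fullmatch(r"\d+", rule_id)
            and re.fullmatch(r"[A-Z_]+(:[\w.-]+)?", target)
            and re.fullmatch(r"/[\w./-]*", uri)):
        raise ValueError("refusing to template unvalidated log data into a rule")
    return (f'SecRule REQUEST_URI "@beginsWith {uri}" '
            f'"id:{local_id},phase:1,pass,nolog,'
            f'ctl:ruleRemoveTargetById={rule_id};{target}"')

if __name__ == "__main__":
    for (rid, target, uri), n in parse_denials(SAMPLE_LOG).items():
        print(f"# {n} denial(s): rule {rid} on {target} at {uri}")
        print(scoped_exclusion(rid, target, uri))
```

A runtime exclusion like this has to be loaded before the CRS rule files; where custom rules belong on a DirectAdmin server is not covered in this thread.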
 
Awesome! Thanks so much for this. I wasn't finding this GUI because I was not really using the Evolution skin. I changed the skin, wondering if it was in there and sure enough, I found it. Thanks for your help!
 

Some features they made available to the Evolution skin first, and you could not find them with other skins. For example, currently the Remote DNS Providers with Let's Encrypt feature can only be used on the Evolution skin. https://docs.directadmin.com/webser...#lego-remote-dns-providers-with-let-s-encrypt

So right now I think it is best to use the standard Evolution skin to have the complete features in the UI.
 