Modsec & Wordpress

Discussion in 'Security' started by Rockforduk, May 13, 2016.

  1. Rockforduk

    Rockforduk Member

    Hi Everyone,
    I have moved to a new server and my Modsec is playing havoc with my Wordpress websites. I have whitelisted an awful lot of rules but one in particular is causing a problem. I use the Wordpress App on my phone to update my blog but Modsec is still blocking it even after I have whitelisted the rule. How can I fix this, please?

    240335 [13/May/2016:23:41:29 +0100]
    Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "1204"] [id "240335"] [rev "3"] [msg "COMODO WAF: XML-RPC Attack Identified from My IP Address (+1 hits since last alert) (CVE-2013-0235)"]


    Request: POST /xmlrpc.php
    Action Description: Access denied with code 403 (phase 2).
    Justification: Operator EQ matched 0 at IP.

    Any help would be much appreciated on this.

    Thanks

    Rockforduk
     
  2. quizknows

    quizknows Well-Known Member

    I'm wondering if that rule is overly restrictive on xmlrpc.php. Since xmlrpc.php is so heavily attacked I would not be surprised.

    Also, it is possible that IP data is logged in /var/cpanel/secdatadir/ip.dir and ip.pag. If those files exist you can clear temp data by deleting them and restarting apache. This will reset counts on brute force based rules.

    Taking a look at the 32_Apps_OtherApps.conf file, there is a section for xmlrpc but I don't see how it accounts for legitimate requests. Mind you I'm only taking a quick look at it, however, you may need to whitelist some other rule IDs.

    Sadly since you're on a phone I'm assuming you don't have a static IP address. It would be safer / more preferable to do an IP based whitelist but that is probably not an option.

    If it were me, I would whitelist the rules 240334 and 240336 as well, clear out ip.dir / ip.pag, restart apache, and see where that gets you.
     
    #2 quizknows, May 16, 2016
    Last edited: May 16, 2016
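
Before whitelisting further rule IDs as suggested in the reply above, it helps to tally which rules are actually denying requests to xmlrpc.php. The following is an added example, not part of any post in this thread: it assumes the ModSecurity 2.x Apache error-log line format, and the sample lines (client IPs, hostname, message texts and rule id 999001) are constructed.

```python
import re
from collections import Counter

# Matches ModSecurity 2.x metadata tags such as [id "240335"]; \" may appear inside a value.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines (assumed ModSecurity 2.x error-log format).
# Client IPs, hostname, msg texts and rule id 999001 are placeholders.
SAMPLE_LOG = r'''
[Fri May 13 23:41:29 2016] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "1204"] [id "240335"] [rev "3"] [msg "COMODO WAF: XML-RPC Attack Identified"] [hostname "blog.example"] [uri "/xmlrpc.php"]
[Fri May 13 23:41:31 2016] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [id "240335"] [msg "COMODO WAF: XML-RPC Attack Identified"] [hostname "blog.example"] [uri "/xmlrpc.php"]
[Fri May 13 23:42:02 2016] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [id "240336"] [msg "constructed \"placeholder\" message"] [hostname "blog.example"] [uri "/xmlrpc.php"]
[Fri May 13 23:42:05 2016] [error] [client 203.0.113.7] ModSecurity: Warning. Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [id "240334"] [msg "constructed message"] [hostname "blog.example"] [uri "/xmlrpc.php"]
[Fri May 13 23:43:10 2016] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "999001"] [msg "constructed message"] [hostname "blog.example"] [uri "/wp-login.php"]
[Fri May 13 23:44:00 2016] [notice] caught SIGTERM, shutting down
'''

def parse_hit(line):
    """Return the tag dict for one ModSecurity log line, or None if it is not one."""
    if "ModSecurity:" not in line:
        return None
    tags = {key: value.replace('\\"', '"') for key, value in TAG_RE.findall(line)}
    # "Warning." lines are logged but not blocked; only "Access denied" lines are.
    tags["blocked"] = "Access denied" in line
    return tags if "id" in tags else None

def blocking_rules(log_text, uri):
    """Count, per rule id, the requests to `uri` that ModSecurity denied."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit and hit["blocked"] and hit.get("uri") == uri:
            counts[hit["id"]] += 1
    return counts

if __name__ == "__main__":
    for rule_id, hits in blocking_rules(SAMPLE_LOG, "/xmlrpc.php").most_common():
        print(rule_id, hits)
```

Run against the real error log, the output lists only the rule IDs that blocked the given URI, so rules that merely logged a warning or fired on other paths are not whitelisted unnecessarily.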
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Feel free to update this thread with the outcome after trying the solution suggested by quizknows in the previous response.

    Thank you.
     