
Modsec & Wordpress

Discussion in 'Security' started by Rockforduk, May 13, 2016.

  1. Rockforduk

    Rockforduk Member

    May 5, 2016
    cPanel Access Level:
    Root Administrator
    Hi Everyone,
    I have moved to a new server and my Modsec is playing havoc with my Wordpress websites. I have whitelisted an awful lot of rules, but one in particular is causing a problem. I use the Wordpress App on my phone to update my blog, but Modsec is still blocking it even after I have whitelisted the rule. How can I fix this, please?

    240335 [13/May/2016:23:41:29 +0100]
    Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "1204"] [id "240335"] [rev "3"] [msg "COMODO WAF: XML-RPC Attack Identified from My IP Address (+1 hits since last alert) (CVE-2013-0235)"]

    Request: POST /xmlrpc.php
    Action Description: Access denied with code 403 (phase 2).
    Justification: Operator EQ matched 0 at IP.

    Any help would be much appreciated on this.


  2. quizknows

    quizknows Well-Known Member

    Oct 20, 2009
    cPanel Access Level:
    DataCenter Provider
    I'm wondering if that rule is overly restrictive on xmlrpc.php. Since xmlrpc.php is so heavily attacked I would not be surprised.

    Also, it is possible that IP data is logged in /var/cpanel/secdatadir/ip.dir and ip.pag. If those files exist you can clear temp data by deleting them and restarting Apache. This will reset counts on brute force based rules.

    Taking a look at the 32_Apps_OtherApps.conf file, there is a section for xmlrpc but I don't see how it accounts for legitimate requests. Mind you I'm only taking a quick look at it, however, you may need to whitelist some other rule IDs.

    Sadly since you're on a phone I'm assuming you don't have a static IP address. It would be safer / more preferable to do an IP based whitelist but that is probably not an option.

    If it were me, I would whitelist the rules 240334 and 240336 as well, clear out ip.dir / ip.pag, restart Apache, and see where that gets you.
    #2 quizknows, May 16, 2016
    Last edited: May 16, 2016
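
Added example, not part of the posts above and not taken from the cPanel or COMODO configuration: two ways to scope the whitelist discussed in post #2 with ModSecurity 2.x directives, assuming they are loaded after the COMODO rule files. The address 203.0.113.10 and the rule ID 1000001 are constructed placeholders.

```apache
# Rule IDs 240334, 240335 and 240336 are the ones named in this thread.

# Option 1: path-scoped removal.
# The three rules are skipped only for requests to xmlrpc.php and stay
# active for every other URL, unlike a server-wide SecRuleRemoveById.
<LocationMatch "/xmlrpc\.php$">
    SecRuleRemoveById 240334 240335 240336
</LocationMatch>

# Option 2: source-scoped removal, for a client with a static address.
# 203.0.113.10 (documentation range) and id 1000001 are assumptions; pick a
# local ID that does not collide with any installed rule set.
# The rule runs in phase 1, ahead of the phase 2 denial shown in the log
# in post #1, and drops the rules for the current transaction only.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:1000001,phase:1,pass,nolog,\
    ctl:ruleRemoveById=240334,\
    ctl:ruleRemoveById=240335,\
    ctl:ruleRemoveById=240336"
```

Use one option or the other; after a change, `apachectl configtest` confirms the directives parse before Apache is restarted.
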
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator

    Feel free to update this thread with the outcome after trying the solution suggested by quizknows in the previous response.

    Thank you.
