Modsecurity & WordPress REST API

Rockforduk

Hi Everyone,
Does anyone know how I can whitelist WordPress REST API URLs within Modsecurity for an app to communicate with a WordPress site? I don't really want to turn off Modsecurity for that account; I just wanted to know if this is a possibility or not.

Thanks

Rockforduk
 

kodeslogic

1.) Find the ModSec error in the Apache error logs with the following command (be sure to modify the command with your IP, replacing "1.2.23.5"):
grep ModSec /usr/local/apache/logs/error_log | grep "1.2.23.5"

2.) The output of this command will give you a list of hits for ModSecurity from you or your developer’s IP, which you can see below. While these instructions may look intimidating, you will only want to pay attention to 3 bits of information highlighted.
Note:
Orange = client, the IP which tripped the rule
Blue = ID number of tripped rule within ModSec
Green = URI, the location where the error started from
[Sat Aug 15 23:07:04.179801 2020] [:error] [pid 79117:tid 139708457797895] [client 1.2.23.5:30006] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "110"] [id "20000332"] [hostname "1.2.23.5"] [uri "/api/index.php"] [unique_id "WwjPWChxvG2DP5la-D55eQBBBDV"]

3.) Open the Easy Apache 4 configuration file:
vim /etc/apache2/conf.d/whitelist.conf

4.) Add the following text to the configuration. Remember to pay attention to the highlighted parts. Change the green “/api/index.php” to match your URI and the blue id to match the id of your error (Do not use the colon in this one).
<LocationMatch "/api/index.php">
SecRuleRemoveById 20000332
</LocationMatch>

5.) The final step for whitelisting, before you finalize the process, is to ensure you have correctly set up the whitelist. For Easy Apache 4 you will run the command:
apachectl -t

As long as the command returns "Syntax OK" you are safe to make the whitelist active by restarting Apache.

6.) Restart Apache with the following command.
/scripts/restartsrv_httpd

You have successfully whitelisted the URI in ModSec.
 
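The log reading in steps 1 and 2 and the stanza in step 4 of the post above, as an added example that is not part of the original post or of cPanel's tooling: it collects the rule ids and URIs logged for one client IP and prints one LocationMatch block per URI. The sample log lines, rule id 20000999, the 203.0.113.7 client and all function names are constructed for illustration; unlike the post's stanza, it anchors and escapes the URI so each exclusion covers only that exact path.

```python
import re
from collections import defaultdict

# Constructed sample lines in the error_log format quoted in the post above.
# Rule id 20000332 is the one from the post; 20000999 is a made-up id.
SAMPLE_LOG = """\
[Sat Aug 15 23:07:04 2020] [:error] [pid 1:tid 2] [client 1.2.23.5:30006] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "110"] [id "20000332"] [hostname "example.test"] [uri "/api/index.php"] [unique_id "constructed-1"]
[Sat Aug 15 23:07:09 2020] [:error] [pid 1:tid 2] [client 1.2.23.5:30007] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "110"] [id "20000332"] [hostname "example.test"] [uri "/wp-json/wp/v2/posts"] [unique_id "constructed-2"]
[Sat Aug 15 23:07:12 2020] [:error] [pid 1:tid 2] [client 1.2.23.5:30008] [client 1.2.23.5] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "140"] [id "20000999"] [hostname "example.test"] [uri "/wp-json/wp/v2/posts"] [unique_id "constructed-3"]
[Sat Aug 15 23:07:15 2020] [:error] [pid 1:tid 2] [client 203.0.113.7:41000] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "110"] [id "20000332"] [hostname "example.test"] [uri "/wp-login.php"] [unique_id "constructed-4"]
[Sat Aug 15 23:09:00 2020] [authz_core:error] [pid 1:tid 2] [client 1.2.23.5:30010] AH01630: client denied by server configuration: /home/user/public_html/xmlrpc.php
[Sat Aug 15 23:09:30 2020] [:error] [pid 1:tid 2] [client 1.2.23.5:30011] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "110"] [id "20000332"] [hostname "example.test"] [uri "/wp-json/wp/v2/posts"] [unique_id "constructed-5"]
"""

# Client IP (optional :port), then the first [id "..."] and [uri "..."] tags.
HIT = re.compile(
    r'\[client (?P<ip>[^\]\s]+?)(?::\d+)?\] ModSecurity: .*?'
    r'\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)

def rules_by_uri(log_text, client_ip):
    """Map each URI to the sorted rule ids that fired for client_ip."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = HIT.search(line)
        if m and m.group("ip") == client_ip:
            hits[m.group("uri")].add(int(m.group("id")))
    return {uri: sorted(ids) for uri, ids in sorted(hits.items())}

def escape_uri(uri):
    """Backslash-escape regex metacharacters so the URI matches literally."""
    return re.sub(r'([.^$*+?()\[\]{}|\\])', r'\\\1', uri)

def render_whitelist(hits):
    """Emit one anchored <LocationMatch> block per URI, as in step 4."""
    blocks = []
    for uri, ids in hits.items():
        removals = "\n".join(f"SecRuleRemoveById {i}" for i in ids)
        blocks.append(f'<LocationMatch "^{escape_uri(uri)}$">\n{removals}\n</LocationMatch>')
    return "\n".join(blocks) + "\n"

if __name__ == "__main__":
    print(render_whitelist(rules_by_uri(SAMPLE_LOG, "1.2.23.5")), end="")
```

Review the generated blocks before saving them to the whitelist file, then continue with the syntax check and restart from steps 5 and 6.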

Rockforduk

Hi kodeslogic,
Thank you for that. The issue is I need to whitelist specific URLs, if that is possible, as they are not triggering modsec in the sense of what you have posted; they are just being blocked by default. So, the app is not communicating with the WordPress site; something within the Modsecurity rules is blocking access to the REST API within WordPress. This is why I wanted to see if there was a way to whitelist the URLs as opposed to the ID etc.
 

cPanelLauren

Technical Support Community Manager
Staff member
The advice from @kodeslogic is still not wrong in this instance. You'd need to know what specifically is causing the rule match and which rule is being matched before you can really move forward.
 