OWASP mod_security breaking Wordpress page save

subtopic

Member
Aug 30, 2018
16
1
3
95050
cPanel Access Level
Root Administrator
As soon as I enable the OWASP mod_security rules, my clients or myself can't save a Wordpress page edit.

My hosting support said mod_security was blocking ajax php requests, or something along those lines.

Any suggestions?

Thanks!
 

fuzzylogic

Well-Known Member
Nov 8, 2014
154
95
78
cPanel Access Level
Root Administrator
Hello subtopic,
OWASP CRS 3.2 has 29 WordPress exclusion rules in a single .conf file.
You can view/get them at this url SpiderLabs/owasp-modsecurity-crs

If you choose to use one or more of them I recommend you change their ids by adding your own prefix to them (such as 33 or 77)
This is so that you can search for them, in the WHM ModSecurity™ Tools » Rules List, in the future when you want to delete them (once the 3.2 version becomes available through cPanel)

If you use more than one rule you will have to add them one at a time.

Do not add rules 9002000, 9002001, 9002400, 9002401.
They are only helpful when these rules are added as a complete .conf file which we can't really do through the WHM interface.
 
  • Like
Reactions: cPanelMichael

subtopic

Member
Aug 30, 2018
16
1
3
95050
cPanel Access Level
Root Administrator
That's awesome! Thank you @fuzzylogic. This logic doesn't sound fuzzy lol.

But I can add that entire file as a .conf file by manually pasting it into
Code:
/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules
as a file called

Code:
REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
without having to remove the rules you mentioned correct?

I already modified crs-setup.conf with this line

Code:
SecAction "id:900130,phase:1,nolog,pass,t:none, setvar:tx.crs_exclusions_wordpress=1"
Then all the OWASP rules should work while not breaking Wordpress correct?