OWASP mod_security breaking WordPress page save

Discussion in 'Security' started by subtopic, Sep 18, 2018.

  1. subtopic

    subtopic Member

    As soon as I enable the OWASP mod_security rules, my clients and I can't save a WordPress page edit.

    My hosting support said mod_security was blocking AJAX PHP requests, or something along those lines.

    Any suggestions?

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

  3. fuzzylogic

    fuzzylogic Well-Known Member

    Hello subtopic,
    OWASP CRS 3.2 has 29 WordPress exclusion rules in a single .conf file.
    You can view/get them at this URL: SpiderLabs/owasp-modsecurity-crs

    If you choose to use one or more of them, I recommend you change their IDs by adding your own prefix to them (such as 33 or 77).
    This is so that you can search for them in the WHM ModSecurity™ Tools » Rules List in the future, when you want to delete them (once the 3.2 version becomes available through cPanel).

    If you use more than one rule you will have to add them one at a time.

    Do not add rules 9002000, 9002001, 9002400, 9002401.
    They are only helpful when these rules are added as a complete .conf file which we can't really do through the WHM interface.
     
    cPanelMichael likes this.
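
The renumbering described in fuzzylogic's post, as an added sketch that is not part of the original thread and not cPanel or CRS code: it splits an exclusion-rules file into individual rules, leaves out the four ids that post lists, and prefixes the remaining ids so they can be found again in the Rules List. The function names and the sample rules are constructed for illustration, and dropping SecMarker lines is an assumption.

```python
import re

# Rule ids the post above says not to add one at a time through WHM.
SKIP_IDS = {"9002000", "9002001", "9002400", "9002401"}
ID_RE = re.compile(r"\bid:'?(\d+)'?")

def directives(conf_text):
    """Yield each directive as one string, joining backslash continuations."""
    buf = []
    for line in conf_text.splitlines():
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue  # blank line or comment between directives
        buf.append(line.rstrip())
        if not buf[-1].endswith("\\"):
            yield "\n".join(buf)
            buf = []

def rules_for_whm(conf_text, prefix):
    """Return the rules to paste one at a time, ids renumbered with prefix."""
    rules, in_chain, keep = [], False, True
    for d in directives(conf_text):
        if d.lstrip().startswith("SecMarker"):
            continue  # no rule id to renumber; assumed needed only by skip rules
        if in_chain:
            if keep:
                rules[-1] += "\n" + d  # a chained rule stays with its parent
        else:
            m = ID_RE.search(d)
            if m is None:
                raise ValueError("directive without an id: " + d.splitlines()[0])
            keep = m.group(1) not in SKIP_IDS
            if keep:
                rules.append(ID_RE.sub(f"id:{prefix}{m.group(1)}", d, count=1))
        flat = re.sub(r"\\\n\s*", "", d)  # undo continuations to inspect actions
        in_chain = re.search(r'[,"]chain[,"]', flat) is not None
    return rules

# Constructed sample input, NOT the real CRS exclusion file.
SAMPLE = r'''
SecRule &TX:crs_exclusions_wordpress "@eq 0" \
    "id:9002000,phase:1,pass,t:none,nolog,skipAfter:END-WORDPRESS"
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:9002100,phase:2,pass,nolog,ctl:ruleRemoveTargetById=941100;ARGS:pwd"
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
    "id:9002130,phase:2,pass,nolog,chain"
    SecRule ARGS:action "@streq editpost" \
        "ctl:ruleRemoveTargetById=941100;ARGS:content"
SecMarker "END-WORDPRESS"
'''
```

Calling `rules_for_whm(SAMPLE, "33")` returns two rule texts, each ready to be added separately; the chained rule travels with its parent so the pair is pasted as one rule.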
  4. subtopic

    subtopic Member

    That's awesome! Thank you @fuzzylogic. This logic doesn't sound fuzzy lol.

    But I can add that entire file as a .conf file by manually pasting it into
    Code:
    /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules
    as a file called

    Code:
    REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
    without having to remove the rules you mentioned, correct?

    I already modified crs-setup.conf with this line:

    Code:
    SecAction "id:900130,phase:1,nolog,pass,t:none, setvar:tx.crs_exclusions_wordpress=1"
    Then all the OWASP rules should work while not breaking WordPress, correct?
     
  5. subtopic

    subtopic Member

    Unfortunately I did all that, and when OWASP is enabled I am still having trouble saving pages I edit within the visual builder in the Divi theme.
     