OWASP mod_security breaking Wordpress page save

[subtopic]

As soon as I enable the OWASP mod_security rules, my clients or myself can't save a Wordpress page edit.

My hosting support said mod_security was blocking ajax php requests, or something along those lines.

Any suggestions?

Thanks!

 

[cPanelMichael]

Hello @subtopic,

Here's a thread with helpful discussion on this topic:

Issues with modsecurity OWASP and false positives.

Let me know if this points you in the right direction.

Thanks!

 

[fuzzylogic]

Hello subtopic,
OWASP CRS 3.2 has 29 WordPress exclusion rules in a single .conf file.
You can view/get them at this url SpiderLabs/owasp-modsecurity-crs

If you choose to use one or more of them I recommend you change their ids by adding your own prefix to them (such as 33 or 77)
This is so that you can search for them, in the WHM ModSecurity™ Tools » Rules List, in the future when you want to delete them (once the 3.2 version becomes available through cPanel)

If you use more than one rule you will have to add them one at a time.

Do not add rules 9002000, 9002001, 9002400, 9002401.
They are only helpful when these rules are added as a complete .conf file which we can't really do through the WHM interface.

 

[subtopic]

That's awesome! Thank you @fuzzylogic. This logic doesn't sound fuzzy lol.

But I can add that entire file as a .conf file by manually pasting it into

/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules

as a file called

REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

without having to remove the rules you mentioned correct?

I already modified crs-setup.conf with this line

SecAction "id:900130,phase:1,nolog,pass,t:none, setvar:tx.crs_exclusions_wordpress=1"

Then all the OWASP rules should work while not breaking Wordpress correct?

 

[subtopic]

Unfortunately I did all that, and when OWASP is enabled I still am having saving pages I edit within the visual builder in the Divi theme.