How To Fix WordPress and Mod Security 2
Recently my website was moved to a new web server, and in the process the server software was upgraded, which broke some parts of my site. It took a bit of digging, but in the end I worked out that the problem lay with Mod Security – a server plugin that improves security but can sometimes inadvertently break features.
The problems I had were twofold.
- Elements of WordPress stopped functioning, in particular creating and editing WordPress posts, and uploading images or media.
- My BBPress forum (on Pro Theme Design) started having problems with posting replies.
The big thing that confused me is that only certain word combinations caused issues, which meant that the error was inconsistent. As I mentioned above, the problem was with Mod Security.
Mod Security (modsec)
The whole idea behind Mod Security is that it has a series of rules that are applied when different things happen on your website. When these things happen it will run through its rules and make sure that nothing bad is happening. This is great in theory, but it relies on the fact that you don’t do certain things, and these are things that some dynamic systems need to do.
However, these rules can be disabled on a per script basis, and this formed the grounding for my fix. The way to fix the issue was to disable certain rules for certain scripts on the site, thus allowing the desired behaviors to occur.
Editing Mod Security
I am not a server guru, so this took me a bit of hunting down, but eventually I worked out that on my server I could edit the files found in ‘/usr/local/apache/conf/modsec2’ so that they do what I want. My solution was to edit ‘exclude.conf’.
Note that the location of the Mod Sec files for your server may well be different. If you are on shared hosting you may not have access to them. Most hosts will edit this stuff for you so I would suggest talking to your tech support if you’re not sure about something.
The issues with WordPress were on the admin side. I was unable to upload photos using the media editor and I was sometimes unable to edit posts and pages. My fix was to add the following rules to exclude.conf as mentioned above.
    <LocationMatch "/wp-admin/admin-ajax.php">
        SecRuleRemoveById 300013
        SecRuleRemoveById 300015
        SecRuleRemoveById 300016
        SecRuleRemoveById 300017
    </LocationMatch>
    <LocationMatch "/wp-admin/page.php">
        SecRuleRemoveById 300013
        SecRuleRemoveById 300015
        SecRuleRemoveById 300016
        SecRuleRemoveById 300017
    </LocationMatch>
    <LocationMatch "/wp-admin/post.php">
        SecRuleRemoveById 300013
        SecRuleRemoveById 300015
        SecRuleRemoveById 300016
        SecRuleRemoveById 300017
    </LocationMatch>
The problem with BBPress is that posting replies didn’t always work – it was causing a server error 500. It took me a while to realise ModSec was the issue with BBPress, and unfortunately the rules are not exactly the same as for WordPress.
    <LocationMatch "/bb-post.php">
        SecRuleRemoveById 300013
        SecRuleRemoveById 300015
        SecRuleRemoveById 300016
        SecRuleRemoveById 300017
    </LocationMatch>
Include the whitelist in the modsec2.conf file here – “/usr/local/apache/conf/modsec2.conf”
Restart Apache (I used the links in my server control panel for this), and you’re done.
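An added example, not part of the original post: a short Python script that reads ModSecurity 2 "Access denied" entries from the Apache error log and generates exclusions only for the rule IDs that actually blocked each script, so no rule is switched off unnecessarily. The log lines are constructed samples, and the function names and the allow-list of paths are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache error-log format that ModSecurity 2
# writes for blocked requests; timestamps, IPs and messages are made up.
SAMPLE_LOG = """\
[Tue Mar 05 10:12:01 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 500 (phase 2). [id "300016"] [msg "constructed sample"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "c1"]
[Tue Mar 05 10:13:40 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 500 (phase 2). [id "300013"] [msg "constructed sample"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "c2"]
[Tue Mar 05 10:15:02 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 500 (phase 2). [id "300015"] [msg "constructed sample"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "c3"]
[Tue Mar 05 10:16:30 2013] [error] [client 198.51.100.9] ModSecurity: Access denied with code 500 (phase 2). [id "300017"] [msg "constructed sample"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "c4"]
[Tue Mar 05 10:17:11 2013] [error] [client 203.0.113.7] ModSecurity: Warning. [id "300017"] [msg "constructed sample"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "c5"]
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')

def denied_rules_by_uri(log_text):
    """Map each request path to the set of rule IDs that denied it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # warnings did not block anything, so they need no exclusion
        rule, uri = ID_RE.search(line), URI_RE.search(line)
        if rule and uri:
            path = uri.group(1).split("?", 1)[0]  # drop any query string
            hits[path].add(rule.group(1))
    return hits

def build_exclusions(hits, allowed_paths):
    """Emit anchored LocationMatch blocks, only for paths you chose to whitelist."""
    out = []
    for path in sorted(hits):
        if path not in allowed_paths:
            continue  # a block on any other path is left in force
        out.append('<LocationMatch "^%s$">' % re.escape(path))
        out.extend("    SecRuleRemoveById %s" % r
                   for r in sorted(hits[path], key=int))
        out.append("</LocationMatch>")
    return "\n".join(out)

if __name__ == "__main__":
    # Hypothetical allow-list: the scripts the post identified as broken.
    allowed = {"/wp-admin/post.php", "/wp-admin/admin-ajax.php", "/bb-post.php"}
    print(build_exclusions(denied_rules_by_uri(SAMPLE_LOG), allowed))
```

Paths outside the allow-list, such as the blocked request to /wp-login.php in the sample, never get an exclusion, and the anchored, escaped pattern keeps each exclusion from matching other URLs that merely contain the script name.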