How To Fix WordPress and Mod Security 2

Recently my website was moved to a new web server, and in the process the server software was upgraded, and it broke some parts of my site. It took a bit of digging but in the end I worked out that the problem lay with Mod Security – a server plugin that improves security but can sometimes inadvertently break features.

The problems I had were twofold.

  1. Elements of WordPress stopped functioning. In particular, creating and editing WordPress posts, and uploading images or media, stopped functioning.
  2. My BBPress forum (on Pro Theme Design) started having problems with posting replies.

The big thing that confused me is that only certain word combinations caused issues, which meant that the error was inconsistent. As I mentioned above, the problem was with Mod Security.

Mod Security (modsec)

The whole idea behind Mod Security is that it has a series of rules that are applied when different things happen on your website. When these things happen it will run through its rules and make sure that nothing bad is happening. This is great in theory but it relies on the fact that you don’t do certain things, and these are things that some dynamic systems need to do.

However, these rules can be disabled on a per script basis, and this formed the grounding for my fix. The way to fix the issue was to disable certain rules for certain scripts on the site, thus allowing the desired behaviors to occur.

Editing Mod Security

I am not a server guru so this took me a bit of hunting down, but eventually I worked out that, on my server, I could edit the files found in ‘/usr/local/apache/conf/modsec2’ so that they do what I want. My solution was to edit ‘exclude.conf’.

Note that the location of the Mod Sec files for your server may well be different. If you are on shared hosting you may not have access to them. Most hosts will edit this stuff for you so I would suggest talking to your tech support if you’re not sure about something.

Fixing WordPress

The issues with WordPress were on the admin side. I was unable to upload photos using the media editor and I was sometimes unable to edit posts and pages. My fix was to add the following rules to exclude.conf as mentioned above.

<LocationMatch "/wp-admin/admin-ajax.php">
# In OWASP CRS 3.x, 949110 and 980130 are the inbound anomaly-score blocking
# and reporting rules, so removing them turns off CRS blocking for this path.
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
SecRuleRemoveById 949110
SecRuleRemoveById 980130
</LocationMatch>

<LocationMatch "/wp-admin/page.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
SecRuleRemoveById 949110
SecRuleRemoveById 980130
</LocationMatch>

<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
SecRuleRemoveById 949110
SecRuleRemoveById 980130
</LocationMatch>

Fixing BBPress

The problem with BBPress is that posting replies didn’t always work – it was causing a server error 500. It took me a while to realise ModSec was the issue with BBPress, and unfortunately the rules are not exactly the same as for WordPress.

<LocationMatch "/bb-post.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</LocationMatch>

Include the whitelist in the modsec2.conf file (“/usr/local/apache/conf/modsec2.conf”) by adding this line:

Include "/usr/local/apache/conf/modsec2.user.conf"

Restart Apache (I used the links in my server control panel for this). And you’re done 🙂
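To keep the exclusions limited to the rules that actually fired on each script, the rule IDs can be read out of the `[id "..."]` and `[uri "..."]` tags ModSecurity 2 writes to the Apache error log. The script below is an added example, not part of the original post: the log lines are constructed samples, the function names are hypothetical, and it emits anchored, escaped patterns, which are narrower than the unanchored ones used above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2 error-log style; the client
# addresses, messages, rule file path and unique_ids are made up.
SAMPLE_LOG = """\
[Mon Jan 09 10:12:01 2017] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(constructed)" at ARGS:content. [file "/path/to/rules.conf"] [line "210"] [id "300015"] [msg "constructed"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "AAAA"]
[Mon Jan 09 10:12:40 2017] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(constructed)" at ARGS:content. [file "/path/to/rules.conf"] [line "233"] [id "300016"] [msg "constructed"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "AAAB"]
[Mon Jan 09 10:15:02 2017] [error] [client 192.0.2.44] File does not exist: /home/example/public_html/favicon.ico
[Mon Jan 09 10:20:17 2017] [error] [client 192.0.2.77] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(constructed)" at ARGS:post_content. [file "/path/to/rules.conf"] [line "180"] [id "300013"] [msg "constructed"] [hostname "example.com"] [uri "/bb-post.php"] [unique_id "AAAC"]
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')


def rules_by_uri(log_text):
    """Map each blocked URI path to the set of rule IDs that fired on it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # ordinary Apache errors carry no rule ID
        rule, uri = ID_RE.search(line), URI_RE.search(line)
        if rule and uri:
            path = uri.group(1).split("?", 1)[0]  # drop any query string
            hits[path].add(int(rule.group(1)))
    return dict(hits)


def escape_path(path):
    """Backslash-escape regex metacharacters so the path matches literally."""
    return re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", path)


def exclusion_block(path, rule_ids):
    """Render a LocationMatch block that matches exactly one script path."""
    lines = ['<LocationMatch "^%s$">' % escape_path(path)]
    lines += ["SecRuleRemoveById %d" % rid for rid in sorted(rule_ids)]
    lines.append("</LocationMatch>")
    return "\n".join(lines)


if __name__ == "__main__":
    for path, ids in sorted(rules_by_uri(SAMPLE_LOG).items()):
        print(exclusion_block(path, ids), end="\n\n")
```

Run it against your own error log in place of `SAMPLE_LOG` and review the output before pasting it into the exclusion file.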
