Mod security and wordpress the final config

Just re-read the title and it sounds like a science-fiction B-movie title. Oh well.

After running this for a while and having played with all the possible options in WordPress, here is my final Mod_Security custom file.

This is saved as /etc/httpd/modsecurity.d/modsecurity_crs_15_customrules.conf on my system but may be different on yours.

# TinyMCE spellchecker RPC endpoint: drop the two request-format rules it trips
<LocationMatch "/wp-includes/js/tinymce/plugins/spellchecker/rpc.php">
SecRuleRemoveById 960010
SecRuleRemoveById 960012
</LocationMatch>

# Everything under wp-includes: same two rules plus 950006
<LocationMatch "/wp-includes/">
SecRuleRemoveById 960010
SecRuleRemoveById 960012
SecRuleRemoveById 950006
</LocationMatch>

# Admin pages where editing post/option/theme content triggers 950006
<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 950006
</LocationMatch>

<LocationMatch "wp-admin/options.php">
SecRuleRemoveById 950006
</LocationMatch>

<LocationMatch "wp-admin/theme-editor.php">
SecRuleRemoveById 950006
</LocationMatch>
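The exclusions above were arrived at by hand from the error log. A way to make that step repeatable, and to keep each exclusion scoped to the exact URI and rule that actually fire, is to count blocked events per (URI, rule id) and emit the LocationMatch fragment from the counts. The script below is an added example, not part of the original post or of ModSecurity itself. It assumes the "[id "..."] ... [uri "..."]" field layout that ModSecurity 2.x writes to the Apache error log; the log lines it works on are constructed samples, and the helper names are mine. It also anchors the generated regex, which the hand-written config does not, so that a pattern for /wp-admin/post.php cannot match that string appearing elsewhere in a path.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape ModSecurity 2.x writes to the Apache
# error log. Real entries carry more fields; only [id], [msg] and [uri] matter here.
SAMPLE_LOG = """\
[Mon Jan 12 10:01:02 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_HEADERS:Content-Type. [id "960010"] [msg "Request content type is not allowed by policy"] [uri "/wp-includes/js/tinymce/plugins/spellchecker/rpc.php"]
[Mon Jan 12 10:01:05 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_HEADERS:Content-Type. [id "960010"] [msg "Request content type is not allowed by policy"] [uri "/wp-includes/js/tinymce/plugins/spellchecker/rpc.php"]
[Mon Jan 12 10:01:09 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_HEADERS:Content-Length. [id "960012"] [msg "POST request must have a Content-Length header"] [uri "/wp-includes/js/tinymce/plugins/spellchecker/rpc.php"]
[Mon Jan 12 10:05:00 2009] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "950006"] [msg "System Command Injection"] [uri "/wp-admin/post.php"]
[Mon Jan 12 10:06:00 2009] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "950006"] [msg "System Command Injection"] [uri "/wp-admin/post.php"]
[Mon Jan 12 10:07:00 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [id "950006"] [msg "System Command Injection"] [uri "/index.php"]
[Mon Jan 12 10:08:00 2009] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:s. [id "950001"] [msg "SQL Injection Attack"] [uri "/index.php"]
"""

FIELD_RE = re.compile(r'\[(id|uri|msg) "([^"]*)"\]')
DENIED_MARK = "ModSecurity: Access denied"


def parse_events(log_text):
    """Return a list of (uri, rule_id, msg, denied) for every ModSecurity line."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "id" not in fields or "uri" not in fields:
            continue  # not an event line we can attribute to a rule and a path
        events.append((fields["uri"], fields["id"], fields.get("msg", ""), DENIED_MARK in line))
    return events


def blocks_per_uri(events):
    """Count how often each rule id actually blocked a request to each URI.
    Warnings (rules that matched but did not deny) are left out: they are not
    breaking anything and are not a reason for an exclusion."""
    counts = defaultdict(Counter)
    for uri, rule_id, _msg, denied in events:
        if denied:
            counts[uri][rule_id] += 1
    return counts


def suggest_exclusions(counts, allowed_prefixes=("/wp-admin/", "/wp-includes/"), min_hits=2):
    """Return [(uri, anchored_regex, [rule ids])] for URIs under the WordPress
    back-end directories where a rule blocked at least min_hits requests.
    Blocks on public paths such as /index.php are deliberately ignored: a rule
    firing there is far more likely to be a real attack than a false positive."""
    suggestions = []
    for uri in sorted(counts):
        if not uri.startswith(allowed_prefixes):
            continue
        ids = sorted(rid for rid, n in counts[uri].items() if n >= min_hits)
        if ids:
            # LocationMatch takes a regex: escape the literal path and anchor it.
            suggestions.append((uri, "^" + re.escape(uri) + "$", ids))
    return suggestions


def render_config(suggestions):
    """Render the suggestions as an Apache/ModSecurity config fragment."""
    lines = []
    for _uri, pattern, ids in suggestions:
        lines.append('<LocationMatch "%s">' % pattern)
        lines.extend("SecRuleRemoveById %s" % rid for rid in ids)
        lines.append("</LocationMatch>")
        lines.append("")
    return "\n".join(lines)


def matches_uri(pattern, uri):
    """True if an emitted LocationMatch pattern would apply to the given path."""
    return re.search(pattern, uri) is not None


if __name__ == "__main__":
    print(render_config(suggest_exclusions(blocks_per_uri(parse_events(SAMPLE_LOG)))))
```

Run against a real error log by reading the file into the string instead of SAMPLE_LOG. With the sample data the single 960012 block on the spellchecker endpoint stays below the threshold and the 950006 block on /index.php is skipped because it is outside the admin paths, so only the two persistent admin-side false positives become exclusions; raise min_hits or tighten allowed_prefixes to be stricter still.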


6 Comments

  1. I would like to send this interesting info to the ModSecurity mailing list. Can you specify (and e-mail me) which version of WordPress, ModSecurity and core rules you are using?

    Thanks
    ~ Ofer

  2. This is for mod_security-2.5.0 and WordPress 2.7. I am not convinced this is the best way to do it from a security point of view but it does get people up and running quickly without disabling ModSecurity server-wide.

    Answering this question has brought it to my attention that the repo I am using for mod_security is out of date and version 2.5.5 has a fix for one of the WordPress problems. Time to find a better repo for mod_security or start creating my own RPMs again. Thanks Ofer.

  3. “Hmmm, your comment seems a bit spammy”
    are you kidding me? if this is wp-spamfree causing it, then it sucks too.

    GOD, get your regexes right. root @ domain is a perfectly valid email address. Shoot yourselves.

    PS: I wanted to write about the issues I have with mod_security and all my scripts (including joomla) but seems you are running a tight anti-comment system here.

  4. Hi Ciuly, you are the first person to complain about this. I have read through the source and you are correct: root@* is one of the blocked email addresses, and I can see why from my log.
    So far this week over 100 spam comments have been blocked from root@ addresses and as far as I can see yours is the first that wasn’t spam.

    Your last two comments got through ok, so if you ask your question I will of course do my best to answer.

  5. Mod_security is a complete waste of time since they went commercial. If you search for a good ruleset you won’t find it; unless you pay up. Thanks, but no thanks. Hardening works better for me.

  6. I am sorry to disagree with you. The core ruleset is still a valuable tool and with a few extra custom rules adds a worthwhile layer to the security toolchest. I shan’t be dropping it any time soon.

1 Trackback / Pingback

  1. WordPress & Apache mod_security: Part 01 « Pablumfication
