
[solved] owasp – Cannot resolve Request Header Issue in ModSecurity and its effects on WordPress


CURRENT: I have the familiar issue with an internal 403 coming up… however, after exploring for the issue through all error logs, I have found that the Forbidden error is emerging from a ModSecurity issue regarding Request Headers and flagging up rulesets within modsecurity_crs_21_protocal / OWASP_CRS.

ORIGINAL: I could not access my site at all. While I can now log in to my domain.co.uk, and navigate around – after modifying the wp-config.php from many suggestions, replacing and modifying again my .htaccess, as well as resolving a missing:

  • [http/2.0] within, modsecurity_crs_10_config,

PROGRESS: The internal WordPress issue persists and shows itself when trying to configure/change the dynamics of the site, particularly, time and date settings, permalinks, editing pages by any means, and generally when I try to save any changes.

NOTES: VPS, CentOS, not – cPanel. Fresh install of WordPress, as my own is held on a shared drive.

  • All directories are set to [755] and files to [644].

  • I have also normalised the SQL database to be utf8mb4_unicode_ci — in the event this could help; it has sped things up but nothing else.

EXPLORING: When exploring modsecurity.d I have browsed far and wide and found a few mods for modsecurity_crs_10_config that were proposed to work, by excluding

along with coding in

  • [SecRule REQUEST_FILENAME "/wp-admin/load-scripts.php]

but nothing seems to be resolving the issue!!

====

```
# (CRS new ruleset)

# Rule to allow server-status requests with missing mandatory headers.
# Each continued line ends with a backslash so Apache reads one directive.
SecRule REMOTE_ADDR "@ipMatch ***.***.*.**" \
    "msg:'Matched 1***.***.*.** and matched server-status. Disabling rules *****1 and *****2',\
    phase:1,\
    id:1*****,\
    t:none,\
    pass,\
    log,\
    chain"
    SecRule REQUEST_FILENAME "server-status$" \
        "t:none,\
        ctl:ruleRemoveById=*****1,\
        ctl:ruleRemoveById=*****2"

# Rule to allow load-scripts.php requests without triggering rules.
SecRule REQUEST_FILENAME "/wp-admin/load-scripts.php$" \
    "msg:'Disabled rules *****1 and *****2 for load-scripts.php$',\
    phase:1,\
    nolog,\
    pass,\
    ctl:ruleRemoveById=*****1,\
    ctl:ruleRemoveById=*****2,\
    id:'2*****'"
```

====

While remembering that there seem to be variations between server directory/file paths:
Do the above look ok, or do I need to be doing something else?
Am I in the right place (file) to be applying these rules?

Thanks in advance and I will try to answer any questions you have in as much detail as you need.

KR, John

Have tried:
I have tried updating file permissions 755 & 644, config.php, .htaccess, normalised SQL database, modsec engine is on, apache status – no issues, and modified rulesets to modsecurity_crs_10_config.

Expecting:
Check if I have got the right coding/syntax in the right place/order and more importantly in the right file, or if I need to be doing something different.
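
Added example, not part of the original post: a `ctl:ruleRemoveById` exclusion needs the ids of the rules that actually fired, and ModSecurity writes them next to each 403 in the Apache error log. This Python script groups those hits by rule id and request URI; the log lines, rule ids, client IP and file path are constructed placeholders in the ModSecurity 2.x log layout.

```python
import os
import re

# Constructed sample lines (ModSecurity 2.x / Apache error_log layout).
# Rule ids, path, client IP and messages are placeholders, not values from the post.
SAMPLE_LOG = '''\
[Mon Jan 01 10:00:01 2024] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/path/to/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "1000001"] [msg "Request Missing an Accept Header"] [hostname "domain.co.uk"] [uri "/wp-admin/options-permalink.php"] [unique_id "AAAA"]
[Mon Jan 01 10:00:09 2024] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/path/to/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "1000001"] [msg "Request Missing an Accept Header"] [hostname "domain.co.uk"] [uri "/wp-admin/options-general.php"] [unique_id "AAAB"]
[Mon Jan 01 10:00:12 2024] [error] [client 203.0.113.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/path/to/modsecurity_crs_21_protocol_anomalies.conf"] [line "66"] [id "1000002"] [msg "Request Missing a User Agent Header"] [hostname "domain.co.uk"] [uri "/wp-admin/load-scripts.php"] [unique_id "AAAC"]
[Mon Jan 01 10:00:15 2024] [error] [client 203.0.113.5] PHP Notice: unrelated entry
'''

# Matches the [key "value"] pairs ModSecurity appends to each message.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the [key "value"] fields of one ModSecurity log line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None
    # "Access denied" is a block; "Warning." only logged the match.
    fields["blocked"] = "Access denied" in line
    return fields


def summarize(log_text):
    """Group hits by rule id so an exclusion can be scoped to the URIs seen."""
    rules = {}
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        entry = rules.setdefault(hit["id"], {
            "file": os.path.basename(hit.get("file", "")),
            "msg": hit.get("msg", ""), "uris": set(), "blocked": 0})
        entry["uris"].add(hit.get("uri", ""))
        entry["blocked"] += hit["blocked"]
    return rules


if __name__ == "__main__":
    for rule_id, info in summarize(SAMPLE_LOG).items():
        print(rule_id, info["file"], info["msg"],
              "blocked=%d" % info["blocked"], sorted(info["uris"]))
```

The ids and URIs it reports are the values an exclusion rule would reference, which keeps each `ruleRemoveById` limited to the requests that were actually blocked.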

