[solved] owasp – Cannot resolve Request Header Issue in ModSecurity and its effects on WordPress
CURRENT: I have the familiar issue with an internal 403 coming up… however, after exploring for the issue through all error logs, I have found that the Forbidden error is emerging from a ModSecurity issue regarding Request Headers and flagging up rulesets within, modsecurity_crs_21_protocal / OWASP_CRS.
ORIGINAL: I could not access my site at all. While I can now log in to my domain.co.uk, and navigate around – after modifying the wp-config.php from many suggestions, replacing and modifying again my .htaccess, as well as resolving a missing: [http/2.0] within, modsecurity_crs_10_config,
PROGRESS: The internal WordPress issue persists and shows itself when trying to configure/change the dynamics of the site, particularly, time and date settings, permalinks, editing pages by any means, and generally when I try to save any changes.
NOTES: VPS, CentOS, not – cPanel. Fresh install of WordPress, as my own is held on a shared drive.
- All directories are set to [755] and files to [644].
- I have also normalised the SQL database to be UTF8mb4_unicode.ci — in the event this could help, it has sped things up but nothing else.
EXPLORING: When exploring modsecurity.d I have browsed far and wide and found a few mods for modsecurity_crs_10_config that were proposed to work, by excluding along with coding in [SecRule REQUEST_FILENAME "/wp-admin/load-scripts.php] but nothing seems to be resolving the issue!!
====
```
# (CRS new ruleset)
# Rule to allow server-status requests with missing mandatory headers.
SecRule REMOTE_ADDR "@ipMatch ***.***.*.**" \
    "msg:'Matched 1***.***.*.** and matched server-status. Disabling rules *****1 and *****2',\
    phase:1,\
    id:1*****,\
    t:none,\
    pass,\
    log,\
    chain"
    SecRule REQUEST_FILENAME "server-status$" \
        "t:none,\
        ctl:ruleRemoveById=*****1,\
        ctl:ruleRemoveById=*****2"

# Rule to allow load-scripts.php requests without triggering rules.
SecRule REQUEST_FILENAME "/wp-admin/load-scripts.php$" \
    "msg:'Disabled rules *****1 and *****2 for load-scripts.php$',\
    phase:1,\
    nolog,\
    pass,\
    ctl:ruleRemoveById=*****1,\
    ctl:ruleRemoveById=*****2,\
    id:'2*****'"
```
====
While remembering that there seem to be variations between server directory/file paths:
Do the above look ok, or do I need to be doing something else?
Am I in the right place (file) to be applying these rules?
Thanks in advance and I will try to answer any questions you have in as much detail as you need.
KR, John
Have tried:
I have tried updating file permissions 755 & 644, config.php, .htaccess, normalised SQL database, modsec engine is on, apache status – no issues, and modified rulesets to modsecurity_crs_10_config.
Expecting:
Check if I have got the right coding/syntax in the right place/order and more importantly in the right file, or if I need to be doing something different.
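An added example, not part of the original post: a short Python script that tallies which ModSecurity rule ids fire for which URI in an Apache error log, which is the information needed to scope a `ctl:ruleRemoveById` exclusion to the affected admin pages. The log lines, rule ids, rule file path and hostname are constructed placeholders, and the bracketed `[id "…"] [uri "…"]` layout assumes ModSecurity 2.x error-log output.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error-log layout.
# Rule ids, file path, hostname and messages are placeholders, not from the post.
_F = '[file "/etc/httpd/modsecurity.d/example_rules.conf"] [line "47"]'
_H = '[hostname "example.test"]'
_P = "[error] [client 192.0.2.10] ModSecurity:"
SAMPLE_LOG = "\n".join([
    f'{_P} Access denied with code 403 (phase 2). {_F} [id "1000001"] '
    f'[msg "Example header rule"] {_H} [uri "/wp-admin/options-general.php"]',
    f'{_P} Warning. {_F} [id "1000002"] '
    f'[msg "Example protocol rule"] {_H} [uri "/wp-admin/options-general.php"]',
    f'{_P} Access denied with code 403 (phase 2). {_F} [id "1000001"] '
    f'[msg "Example header rule"] {_H} [uri "/wp-admin/options-permalink.php"]',
    "[error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
    f'{_P} Access denied with code 403 (phase 2). {_F} [id "1000001"] '
    f'[msg "Example header rule"] {_H} [uri "/wp-admin/options-general.php"]',
])

# Matches [name "value"] pairs; tolerates backslash-escaped quotes in the value.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def rule_hits(log_text):
    """Count ModSecurity hits per (uri, rule id, rule file, msg)."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # unrelated Apache error
        fields = dict(FIELD.findall(line))
        if "id" in fields and "uri" in fields:
            key = (fields["uri"], fields["id"],
                   fields.get("file", "?"), fields.get("msg", ""))
            hits[key] += 1
    return hits


def ids_for_uri(log_text, uri):
    """Sorted rule ids (warnings and denials) seen for one URI."""
    return sorted({rid for (u, rid, _, _) in rule_hits(log_text) if u == uri})


if __name__ == "__main__":
    for (uri, rid, rule_file, msg), n in sorted(rule_hits(SAMPLE_LOG).items()):
        print(f"{n:3d}  {uri}  id={rid}  {msg}  ({rule_file})")
```

Warnings are counted alongside denials because, when the rule set runs in anomaly-scoring mode, the rule that issues the 403 is not the one that matched the request.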