Using mod_security2 with WordPress

Post author:Kailash Aghera
Post published:July 8, 2024
Post category:WordPress Tutorials
Post comments:0 Comments

ModSecurity is an open source web application firewall which prevent attacks for your websites however if the rules are not configured properly, the legit URLs may be blocked by mod_security rules.

Recently I received few errors “405 Method Not Allowed” and “406 Not Acceptable” while accessing my WordPress admin area. After investigating, I found that Mod_security2 rules were causing this problem. To fix this problem, I created global whitelist configuration file (/usr/local/apache/conf/modsec2/whitelist.conf – this may be different for you depending on your installation) and bypassed some rules for WordPress admin area as follow:

<LocationMatch “/wp-admin/post.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch “/wp-admin/admin-ajax.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch “/wp-admin/page.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch “/wp-admin/options.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch “/wp-admin/theme-editor.php”>
SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch “/wp-includes/”>
SecRuleRemoveById 960010 960012 950006
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</LocationMatch>

You can enable/disable additional rules as per your requirement.

Tags: WordPress 406 Not Acceptable error, WordPress Method Not Allowed error

You Might Also Like

WordPress One-Click installation via Softaculous

How to Login to WordPress?

How to reset your WordPress admin password?

Leave a Reply Cancel reply