Reputation: 99
I have a VPS on which cPanel/WHM is installed. I just enabled a few rules provided by default by the cPanel team's OWASP rule set. When I enable these rules, my server does not even accept new media files in WordPress. Additionally, if someone tries to publish a post, when he/she hits the publish button it redirects them to the homepage of the website.
Can anyone help with this?
Thanks in advance.
Upvotes: 0
Views: 933
Reputation: 45970
You need to learn how to tweak ModSecurity for your setup before turning it live.
Have a read of this answer for more background and details on how to investigate issues: Keep ModSecurity Enabled With Symfony installation W/Cpanel & WHM
Did you just enable a few of the OWASP rule set? Or all of them? The OWASP rule set, although very good, will give lots of false positives by default on most websites and incorrectly block legitimate traffic - as will most rule sets.
So you need to find out which rules are blocking and why. Check the log files to see this. Then decide whether to tweak those rules so as not to block legitimate traffic - or turn those rules off completely.
As I said above, the recommendation is to run in DetectionOnly mode initially using the following config:
SecRuleEngine DetectionOnly
Checking log files regularly and fine-tuning rules until you've few enough false positives that you feel comfortable blocking traffic that fails the rules.
This post walks you through an example of tweaking a rule: Extra sensitive Mod Security rules giving 403 forbidden error
Upvotes: 1
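One way to do the log review described in the answer above while running in DetectionOnly mode, as an added example that is not part of the original answer: it tallies which rule id fires on which URI so the noisiest rule/endpoint pairs can be examined first. It assumes ModSecurity 2.x writing to the Apache error log; the sample lines, rule ids, messages and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error-log style. Rule ids,
# messages, paths, host and client addresses are placeholders, not real rules.
SAMPLE_LOG = """\
[Mon Jan 01 10:00:01 2024] [:error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "x" at ARGS:content. [file "/path/a.conf"] [id "9990001"] [msg "Placeholder rule A"] [hostname "example.test"] [uri "/wp-admin/post.php"]
[Mon Jan 01 10:02:13 2024] [:error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "x" at ARGS:content. [file "/path/a.conf"] [id "9990001"] [msg "Placeholder rule A"] [hostname "example.test"] [uri "/wp-admin/post.php"]
[Mon Jan 01 10:05:40 2024] [:error] [client 192.0.2.10] ModSecurity: Warning. Match of "y" against "FILES" required. [file "/path/b.conf"] [id "9990002"] [msg "Placeholder rule B"] [hostname "example.test"] [uri "/wp-admin/async-upload.php"]
[Mon Jan 01 10:06:00 2024] [core:notice] [pid 1] AH00094: Command line: 'httpd'
"""

# Matches bracketed key/value fields such as [id "9990001"] or [uri "/x"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return (rule_id, uri, msg) for a ModSecurity rule hit, else None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None
    return fields["id"], fields.get("uri", "?"), fields.get("msg", "")


def summarize(log_text):
    """Count hits per (rule id, URI), most frequent first."""
    hits, msgs = Counter(), {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            rule_id, uri, msg = parsed
            hits[(rule_id, uri)] += 1
            msgs[rule_id] = msg
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(rid, uri, msgs[rid], n) for (rid, uri), n in ordered]


if __name__ == "__main__":
    for rule_id, uri, msg, n in summarize(SAMPLE_LOG):
        print(f"{n:4d}  id={rule_id}  {uri}  {msg}")
```

To use it on a real server, pass the contents of the Apache error log to summarize() instead of SAMPLE_LOG.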