Reputation: 1
I would like to adapt the administration URLs of my WordPress site so that they work with ModSecurity rules. Indeed, I use a WAF which manages incoming traffic. ModSecurity is installed on the WAF. Also, I don't have access to this WAF, just to my back-end server. I use Apache.
Upvotes: 0
Views: 205
Reputation: 295
CRS dev-on-duty here. You're probably talking about OWASP Core Rule Set rules. This ruleset is often used for ModSecurity WAFs. The Core Rule Set offers a WordPress exclusion package that should help you fight false positives. You can activate this exclusion package in your crs-setup.conf.
However, a blocked request is normally not blocked with an HTTP status 406, but with an HTTP status 403. So it's probably not the WAF that raises your error.
I'd like to help you find out if it's the WAF that blocks you, but unfortunately, you did not include enough information for us to actually help you.
Please provide the following if possible:
ATTENTION: When submitting logs, please remove all personal information like IP addresses, hostnames, passwords, etc. We'll be happy to have a look afterwards. CRS dev-on-duty.
Upvotes: 0
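For reference, this is how the WordPress exclusion package mentioned in the answer above is switched on. It is an added example, not part of the original posts, and it assumes a CRS 3.x installation, where the `crs-setup.conf` shipped with the rule set contains a commented-out `SecAction` with id 900130 (in CRS 4 the WordPress exclusions are delivered as a separate plugin instead). The setting belongs on the host that runs ModSecurity, so here it would be applied on the WAF, not on the back-end Apache server.

```apache
# crs-setup.conf on the ModSecurity/WAF host (assumed CRS 3.x layout).
# This file must be included before the CRS rule files are loaded,
# otherwise the variable is not set when the exclusion rules run.

# Enable the application-specific exclusion package for WordPress.
# Only the WordPress variable is set; the other application packages
# (Drupal, Nextcloud, etc.) stay disabled so that no rules are relaxed
# for software that is not actually deployed behind the WAF.
SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_wordpress=1"
```

After the change the web server running ModSecurity has to be reloaded for the setting to take effect.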