I installed mod_security in Apache and it is messing with my WordPress installation.
I installed mod_security in Apache and it is messing with my WordPress installation. How do I fix this?
I am seeing errors like:
[Fri Jun 12 01:18:46.435581 2020] [:error] [pid 4630] [client xxx.xxx.xxx.xxx:5183] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "(?i)(?:;|\\{|\\||\\|\\||&|&&|\\n|\\r|)\\\\s*[\\\\(,@\\\\'\\"\\\\s]*(?:[\\\\w'\\"\\\\./]+/|[\\\\\\\\'\\"\\\\^]*\\\\w[\\\\\\\\'\\"\\\\^]*:.*\\\\\\\\|[\\\\^\\\\.\\\\w '\\"/\\\\\\\\]*\\\\\\\\)?[\\"\\\\^]*(?:s[\\"\\\\^]*(?:y[\\"\\\\^]*s[\\"\\\\^]*(?:t[\\"\\\\^]*e[\\"\\\\^]*m[\\"\\\\^]*(?:p[\\"\\\\^]*r[\\"\\\\^]*o[\\"\\\\^]*p[\\"\\\\^]*e ..." at ARGS:nav-menu-data. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "302"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: & Sort found within ARGS:nav-menu-data: [{\\x22name\\x22:\\x22nav-menu-data\\x22,\\x22value\\x22:\\x22\\x22},{\\x22name\\x22:\\x22closedpostboxesnonce\\x22,\\x22value\\x22:\\x22cd67b28153\\x22},{\\x22name\\x22:\\x22meta-box-order-nonce\\x22,\\x22value\\x22:\\x221836ec9adb\\x22},{\\x22name\\x22:\\x22update-nav-menu-nonce\\x22,\\x22value\\x22:\\x228d26b98b3a\\x22},{\\x22name\\x22:\\x22_wp_http_referer\\x22,\\x22value\\x22:\\x22/wp-admin/nav-menus.php\\x22},{\\x22name\\x22:\\x22action\\x22,\\x22value\\x22:\\x22update\\x22},{\\x22name\\x22:\\x2..."] [severity "CRITICAL"] [ver "OWASP_CRS [hostname "example.com"] [uri "/wp-admin/nav-menus.php"] [unique_id "XuMQNndxNzSwm7Z44NS0UQAAABc"], referer: https://example.com/wp-admin/nav-menus.php
[Fri Jun 12 01:18:46.436236 2020] [:error] [pid 4630] [client xxx.xxx.xxx.xxx:5183] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Pattern match "(?i)(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|)\\s*[\\(,@\\'\"\\s](?:[\\w'\"\\./]+/|[\\\\'\"\\^]\\w[\\\\'\"\\^]:.\\\\|[\\^\\.\\w '\"/\\\\]\\\\)?[\"\\^](?:s[\"\\^]*(?:y[\"\\^]s[\"\\^](?:t[\"\\^]*e[\"\\^]m[\"\\^](?:p[\"\\^]*r[\"\\^]*o[\"\\^]*p[\"\\^]*e ..." at ARGS:menu-item-title[37501]. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "302"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: & Sort found within ARGS:menu-item-title[37501]: All Pubs (Search & Sort)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "example.com"] [uri "/wp-admin/nav-menus.php"] [unique_id "XuMQNndxNzSwm7Z44NS0UQAAABc"], referer: https://example.com/wp-admin/nav-menus.php
1 Reply
The problem you are experiencing seems to be fairly common. The solution is not simple because mod_security uses a generic set of rules blocking requests that look suspiciously like code injection attacks and other nefarious activities. WordPress and many of its plugins often operate by doing unusual things with URLs that look like such shenanigans.
It is recommended that you go through your log files and override the rules that are generating false positives. You will want to verify that the requests generating the errors are coming from your known IP address so you don't accidentally whitelist any actual attacks.
You will need to rename your rules/RESPONSE-99-EXCEPTIONS.conf.example file to remove the .example extension.
For the example above we are looking at:
... "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "302"] [id "932115"]
So we would add lines to the RESPONSE-99-EXCEPTIONS.conf file to read:
SecRuleRemoveById 932115
You may also wish to take a look at the following (number 8 in particular):
Additionally it may be a good idea to review the documentation for any plugins you are using to see if they have recommendations for handling mod_security specific to that plugin (rather than disabling rules willy-nilly).
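As an added example (not code from the question or the answer), this Python script automates the answer's procedure: it parses ModSecurity error-log entries, keeps only alerts from a known admin address, and emits per-URI exclusions with ctl:ruleRemoveTargetById instead of a site-wide SecRuleRemoveById. The log lines, client addresses and the 1000001 rule id are constructed; it assumes a ModSecurity 2.x build that accepts regex targets in ctl:ruleRemoveTargetById.

```python
import re
from collections import defaultdict

# Constructed sample entries modelled on the two error-log lines in the question
# (pattern text shortened, documentation IPs, third line is an invented unknown client).
SAMPLE_LOG = r'''
[Fri Jun 12 01:18:46.435581 2020] [:error] [pid 4630] [client 203.0.113.10:5183] [client 203.0.113.10] ModSecurity: Warning. Pattern match "(?i)(?:;|&|&&)..." at ARGS:nav-menu-data. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "302"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [hostname "example.com"] [uri "/wp-admin/nav-menus.php"]
[Fri Jun 12 01:18:46.436236 2020] [:error] [pid 4630] [client 203.0.113.10:5183] [client 203.0.113.10] ModSecurity: Warning. Pattern match "(?i)(?:;|&|&&)..." at ARGS:menu-item-title[37501]. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "302"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [hostname "example.com"] [uri "/wp-admin/nav-menus.php"]
[Fri Jun 12 02:00:00.000000 2020] [:error] [pid 4631] [client 198.51.100.7:40000] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i)(?:;|&|&&)..." at ARGS:cmd. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "302"] [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [hostname "example.com"] [uri "/wp-login.php"]
'''
TRUSTED_IPS = {'203.0.113.10'}  # the admin's own address (constructed)

# Fields needed from one ModSecurity error-log entry (IPv4 clients only).
ENTRY_RE = re.compile(
    r'\[client (?P<ip>\d+(?:\.\d+){3}):\d+\].*? at (?P<target>.+?)\. \[file '
    r'.*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"?]+)')

def parse_alerts(text):
    """Yield {ip, target, id, uri} for every entry that looks like a CRS alert."""
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            yield m.groupdict()

def normalize_target(target):
    r"""ARGS:menu-item-title[37501] -> ARGS:/^menu-item-title\[\d+\]$/ (covers every index)."""
    coll, sep, name = target.partition(':')
    if not sep or not re.search(r'\[\d+\]', name):
        return target
    pattern = re.sub(r'\[\d+\]', r'\\[\\d+\\]', name)
    return f'{coll}:/^{pattern}$/'

def candidate_exclusions(text, trusted_ips):
    """Group alerts by (uri, rule id), keeping only hits from trusted clients; anyone else's hit may be a real attack."""
    groups = defaultdict(set)
    for a in parse_alerts(text):
        if a['ip'] in trusted_ips:
            groups[(a['uri'], a['id'])].add(normalize_target(a['target']))
    return {key: sorted(targets) for key, targets in groups.items()}

def render_rule(uri, rule_id, targets, exc_id):
    """Runtime exclusion limited to one script and the named arguments; exc_id must avoid the CRS 9xxxxx range."""
    ctls = ','.join(f'ctl:ruleRemoveTargetById={rule_id};{t}' for t in targets)
    return (f'SecRule REQUEST_FILENAME "@endsWith {uri}" '
            f'"id:{exc_id},phase:1,pass,t:none,nolog,{ctls}"')

if __name__ == '__main__':
    exclusions = candidate_exclusions(SAMPLE_LOG, TRUSTED_IPS)
    for n, ((uri, rid), targets) in enumerate(exclusions.items(), 1000001):
        print(render_rule(uri, rid, targets, n))
```

Because these are runtime (ctl) exclusions they must be loaded before the CRS rules they modify, i.e. in the before-CRS exclusion file rather than the after-CRS file used for SecRuleRemoveById.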