Home » Wordpress » mod_security2 rules for WordPress

mod_security2 rules for WordPress

Posted by: admin November 30, 2017 Leave a comment

Questions:

Are there any standard (?!) mod_security2 rules for servers with WordPress websites?
I want to make clear that I do not want to disable mod_security2 (it exists for a good reason). I just want to make my life a little bit easier when working with WordPress installations.

I have read this http://wpsecure.net/2012/01/using-mod_security-2-with-wordpress/ but it would be great to hear more opinions from people already using mod_security2 & WordPress.

Because I am no expert on this, is there any documentation to read on what exactly are the following…

<LocationMatch "/wp-admin/post.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/page.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/options.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-admin/theme-editor.php">
  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/plugins/">
  SecRuleRemoveById 300015 340151 1234234 340153 1234234 300016 300017 950907 950005 950006 960008 960011 960904 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-includes/">
  SecRuleRemoveById 960010 960012 950006 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-content/themes/">
  SecRuleRemoveById 340151 340153 1234234 950006 959006
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</LocationMatch>

<LocationMatch "/wp-cron.php">
  SecRuleRemoveById 960015
</LocationMatch>

<LocationMatch "/feed">
  SecRuleRemoveById 960015
</LocationMatch>

<LocationMatch "/category/feed">
  SecRuleRemoveById 960015
</LocationMatch>

Thank you.

Answers:

As far as I know there is no public/free ruleset available, which contains special rule sets for WordPress. Commercial rule sets for wordpress are available from Atomicorp and Trustwave, but actually I did not use/test them.

The config you posted is intended to be included in the configuration of your Apache2 webserver or in the configuration of each virtual hosts, if you don’t want to include the configuration globally.

The LocationMatch is a directive from Apache2 webserver – see: http://httpd.apache.org/docs/2.2/en/mod/core.html#locationmatch

The SecRuleRemoveById is a directive from mod_security2 https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleRemoveById which disables one or many rules by their ID

Combining both together, the first lines of the configuration do remove mod_security2 rules with the given IDs for all URLs matching “/wp-admin/post.php” (which is the script that is responsible for managing blogposts in the WordPress backend).

So all in all, the configuration disables a lot of mod_security2 / OWASP rules for several WordPress scripts.

My experience with current versions of mod_security2 and WordPress are the following:

For some month I was in a simular situation as you are now. I already had a webserver running Apache2 with mod_security2 and the OWASP core rule set. The webserver only hosted some small WordPress sites an I was happy, that mod_security2 was blocking several automated attacks against WordPress.

Then I had to update mod_security2 to the latest version which also required an update of the OWASP core rule set to the latest version. The new version of the OWASP core rule set resulted in many mod_security2 false positives for WordPress, so I came to the same article as you mentioned in your question. After hours of debugging I came to the conclusion, that the article (which is from 2012) seems to be outdated and that the development of both mod_security2 and WordPress has come so far, that the shown exclude rules in the article do not suit with new versions of mod_security2/OWASP core ruleset and WordPress.

I tried to create my own rule set but actually gave up after many hours of work, since I had to disable too many rules that came with the OWASP core rule set (e.g. disable many SQL injection checks because of false positives), which actually removed a lot of the security benefits of mod_security2 and the OWASP core rule set.