Mod_security Blocking My IP When Editing Post In WordPress

While editing a post in the WordPress editor, after a few minutes my IP gets blocked by mod_security automatically and added to the firewall's deny list, and the lfd log shows the reason as “5 in the last 300 secs”.

lfd: (mod_security) mod_security triggered by xx.xx.xx.xx (MY/Malaysia/-): 5 in the last 300 secs

To get back in quickly, I have to restart my modem (to get a new IP) so I can reach the server via SSH or WHM, then remove the blocked IP from the deny list manually. Here's my environment:

  1. WordPress 3.4.2
  2. Classic Apache + ModSecurity + CSF/LFD

After much trial and error, I found that this is most likely caused by the WordPress “autosave” and post revision features. While a post is being edited, WordPress keeps autosaving the draft or a post revision at the configured interval; these frequent admin requests trip the mod_security rules, and lfd soon reaches its block threshold.

Here are two solutions:

1. Whitelist WordPress Action

This was suggested by my hosting support: whitelist some common WordPress actions in mod_security. Edit whitelist.conf and put the following rules inside. Note that the last two rules switch the rule engine off entirely for async-upload.php, so that path loses all mod_security protection; where possible, remove only the specific rule IDs that fire, as the LocationMatch blocks do for the other paths.

/usr/local/apache/conf/modsec2/whitelist.conf
# Drop the noisy rule IDs only for the wp-admin endpoints that editing and autosave hit.
<LocationMatch "/wp-admin/page.php">
SecRuleRemoveById 300013 300014 300015 300016 300017
</LocationMatch>

<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300013 300014 300015 300016 300017
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300013 300014 300015 300016 300017
</LocationMatch>

# Skip all rules for the media uploader. The action list is quoted as ModSecurity expects;
# ModSecurity 2.7 and later also require a unique "id:" action on every SecRule, so add one if your version complains.
SecRule REQUEST_URI "/wp-admin/async-upload.php" "phase:1,nolog,allow,ctl:ruleEngine=Off"
SecRule REQUEST_URI "/wp-admin/async-upload.php" "phase:2,nolog,allow,ctl:ruleEngine=Off"
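Before deciding which rule IDs to remove, it is better to read them off the log than to guess. The following is an added example and not part of the original post: a small POSIX shell script that counts ModSecurity rule hits per wp-admin URI from the Apache error log and prints the IDs for a given path in a form that can be pasted into a SecRuleRemoveById line. The log path, the helper names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: summarise which ModSecurity rule
# IDs fire on which wp-admin URIs, so the whitelist can be limited to exactly
# those IDs instead of switching the rule engine off for a whole path.
# Assumption: the log is an Apache error_log in the ModSecurity 2.x message
# format, with one [id "..."] and one [uri "..."] field per line. The sample
# lines and file path below are constructed for this example.

# Usage: modsec_rule_hits /usr/local/apache/logs/error_log
# Prints one line per (uri, rule id) pair: "<uri> <id> <hits>", most hits first.
modsec_rule_hits() {
    grep 'ModSecurity:' "$1" \
      | sed -n 's/.*\[id "\([0-9][0-9]*\)"].*\[uri "\([^"]*\)"].*/\2 \1/p' \
      | sort | uniq -c \
      | awk '{ print $2, $3, $1 }' \
      | sort -k3,3nr -k1,1 -k2,2n
}

# Usage: modsec_ids_for_uri <logfile> <uri>
# Prints the rule IDs that fired on that URI, ascending, space separated,
# ready for "SecRuleRemoveById ..." inside a <LocationMatch> for the URI.
modsec_ids_for_uri() {
    modsec_rule_hits "$1" \
      | awk -v uri="$2" '$1 == uri { print $2 }' \
      | sort -n | tr '\n' ' ' | sed 's/ $//'
    echo
}

# Constructed sample log: three hits of rule 300015 and one of 300013 on
# post.php, one hit of 300016 on admin-ajax.php, plus one unrelated line.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Wed Oct 10 10:15:01 2012] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i)sample" at ARGS:content. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "88"] [id "300015"] [msg "Generic attack pattern"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-01"]
[Wed Oct 10 10:16:03 2012] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i)sample" at ARGS:content. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "88"] [id "300015"] [msg "Generic attack pattern"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-02"]
[Wed Oct 10 10:16:03 2012] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i)sample" at ARGS:content. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "70"] [id "300013"] [msg "Generic attack pattern"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-03"]
[Wed Oct 10 10:16:30 2012] [notice] caught SIGTERM, shutting down
[Wed Oct 10 10:17:05 2012] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i)sample" at ARGS:data. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "95"] [id "300016"] [msg "Generic attack pattern"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-04"]
[Wed Oct 10 10:18:02 2012] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i)sample" at ARGS:content. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "88"] [id "300015"] [msg "Generic attack pattern"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed-05"]
EOF

modsec_rule_hits "$SAMPLE_LOG"
echo "post.php: SecRuleRemoveById $(modsec_ids_for_uri "$SAMPLE_LOG" /wp-admin/post.php)"
```

Run it against the real error_log once the block has reproduced a few times; the IDs it lists are the ones worth removing per path, and anything that keeps firing on other paths stays enforced.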

2. Disable Post Revisions

Disable the WordPress post revisions feature, or increase its autosave interval. Edit wp-config.php and add the following lines above the “That's all, stop editing!” line:

define('AUTOSAVE_INTERVAL', 300 ); // seconds, 5 mins (the WordPress default is 60)
define('WP_POST_REVISIONS', false ); // no revision rows written on each save

Here's my full wp-config.php as a sample (credentials removed):

wp-config.php
<?php
/** Enable W3 Total Cache */
define('WP_CACHE', true); // Added by W3 Total Cache

define('AUTOSAVE_INTERVAL', 300 ); // seconds, 5 mins
define('WP_POST_REVISIONS', false );

// ** MySQL settings ** // Added by WP-Cache Manager
define('DB_NAME', 'removed-for-security');    // The name of the database
define('DB_USER', 'removed-for-security');     // Your MySQL username
define('DB_PASSWORD', 'removed-for-security'); // ...and password
define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

define('AUTH_KEY', 'removed-for-security');
define('SECURE_AUTH_KEY', 'removed-for-security');
define('LOGGED_IN_KEY', 'removed-for-security');
define('NONCE_KEY', 'removed-for-security');

$table_prefix  = 'abc_';

define ('WPLANG', '');

@ini_set('log_errors','On');
@ini_set('display_errors','Off');
@ini_set('error_log','/home/username/www/php-errors.log');

/* That's all, stop editing! Happy blogging. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
