While editing a post in the WordPress editor, after a few minutes my IP gets blocked automatically by mod_security: CSF/LFD puts it in the firewall's deny list, and the log shows the security concern "5 in the last 300 secs".
lfd: (mod_security) mod_security triggered by xx.xx.xx.xx (MY/Malaysia/-): 5 in the last 300 secs
To fix it quickly, I have to restart my modem or otherwise get a new IP so I can reach the server via SSH or WHM, then delete the blocked IP manually. Here's my environment:
- WordPress 3.4.2
- Classic Apache + ModSecurity + CSF/LFD
After much trial and error, I found that this may be caused by the WordPress "autosave" and post revision features. While a post is being edited, WordPress keeps autosaving the draft or post revision at the configured interval, and firing those requests too often easily triggers the mod_security rules.
Here are two solutions:
1. Whitelist WordPress Actions
This was suggested by my hosting support: whitelist some common WordPress actions in mod_security. Edit whitelist.conf and put the following rules inside.
# Exempt the editor endpoints from the rule ids that keep firing on autosave/revision requests.
# Keep the exemptions scoped to these paths only; do not disable the ids globally.
<LocationMatch "/wp-admin/page.php">
    SecRuleRemoveById 300013 300014 300015 300016 300017
</LocationMatch>
<LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 300013 300014 300015 300016 300017
</LocationMatch>
<LocationMatch "/wp-admin/admin-ajax.php">
    SecRuleRemoveById 300013 300014 300015 300016 300017
</LocationMatch>
# Media uploads: turn the rule engine off for this request in both phase 1 (headers) and phase 2 (body).
SecRule REQUEST_URI "/wp-admin/async-upload.php" "phase:1,nolog,allow,ctl:ruleEngine=Off"
SecRule REQUEST_URI "/wp-admin/async-upload.php" "phase:2,nolog,allow,ctl:ruleEngine=Off"
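Before exempting rule ids wholesale, it helps to see which ids actually fire on which wp-admin URLs, and whether a single editor's autosaves alone reach LFD's "5 in the last 300 secs" threshold. The following Python script is an added example, not part of the original post: it parses ModSecurity 2.x denials in the Apache error_log format; the log lines are constructed samples, and the rule ids and the 5/300 threshold mirror the ones in this post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache 2.2 / ModSecurity 2.x error_log style (not real traffic).
SAMPLE_LOG = """\
[Wed Oct 03 10:00:01 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "300013"] [msg "constructed"] [uri "/wp-admin/post.php"]
[Wed Oct 03 10:01:01 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "300015"] [msg "constructed"] [uri "/wp-admin/post.php"]
[Wed Oct 03 10:02:01 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:data. [id "300013"] [msg "constructed"] [uri "/wp-admin/admin-ajax.php"]
[Wed Oct 03 10:03:01 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "300015"] [msg "constructed"] [uri "/wp-admin/post.php"]
[Wed Oct 03 10:04:01 2012] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "300013"] [msg "constructed"] [uri "/wp-admin/post.php"]
[Wed Oct 03 10:30:00 2012] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_BODY. [id "300016"] [msg "constructed"] [uri "/xmlrpc.php"]
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] ModSecurity: '
    r'.*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]+)"\]'
)

def parse_events(text):
    """Return (timestamp, client ip, rule id, uri) for every ModSecurity denial line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("ip"), m.group("id"), m.group("uri")))
    return events

def hits_by_uri_and_rule(events):
    """Count denials per (uri, rule id): shows which ids to exempt, and on which paths only."""
    return Counter((uri, rid) for _, _, rid, uri in events)

def ips_over_threshold(events, limit=5, window_secs=300):
    """IPs with at least `limit` denials inside any `window_secs` window (LFD's 5-in-300s rule)."""
    per_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        per_ip[ip].append(ts)
    window = timedelta(seconds=window_secs)
    flagged = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) >= limit:
                flagged.add(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for (uri, rid), n in sorted(hits_by_uri_and_rule(ev).items()):
        print(f"{n:3d}  id {rid}  {uri}")
    print("would be blocked by LFD:", ips_over_threshold(ev))
```

Run it against your real error_log instead of SAMPLE_LOG to confirm the editor's own autosaves, and only those rule ids, are what pushes an IP over the limit.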
2. Disable Post Revisions
Disable the WordPress post revisions feature, or increase its autosave interval. Edit wp-config.php and add the following code:
define('AUTOSAVE_INTERVAL', 300 ); // seconds, 5 mins
define('WP_POST_REVISIONS', false );
Here's my full sample of wp-config.php:
<?php
/** Enable W3 Total Cache */
define('WP_CACHE', true); // Added by W3 Total Cache

define('AUTOSAVE_INTERVAL', 300 ); // seconds, 5 mins
define('WP_POST_REVISIONS', false );

// ** MySQL settings ** //Added by WP-Cache Manager
define('DB_NAME', 'removed-for-security'); // The name of the database
define('DB_USER', 'removed-for-security'); // Your MySQL username
define('DB_PASSWORD', 'removed-for-security'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

define('AUTH_KEY', 'removed-for-security');
define('SECURE_AUTH_KEY', 'removed-for-security');
define('LOGGED_IN_KEY', 'removed-for-security');
define('NONCE_KEY', 'removed-for-security');

$table_prefix = 'abc_';
define ('WPLANG', '');

@ini_set('log_errors','On');
@ini_set('display_errors','Off');
@ini_set('error_log','/home/username/www/php-errors.log');

/* That's all, stop editing! Happy blogging. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files (standard last line of wp-config.php; WordPress does not load without it). */
require_once(ABSPATH . 'wp-settings.php');