
Modsecurity & WordPress REST API

Comments

3 comments

  • kodeslogic
    1.) Find the ModSec error in the Apache error logs with the following command (be sure to modify the command with your IP, replacing "1.2.23.5"):
        grep ModSec /usr/local/apache/logs/error_log | grep "1.2.23.5"
    2.) The output of this command will give you a list of hits for ModSecurity from you or your developer's IP, which you can see below. While these instructions may look intimidating, you will only want to pay attention to 3 bits of information highlighted.
        Note: Orange = client, the IP which tripped the rule. Blue = ID number of tripped rule within ModSec. Green = URI, the location where the error started from.
        [Sat Aug 15 23:07:04.179801 2020] [:error] [pid 79117:tid 139708457797895] [client 1.2.23.5:30006] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "110"] [id "20000332"] [hostname "1.2.23.5"] [uri "/api/index.php"] [unique_id "WwjPWChxvG2DP5la-D55eQBBBDV"]
    3.) Open the Easy Apache 4 configuration file:
        vim /etc/apache2/conf.d/whitelist.conf
    4.) Add the following text to the configuration. Remember to pay attention to the highlighted parts. Change the green "/api/index.php" to match your URI and the blue id to match the id of your error (do not use the colon in this one).
        SecRuleRemoveById 20000332
    5.) The final step for whitelisting, before you finalize the process, is to ensure you have correctly set up the whitelist. For Easy Apache 4 you will run the command:
        apachectl -t
    As long as the command returns "Syntax Ok" you are safe to make the whitelist active by restarting Apache.
    6.) Restart Apache with the following command:
        /scripts/restartsrv_httpd
    You have successfully whitelisted URI in ModSec
    0
  • Rockforduk
    Hi kodeslogic, Thank you for that. The issue is I need to whitelist specific URLs, if that is possible, as they are not triggering ModSec in the sense of what you have posted; they are just being blocked by default. So, the app is not communicating with the WordPress site; something within the ModSecurity rules is blocking access to the REST API within WordPress. This is why I wanted to see if there was a way to whitelist the URLs as opposed to the ID etc.
    0
  • cPanelLauren
    The advice from @kodeslogic is still not wrong in this instance. You'd need to know what specifically is causing the rule match and which rule is being matched before you can really move forward.
    0
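The log-reading steps from the first comment, combined with the per-URL scoping asked about in the second, as an added example that is not part of the thread or of cPanel's tooling: it tallies which rule ids blocked one client on which URIs and renders a `SecRuleRemoveById` exclusion limited to one path prefix. The sample log lines, rule id 20000777, the function names and the use of Apache's `<LocationMatch>` to scope the exclusion are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed, trimmed sample lines in the error_log format quoted in the thread.
SAMPLE_LOG = r'''
[Sat Aug 15 23:07:04 2020] [:error] [client 1.2.23.5:30006] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [id "20000332"] [uri "/wp-json/wp/v2/posts"]
[Sat Aug 15 23:07:09 2020] [:error] [client 1.2.23.5:30011] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [id "20000332"] [uri "/wp-json/wp/v2/posts"]
[Sat Aug 15 23:07:15 2020] [:error] [client 1.2.23.5:30019] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [id "20000777"] [uri "/wp-json/wp/v2/media"]
[Sat Aug 15 23:08:01 2020] [:error] [client 203.0.113.9:4100] [client 203.0.113.9] ModSecurity: Access denied with code 406 (phase 2). [id "20000555"] [uri "/wp-json/wp/v2/users"]
[Sat Aug 15 23:08:30 2020] [:error] [client 1.2.23.5:30040] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [id "20000332"] [uri "/wp-login.php"]
[Sat Aug 15 23:09:00 2020] [core:notice] AH00094: Command line: '/usr/sbin/httpd'
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')           # [key "value"] pairs
CLIENT = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')  # IPv4 only (assumption)

def parse_hit(line):
    """Return client, rule id and URI for a ModSecurity log line, else None."""
    if "ModSecurity:" not in line:
        return None
    client = CLIENT.search(line)
    fields = dict(FIELD.findall(line))
    if not client or "id" not in fields or "uri" not in fields:
        return None
    return {"client": client.group(1), "id": fields["id"],
            "uri": fields["uri"], "blocked": "Access denied" in line}

def hits_for(log_text, client_ip):
    """Count blocked requests per (rule id, uri) for a single client IP."""
    tally = Counter()
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit and hit["client"] == client_ip and hit["blocked"]:
            tally[(hit["id"], hit["uri"])] += 1
    return tally

def render_exclusion(tally, uri_prefix):
    """Render a stanza that disables only the observed rule ids under uri_prefix."""
    # The prefix comes from the operator, never from the log: logged URIs are
    # client-controlled and must not be copied into Apache configuration.
    if not re.fullmatch(r"/[A-Za-z0-9/_-]*", uri_prefix):
        raise ValueError("unexpected characters in URI prefix")
    ids = sorted({rid for rid, uri in tally
                  if uri.startswith(uri_prefix) and rid.isdigit()}, key=int)
    if not ids:
        return ""
    return ('<LocationMatch "^%s">\n    SecRuleRemoveById %s\n</LocationMatch>\n'
            % (uri_prefix, " ".join(ids)))

if __name__ == "__main__":
    print(render_exclusion(hits_for(SAMPLE_LOG, "1.2.23.5"), "/wp-json/"))
```

The rendered stanza would go in the whitelist file from step 3 and be checked with `apachectl -t` as in step 5; the listed rules stay active for every path outside the prefix.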
