Modsec & Wordpress
Hi Everyone,
I have moved to a new server and my Modsec is playing havoc with my Wordpress websites. I have whitelisted an awful lot of rules, but one in particular is causing a problem. I use the Wordpress App on my phone to update my blog, but Modsec is still blocking it even after I have whitelisted the rule. How can I fix this, please?
240335 [13/May/2016:23:41:29 +0100]
Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "1204"] [id "240335"] [rev "3"] [msg "COMODO WAF: XML-RPC Attack Identified from My IP Address (+1 hits since last alert) (CVE-2013-0235)"]
Request: POST /xmlrpc.php
Action Description: Access denied with code 403 (phase 2).
Justification: Operator EQ matched 0 at IP.
Any help would be much appreciated on this.
Thanks
Rockforduk
-
I'm wondering if that rule is overly restrictive on xmlrpc.php. Since xmlrpc.php is so heavily attacked I would not be surprised. Also, it is possible that IP data is logged in /var/cpanel/secdatadir/ip.dir and ip.pag. If those files exist you can clear temp data by deleting them and restarting Apache. This will reset counts on brute force based rules.
Taking a look at the 32_Apps_OtherApps.conf file, there is a section for xmlrpc but I don't see how it accounts for legitimate requests. Mind you I'm only taking a quick look at it, however, you may need to whitelist some other rule IDs. Sadly since you're on a phone I'm assuming you don't have a static IP address. It would be safer / more preferable to do an IP based whitelist but that is probably not an option.
If it were me, I would whitelist the rules 240334 and 240336 as well, clear out ip.dir / ip.pag, restart Apache, and see where that gets you.
-
Hello,
Feel free to update this thread with the outcome after trying the solution suggested by quizknows in the previous response. Thank you.
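One way to see which rule IDs are actually denying requests to /xmlrpc.php before whitelisting them, as the reply above suggests (an added example, not code from the thread; the log lines are constructed in ModSecurity 2.x error-log style, the IDs 999001 and 999002 are made up, and the function names are hypothetical). It tallies denials per rule ID and prints an exclusion scoped to that one URI rather than a server-wide whitelist:

```python
import re
from collections import Counter

RULES_FILE = "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"
DENY = "Access denied with code 403 (phase 2). Operator EQ matched 0 at IP."
WARN = "Warning. Pattern match at REQUEST_BODY."

def _line(action, rule_id, uri):
    """Build one constructed log line; real logs carry more tags than this."""
    return (f'[Fri May 13 23:41:29 2016] [:error] [client 203.0.113.7] '
            f'ModSecurity: {action} [file "{RULES_FILE}"] [id "{rule_id}"] '
            f'[msg "constructed sample"] [uri "{uri}"]')

# Constructed sample input: 999001 and 999002 are made-up rule IDs.
SAMPLE_LOG = "\n".join([
    _line(DENY, "240335", "/xmlrpc.php"),
    _line(DENY, "240334", "/xmlrpc.php"),
    _line(DENY, "240335", "/xmlrpc.php"),
    _line(DENY, "240336", "/xmlrpc.php"),
    _line(DENY, "999001", "/wp-login.php"),   # denied, but a different URI
    _line(WARN, "999002", "/xmlrpc.php"),     # matched, but not blocked
])

# ModSecurity appends metadata as [name "value"] tags after the message.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def denied_rule_ids(log_text, uri="/xmlrpc.php"):
    """Count rule IDs whose match ended in 'Access denied' for the given URI."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # skip detection-only warnings and unrelated lines
        tags = dict(TAG.findall(line))
        if tags.get("uri") == uri and tags.get("id", "").isdigit():
            hits[tags["id"]] += 1
    return hits

def scoped_exclusion(rule_ids, uri="/xmlrpc.php"):
    """Render a SecRuleRemoveById block limited to one URI, not the whole site."""
    ids = " ".join(sorted(rule_ids, key=int))
    return (f'<LocationMatch "^{re.escape(uri)}$">\n'
            f'    SecRuleRemoveById {ids}\n'
            f'</LocationMatch>')

if __name__ == "__main__":
    hits = denied_rule_ids(SAMPLE_LOG)
    for rule_id, count in hits.most_common():
        print(f"{rule_id}: {count} denial(s)")
    print(scoped_exclusion(hits))
```

Per-location removals like this apply to phase 2 rules such as the one in the log above; ModSecurity 2.x runs phase 1 before Apache has resolved Location scopes.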