$_POST requests to wp-admin/admin-post.php blocked
I'm using Imagify Tools (WordPress Plugin), and I'm receiving many errors:
$_POST requests to wp-admin/admin-post.php blocked
Check this screenshot: https://prnt.sc/VtcaiJAoIa9V
How to enable these requests from my Server or WHM?
-
I would have a look at that site's error_log around the time of the errors to see if it gives any more details as to why - something like:
[Sun May 21 09:xx:xx.356514 2023] [security2:error] [pid 3896702]
[client xx.xx.xx.xx:xxx] [client xx.xx.xx.xx]
ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at
TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
[line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"]
[severity "CRITICAL"]
[ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"]
[tag "platform-multi"] [tag "attack-generic"]
[hostname "xxxx"] [uri "/site/default/settings.php.old"] [unique_id "xxxx"]would indicate the request is being blocked by mod_security rules (which your description "smells like") and
[Sat Dec 02 16:xx:xx.xx 2023] [cgi:error] [pid xxx]
[client xx.xx.xx.xx:xxx:] AH01215: 403 (Forbidden):
403 Forbidden: /home/xxx/public_html/xxxx, referer: https://xxxwould indicate it was probably a .htaccess filter.
You can find these logs via your cPanel control panel under Metrics->Errors (and also under /home/xxx/logs/ and, if you have root access - /var/log/apache2/ ).
Why do I think it is a ModSecurity filter by your description? The fact it is a POST request to an otherwise working endpoint (you'll know if admin-ajax.php was fully blocked) and experience makes me suspect there is something in the POST data which is tripping the filter (plus a quick search using DuckDuckGo has just shown https://wordpress.org/support/topic/imagify-optimization-is-stuck/ ). If you have WHM access, you should be able to confirm this via Security Center->ModSecurity Tools where it should show the "Rule ID" that was triggered and why it was triggered. You then have the option of disabling that rule if you wanted to.
2 -
I agree it's most likely ModSecurity.
1 -
thank you guys
0
Please sign in to leave a comment.
Comments
3 comments