$_POST requests to wp-admin/admin-post.php blocked

Comments

3 comments

  • rbairwell

    I would have a look at that site's error_log around the time of the errors to see if it gives any more details as to why - something like:

    [Sun May 21 09:xx:xx.356514 2023] [security2:error] [pid 3896702]
    [client xx.xx.xx.xx:xxx] [client xx.xx.xx.xx]
    ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at
    TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
    [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"]
    [severity "CRITICAL"]
    [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "language-multi"]
    [tag "platform-multi"] [tag "attack-generic"]
    [hostname "xxxx"] [uri "/site/default/settings.php.old"] [unique_id "xxxx"]

    would indicate the request is being blocked by mod_security rules (which your description "smells like") and

    [Sat Dec 02 16:xx:xx.xx 2023] [cgi:error] [pid xxx]
    [client xx.xx.xx.xx:xxx:] AH01215: 403 (Forbidden):
    403 Forbidden: /home/xxx/public_html/xxxx, referer: https://xxx

    would indicate it was probably a .htaccess filter.

    You can find these logs via your cPanel control panel under Metrics->Errors (and also under /home/xxx/logs/ and, if you have root access - /var/log/apache2/ ).

    Why do I think it is a ModSecurity filter by your description? The fact it is a POST request to an otherwise working endpoint (you'll know if admin-ajax.php was fully blocked) and experience makes me suspect there is something in the POST data which is tripping the filter (plus a quick search using DuckDuckGo has just shown https://wordpress.org/support/topic/imagify-optimization-is-stuck/ ). If you have WHM access, you should be able to confirm this via Security Center->ModSecurity Tools where it should show the "Rule ID" that was triggered and why it was triggered. You then have the option of disabling that rule if you wanted to.

    2
  • quietFinn

    I agree it's most likely ModSecurity.

    1
  • Ahmed Hamdy

    Thank you, guys.

    0
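
The log check described in the first comment, as an added example that is not part of the original thread: a small Python classifier that separates ModSecurity denials from other 403 entries in an Apache error_log and pulls out the rule ID, message, URI and unique_id. The function names `classify` and `summarize` are hypothetical, and the sample lines are constructed from the two formats quoted above with placeholder hosts and addresses.

```python
import re

# Constructed sample lines modelled on the two formats quoted in the thread
# (addresses are documentation-range placeholders, hostnames are examples).
SAMPLE_LOG = """\
[Sun May 21 09:15:02.356514 2023] [security2:error] [pid 3896702] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "94"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [hostname "example.test"] [uri "/wp-admin/admin-post.php"] [unique_id "constructed-1"]
[Sat Dec 02 16:40:11.120001 2023] [cgi:error] [pid 4242] [client 203.0.113.7:51300] AH01215: 403 (Forbidden): 403 Forbidden: /home/user/public_html/wp-admin/admin-post.php, referer: https://example.test/wp-admin/
[Sat Dec 02 16:41:00.000001 2023] [core:notice] [pid 4242] AH00094: Command line: '/usr/sbin/httpd'
"""

# "[timestamp] [module:level]" prefix of an Apache 2.4 error_log line.
MODULE = re.compile(r"^\[[^\]]+\] \[([a-z0-9_]+):(\w+)\]")
# ModSecurity metadata fields such as [id "949110"] or [uri "/path"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def classify(line):
    """Return a dict describing a 403-related log line, or None if unrelated."""
    m = MODULE.match(line)
    if not m:
        return None
    module = m.group(1)
    if module == "security2" and "ModSecurity: Access denied" in line:
        fields = {}
        for key, value in FIELD.findall(line):
            fields.setdefault(key, value)  # keep first value; [tag ...] repeats
        return {"source": "modsecurity",
                "rule_id": fields.get("id"),
                "msg": fields.get("msg"),
                "uri": fields.get("uri"),
                "unique_id": fields.get("unique_id")}
    if "403 (Forbidden)" in line:
        # The thread attributes this form to a probable .htaccess filter.
        return {"source": "other-403", "module": module}
    return None


def summarize(log_text):
    """Classify every line and keep only the 403-related hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in summarize(SAMPLE_LOG):
        print(hit)
```

Rule 949110 is the OWASP CRS anomaly-score threshold check, so the rules that actually contributed the score are logged as separate entries sharing the same unique_id; those are the IDs to review before disabling anything.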
