ModSec rule 920440 triggers a CRITICAL hit on server's own IP because of WordPress
WordPress sites will sometimes trigger 920440 because one of the WordPress site's cron task PHP scripts is reading a debug.log file which rule 920440 does not like (*.log).
The issue is that ModSec registers the hit with the server's own IP address and it flags it as a CRITICAL hit too, which is even more absurd.
Should we be concerned that ModSec will blacklist itself? Is there a way to prevent ModSec from blacklisting the server's own IP address? (The only way that I can see right now is to disable rule 920440, which is of course a huge no, because it lowers the security level. The other way would be to edit it, but WHM doesn't let us edit it since it's a vendor rule.)
-
Hey hey! It is technically possible for ModSec to block the local IP. It's rare, but can happen. Would the URI exclude match work in this situation?
https://www.liquidweb.com/blog/whitelisting-in-modsec/
That allows you to whitelist the ModSec rule for just a specific page.
0 -
I see that this cPanel forum login procedure is still very janky. Any idea when you guys will fix this? It takes like 3 attempts and like 12 redirects to be able to sign in on here.
Your solution could probably work, but it's a lot of work, given the number of WordPress sites that we host. It's not just one, it's like 60+ sites and this changes multiple times through a year, so imagine how impractical that would be to recompile the rules every time a new site comes in or goes away from the server.
I guess the best solution for now would be to whitelist our server's own IP address against ModSec, which feels unsafe, but at the same time, since most of our hosted sites use PHP-FPM, it's very unlikely that one user could read another user's files.
0 -
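An added example, not part of the thread and not cPanel's or the rule vendor's own configuration: a server-wide exclusion that combines the two ideas above (the per-page exclusion from the first reply and the own-IP whitelist from the follow-up) by removing only rule 920440, only for the server's own address, and only for `.log` requests. The address 203.0.113.10 and the rule IDs are placeholders, and the `.log` match assumes the hit is on a request whose file name ends in `.log`, as the first post describes.

```apache
# Added example. 203.0.113.10 stands in for the server's own IP and
# 1000000/1000001 are arbitrary unused rule IDs; all are placeholders.
# Load this before the vendor rule set so the ctl action has already
# run when rule 920440 is evaluated.

# Broad form (whitelisting the server's IP against ModSec entirely).
# Every rule is skipped for this address, so anything that reaches the
# web server from it, including traffic relayed by a local proxy, goes
# uninspected. Shown commented out for comparison only.
# SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
#     "id:1000000,phase:1,pass,nolog,t:none,ctl:ruleEngine=Off"

# Scoped form: drop only rule 920440, only for the server's own
# address, and only when the requested file name ends in .log.
# All other rules still apply to requests from this address.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:1000001,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_BASENAME "@endsWith .log" \
        "t:none,ctl:ruleRemoveById=920440"
```

Because the rule keys on the server address rather than on a site or path, it does not need to change when sites are added to or removed from the server.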
Yes, I finally have an official word that the login issues are getting resolved. We'll be replacing the current cPanelID system with a WebProsID system that doesn't experience this issue. I don't have any ETA on when that is happening but work is underway and we've confirmed it fixes the issue across all the cPanel areas where a login is required.
0 -
Ah, so I was right a couple years ago in thinking that cPanel is being replaced by Plesk. The change is already happening before us. Will you be renamed from cPRex to Plrex?
0 -
No one ever said that.
0 -
I predict it.
0