Author Topic: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0

Hi,

Does WordPress or WooCommerce, the latest versions, have a conflict with the OWASP CRS v4.16.0 rules?

Do I need to set additional rules in the global_disabled_rules.conf file?

thanks in advance!

BR
Venty

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #1 on: July 14, 2025, 12:30:36 PM »
Hi,

Does WordPress or WooCommerce, the latest versions, have a conflict with the OWASP CRS v4.16.0 rules?

Do I need to set additional rules in the global_disabled_rules.conf file?

thanks in advance!

BR
Venty
...I return OWASP CRS version 4.15.0, everything works - WordPress etc., I return OWASP CRS version 4.16.0 - error 403...

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #2 on: July 14, 2025, 01:33:28 PM »
Look in the logs, and it will show you what rule blocked it.

In your global_disabled_rules.conf, you should have these:

Code:
## Removed rules for CWP ##
SecRuleRemoveById 960017
SecRuleRemoveById 960015
SecRuleRemoveById 960009
#######################################################
## Removed Rules for WordPress and phpMyAdmin ##
#######################################################
## Removed rules for Wordpress ##
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 959073
SecRuleRemoveById 958030
# Needed for WordPress Cloudflare Plugin
SecRuleRemoveById 911100
## Removed rules for webftp_simple ##
SecRuleRemoveById 950922
SecRuleRemoveById 981000
SecRuleRemoveById 950109
## Removed rules for phpMyAdmin ##
SecRuleRemoveById 981205
SecRuleRemoveById 970901
SecRuleRemoveById 960904
SecRuleRemoveById 960915
SecRuleRemoveById 981318
SecRuleRemoveById 981320
SecRuleRemoveById 981240

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #3 on: July 14, 2025, 02:28:17 PM »
Look in the logs, and it will show you what rule blocked it.

In your global_disabled_rules.conf, you should have these:

Code:
## Removed rules for CWP ##
SecRuleRemoveById 960017
SecRuleRemoveById 960015
SecRuleRemoveById 960009
#######################################################
## Removed Rules for WordPress and phpMyAdmin ##
#######################################################
## Removed rules for Wordpress ##
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 959073
SecRuleRemoveById 958030
# Needed for WordPress Cloudflare Plugin
SecRuleRemoveById 911100
## Removed rules for webftp_simple ##
SecRuleRemoveById 950922
SecRuleRemoveById 981000
SecRuleRemoveById 950109
## Removed rules for phpMyAdmin ##
SecRuleRemoveById 981205
SecRuleRemoveById 970901
SecRuleRemoveById 960904
SecRuleRemoveById 960915
SecRuleRemoveById 981318
SecRuleRemoveById 981320
SecRuleRemoveById 981240

Hi,
When I have rules version 4.16.0, rules with ids 980170, 949110, 930130 are the ones that block, I set them in global_disabled_rules.conf, but again I can't access and install WordPress...

When I revert the rules to version 4.15.0 , things work....

and finally, the blocking seems to be not just for WordPress...

BR
Venty

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #4 on: July 14, 2025, 03:42:16 PM »
You will need to look through your error logs and see which rules are triggering the blocks, then add them to the global rules file:
Code:
grep "modsecurity" /usr/local/apache/domlogs/*.error.log
Afterward, don't forget to restart httpd. You can also disable Mod Security on a user-account basis to get you through the WordPress install process.

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #5 on: July 15, 2025, 04:03:51 AM »
I have Wordpress sites running fine with WooCommerce using OWASP v4.16.0

I haven't done anything special but do have the rules disabled that @Starburst linked above + a couple of extras so I'd check that first.

## Wordpress ##
SecRuleRemoveById 981172
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 981319
SecRuleRemoveById 959073
SecRuleRemoveById 958030
Web Design, Development & Web Hosting
https://6sense.com.au

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #6 on: July 15, 2025, 12:44:28 PM »
More for WordPress:
Code:
## Wordpress ##
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 959073
SecRuleRemoveById 958030
SecRuleRemoveById 981172
SecRuleRemoveById 981319
SecRuleRemoveById 981260
SecRuleRemoveById 973308
SecRuleRemoveById 973335
SecRuleRemoveById 973347
SecRuleRemoveById 973334
SecRuleRemoveById 950007

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #7 on: July 23, 2025, 04:43:26 AM »
Thank you very much.

I've identified some extra ones since I updated to 4.16.0

Code:
## Wordpress ##
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 980170
SecRuleRemoveById 981172
SecRuleRemoveById 981319
SecRuleRemoveById 981260
SecRuleRemoveById 973308
SecRuleRemoveById 973335
SecRuleRemoveById 973347
SecRuleRemoveById 973334
SecRuleRemoveById 959073
SecRuleRemoveById 958030
SecRuleRemoveById 950007
SecRuleRemoveById 942420
SecRuleRemoveById 942290
SecRuleRemoveById 949110
A global boutique AI consulting, marketing & advertising agency, helping businesses worldwide achieve success - headquartered in Singapore, Southeast Asia.

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #8 on: July 23, 2025, 02:09:18 PM »
Hi,

I checked the error logs again, tested with OWASP CRS version 4.15.0 and OWASP CRS version 4.16.0, mod_security version 2.9.11 and again found that rules with identifiers 980170, 949110, 930130 and 932235 are the ones that block.

- OWASP CRS version 4.15.0: blocks stop work in the WordPress panel and theme settings...
- OWASP CRS version 4.16.0: error 403...
When disabling mod_security, everything works normally...

I set them in global_disabled_rules.conf, but again the services are blocked...

I also noticed that the rule with ID 980170 appears very often in the error logs...

1. What should I do in this case?
2. Is it correct to enter the rule with ID 980170 in global_disabled_rules.conf ?
3. How can I reliably verify that global_disabled_rules.conf is working?

BR
Venty

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #9 on: July 23, 2025, 06:21:36 PM »
I'm wondering if this isn't a plugin conflict with the OWASP rules.

We run WordPress, and haven't had any problems mentioned.

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #10 on: July 23, 2025, 08:33:21 PM »
I'm wondering if this isn't a plugin conflict with the OWASP rules.

We run WordPress, and haven't had any problems mentioned.

Hi,

I think it's exactly like that, but not from a plugin, but rather from the theme...

I tested from different IPs, but the result I see in the error logs is the same - the same rule IDs that block several PHP files related to the AVIA editor that the theme uses...

In addition, I received messages that the IP I was using was blocked - Blocked: Permanent Block [LF_MODSEC] (IP match in csf.allow, block may not work)...
1. Now, I read that the rules starting with 980 and 949 should not be excluded entirely, maybe there is an option to set mod_security not to block the AVIA editor files and IPs?
2. IP match in csf.allow, but I assume this does not prevent me from setting rules for this IP so that it is not blocked?

BR
Venty

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #11 on: July 23, 2025, 10:10:25 PM »
Try these 2 files, and let me know.

https://dl.starburst.help/ModSecurity_Misc/wordpress-rule-exclusions/

They are labeled, but
-startup goes into the /startup folder
-before goes into the /before folder

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #12 on: July 23, 2025, 11:04:19 PM »
You can also remove mod sec rules by domain rather than server wide too. I also think it's a WP theme related issue as some older WP sites I host were experiencing mod sec blocks & others did not.

IN CWP UI (might require CWP Pro)

- Mod Security
- Click Domains tab
- Click Edit rules on required domain
- Click Edit config file (create file & pathway if necessary).

I’ve added some custom rule removals this way for some WP sites that were causing the blocks as I wasn’t comfortable removing server wide.
Web Design, Development & Web Hosting
https://6sense.com.au

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #13 on: July 24, 2025, 08:31:07 AM »
Hi,

When I put the following rules 941100, 949110, 980170 and 932235 in the file global_disabled_rules.conf, which is located in the folder /usr/local/apache/modsecurity-rules/custom-rules/before/ they are not removed ...

When I add the same rules via CWP UI / Security/Mod Security / Domains tab / Edit rules on required domain... then they are removed and the administrative panel of the site, which is on the WordPress works...

Why does this happen, isn't the file global_disabled_rules.conf for disabling the rules for all domains?

BR
Venty
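
An added example (not from this thread or from CWP) covering both the question in Reply #10 about not blocking the theme editor files and the question in Reply #13 about why SecRuleRemoveById in the before/ folder had no effect: SecRuleRemoveById only removes rules that are already loaded at the point where it appears, so in a file loaded before the CRS it does nothing, while ctl:ruleRemoveById is evaluated per request and works from a before/ file. The theme path and the custom rule ids are assumptions; the excluded rule ids are the ones reported in the thread.

```apache
# Added example: scoped CRS v4 exclusions for a WordPress site on CWP.
# Intended for a file under /usr/local/apache/modsecurity-rules/custom-rules/before/
# (path as given in the thread), i.e. loaded BEFORE the CRS rule files.
#
# Do NOT remove 949110 or 980170: 949110 is the anomaly-score blocking
# evaluation and 980170 the score reporting. They fire whenever the
# accumulated score exceeds the threshold, so removing them switches off
# blocking for every request instead of fixing the false positive.
# Exclude the scoring rules that actually matched (930130, 932235, 941100,
# 942290, 942420 in this thread), and only where they misfire.

# 1. Requests to the theme's editor files. The path is a PLACEHOLDER;
#    use the "[uri ...]" value from the ModSecurity error log entries.
SecRule REQUEST_FILENAME "@beginsWith /wp-content/themes/PLACEHOLDER-THEME/" \
    "id:10001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=930130,\
    ctl:ruleRemoveById=932235,\
    ctl:ruleRemoveById=941100"

# 2. Logged-in editors saving content through wp-admin: instead of
#    dropping the XSS/SQLi rules for the whole site, remove only the
#    post body argument from them (ruleRemoveTargetById) and only when a
#    wordpress_logged_in_* cookie is present, so anonymous requests to
#    the same URL are still fully inspected.
SecRule REQUEST_FILENAME "@rx ^/wp-admin/(post|admin-ajax)\.php$" \
    "id:10002,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_COOKIES_NAMES "@beginsWith wordpress_logged_in_" \
        "t:none,\
        ctl:ruleRemoveTargetById=941100;ARGS:post_content,\
        ctl:ruleRemoveTargetById=942290;ARGS:post_content,\
        ctl:ruleRemoveTargetById=942420;ARGS:post_content"

# Verification: "apachectl -t" must report Syntax OK after the change,
# and after a restart the excluded rule ids must no longer appear in
# "grep modsecurity /usr/local/apache/domlogs/*.error.log" for the
# matching URIs. If a SecRuleRemoveById line is wanted instead, it has
# to live in a file loaded AFTER the CRS (the after/ folder), not here.
```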

Re: WordPress or WooCommerce, have a conflict with the OWASP CRS v4.16.0
« Reply #14 on: July 25, 2025, 12:19:43 AM »
There is more than 1 global_disabled_rules.conf file in the mix.

It depends how you set your modsec up (eg: which one is it pointed to).
Web Design, Development & Web Hosting
https://6sense.com.au