If you enable mod_security on your Apache server and install the base rules, you'll probably notice that your WordPress blog no longer functions correctly.
To fix this, you can add the following between the <VirtualHost> tags in the vhost file that powers your blog. Apache does not accept a comment on the same line as a directive (the text after # would be parsed as extra rule IDs), so each comment is kept on its own line:
<LocationMatch "/">
# 910006 Google robot activity - useful in some ways, but noisy for sites you want crawled
SecRuleRemoveById 910006
# 960015 Request Missing an Accept Header - allow Google Reader
SecRuleRemoveById 960015
</LocationMatch>
<LocationMatch "/wp-admin/post.php">
# 950006 System Command Injection - probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments
SecRuleRemoveById 950006
</LocationMatch>
<LocationMatch "(/wp-admin/|/wp-login.php)">
# 950005 Remote File Access Attempt - probably no need for everyone to disable this; it lets me put /etc/ and other Linux paths in posts
SecRuleRemoveById 950005
# 950117 Remote File Inclusion Attack - disabled to allow http:// to be passed in args
SecRuleRemoveById 950117
</LocationMatch>
<LocationMatch "(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
# 950907 System Command Injection
SecRuleRemoveById 950907
# 950005 Remote File Access Attempt - probably no need for everyone to disable this; it lets me put /etc/ and other Linux paths in posts
SecRuleRemoveById 950005
# 950006 System Command Injection - probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments
SecRuleRemoveById 950006
# 959006 SQL Injection Attack
SecRuleRemoveById 959006
# 960008 Request Missing a Host Header
SecRuleRemoveById 960008
# 960011 GET or HEAD requests with bodies
SecRuleRemoveById 960011
# 960904 Request Containing Content, but Missing Content-Type header
SecRuleRemoveById 960904
# phpids-17 Detects JavaScript object properties and methods
SecRuleRemoveById phpids-17
# phpids-20 Detects JavaScript language constructs
SecRuleRemoveById phpids-20
# phpids-21 Detects very basic XSS probings
SecRuleRemoveById phpids-21
# phpids-30 Detects common XSS concatenation patterns 1/2
SecRuleRemoveById phpids-30
# phpids-61 Detects URL injections and RFE attempts
SecRuleRemoveById phpids-61
</LocationMatch>
<LocationMatch "/wp-includes/">
# 950006 System Command Injection - probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments
SecRuleRemoveById 950006
# 959006 SQL Injection Attack
SecRuleRemoveById 959006
# 960010 Request content type is not allowed by policy - allows, amongst other things, spell check to work in the admin area
SecRuleRemoveById 960010
# 960012 Require Content-Length to be provided with every POST request - same as above
SecRuleRemoveById 960012
# phpids-17 Detects JavaScript object properties and methods
SecRuleRemoveById phpids-17
# phpids-20 Detects JavaScript language constructs
SecRuleRemoveById phpids-20
# phpids-21 Detects very basic XSS probings
SecRuleRemoveById phpids-21
# phpids-30 Detects common XSS concatenation patterns 1/2
SecRuleRemoveById phpids-30
# phpids-61 Detects URL injections and RFE attempts
SecRuleRemoveById phpids-61
</LocationMatch>
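Before copying a list like the one above, it pays to check which rules actually fire on your own blog and on which paths, so that each exception stays scoped to the narrowest LocationMatch that needs it and rules that only trip on the public front-end are left blocking. The script below is an added example, not part of the original post: it parses the entries ModSecurity 2.x writes to the Apache error_log, tallies (location, rule id) pairs, emits exceptions only for the WordPress paths the post scopes its own exceptions to, and reports front-end hits separately for manual review. The log lines, client addresses, hostnames and file paths are constructed for the example; the prefix list WP_PREFIXES and the helper names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of ModSecurity 2.x entries as Apache writes them to error_log.
# Timestamps, clients, file paths and unique_ids are made up for this example;
# the rule ids and messages mirror the ones named in the post.
SAMPLE_ERROR_LOG = r"""
[Tue Mar 01 10:00:01 2011] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.exe" at ARGS:content. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "10"] [id "950006"] [msg "System Command Injection"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "a1"]
[Tue Mar 01 10:02:13 2011] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/etc/" at ARGS:content. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "12"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "a2"]
[Tue Mar 01 10:02:40 2011] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "/etc/" at ARGS:content. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "12"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "a3"]
[Tue Mar 01 10:05:40 2011] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.\./" at ARGS:file. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "30"] [id "950103"] [msg "Path Traversal Attack"] [severity "CRITICAL"] [hostname "blog.example.com"] [uri "/index.php"] [unique_id "a4"]
[Tue Mar 01 10:07:02 2011] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "5"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "blog.example.com"] [uri "/feed/"] [unique_id "a5"]
"""

# One error_log entry. ModSecurity 2.x prints the [id], [msg] and [uri] fields in this order.
ENTRY_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>Access denied[^.]*\.|Warning\.)'
    r'.*?\[id "(?P<id>[^"]+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]+)"\]'
)

# WordPress paths the post scopes its exceptions to (assumed list for this example).
# Any other URI counts as the public front-end and never gets an exception here.
WP_PREFIXES = ("/wp-admin/", "/wp-login.php", "/wp-includes/", "/wp-content/plugins/")


def location_for(uri):
    """Map a request URI to the narrowest known WordPress prefix, or "/" for the front-end."""
    for prefix in WP_PREFIXES:
        if uri.startswith(prefix):
            return prefix
    return "/"


def parse_entries(text):
    """Extract client, rule id, message, uri and whether the request was blocked."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["blocked"] = entry["action"].startswith("Access denied")
            entries.append(entry)
    return entries


def tally(entries):
    """Count (location, rule id) pairs and remember each rule's message for the report."""
    counts = Counter()
    msgs = {}
    for e in entries:
        counts[(location_for(e["uri"]), e["id"])] += 1
        msgs[e["id"]] = e["msg"]
    return counts, msgs


def render_exceptions(counts, msgs, locations=WP_PREFIXES):
    """Emit SecRuleRemoveById blocks, one LocationMatch per WordPress prefix seen in the log.

    Each comment sits on its own line because Apache rejects "# ..." after a directive."""
    by_loc = defaultdict(list)
    for (loc, rid), n in counts.items():
        if loc in locations:
            by_loc[loc].append((rid, n))
    blocks = []
    for loc in sorted(by_loc):
        lines = ['<LocationMatch "^%s">' % loc]
        for rid, n in sorted(by_loc[loc]):
            lines.append("# %s %s (%d hit%s in log)" % (rid, msgs[rid], n, "" if n == 1 else "s"))
            lines.append("SecRuleRemoveById %s" % rid)
        lines.append("</LocationMatch>")
        blocks.append("\n".join(lines))
    return "\n".join(blocks)


def front_end_hits(counts):
    """Rule ids that fired on the public front-end: review these, do not whitelist them."""
    return Counter({rid: n for (loc, rid), n in counts.items() if loc == "/"})


if __name__ == "__main__":
    found = parse_entries(SAMPLE_ERROR_LOG)
    hits, messages = tally(found)
    print(render_exceptions(hits, messages))
    print("# Front-end hits left blocking:", dict(front_end_hits(hits)))
```

Run it against a real error_log (replace SAMPLE_ERROR_LOG with the file contents) and compare the generated blocks with the ones you intend to install; a rule that fires only from the front-end, like the path traversal hit on /index.php in the sample, stays enabled and shows up in the review list instead.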
There are a lot more exceptions, but these work in my situation at the moment. If you have good additional suggestions for mod_security exceptions or ideas on improving security within these rules for WordPress, contact me and I might update the post or write a follow-up.
Happy and safe sitebuilding…