WordPress Connection Issues: ModSecurity

In some cases, the connection to WordPress will not allow new blog articles to be submitted. An error such as the following is returned:

The page you are trying to access is restricted due to a security rule.

If you believe the security rule is affecting the normal operation of your website, contact your host support team and provide detailed instructions how to recreate this error. They will be able to assist you with rectifying the problem and adjusting the security configuration if needed.

What this is telling us is that the administrator of the WordPress server is using the ModSecurity module, configured to block certain types of content. This is known to interfere with WordPress and the use of xmlrpc.php to submit new blog content.

The warning message is telling us to ask the administrator of your WordPress software to configure ModSecurity so that it will not interfere with WordPress.

This article talks more about configuring ModSecurity…

For instance, settings such as SecRequestBodyLimit and SecRequestBodyNoFilesLimit should be set higher to accommodate a full blog post.

But in general it is recommended to disable ModSecurity for the WordPress backend folder, as explained in the excerpt below:

Excluding Hosts and Directories

Sometimes it makes sense to exclude a particular directory or a domain name if it is running an application like phpMyAdmin, as ModSecurity will block SQL queries. It is also better to exclude admin backends of CMS applications like WordPress.

To disable ModSecurity for a complete VirtualHost, place the following

<IfModule security2_module>
    SecRuleEngine Off
</IfModule>

inside the <VirtualHost> section.

For a particular directory:

<Directory "/var/www/wp-admin">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</Directory>
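
A narrower alternative to the exclusions above, as an added example that is not part of the original article or the quoted excerpt. xmlrpc.php sits in the WordPress root rather than under wp-admin, so this scopes the exception to that one file, raises the two body limits mentioned earlier, and keeps the rule engine on for the rest of the site. The size values and the rule id 999999 are placeholders chosen for illustration.

```apache
# Added example; not from the original article or the quoted excerpt.
# Assumptions: this sits inside the site's <VirtualHost>, the size values
# are illustrative, and 999999 is a placeholder rule id.
<IfModule security2_module>
    # Rules stay enforced for the rest of the site.
    SecRuleEngine On

    # <Files> matches by file name, so this covers xmlrpc.php wherever
    # WordPress is installed under the document root.
    <Files "xmlrpc.php">
        # Step 1 (diagnosis): evaluate and log rule matches for this
        # endpoint without blocking, then reproduce the failed post and
        # read the id of the matching rule from the ModSecurity audit log.
        SecRuleEngine DetectionOnly

        # An XML-RPC post is not a multipart upload, so its whole body
        # counts against the no-files limit as well as the overall limit.
        # Size both to the largest post you expect to publish.
        SecRequestBodyLimit 13107200
        SecRequestBodyNoFilesLimit 1048576

        # Step 2 (fix): once the rule is known, delete the DetectionOnly
        # line above and remove only that rule for this endpoint.
        # SecRuleRemoveById 999999
    </Files>
</IfModule>
```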

It is not uncommon to run into situations where special WordPress configurations have been made. This is the nature of open source software and the many ways to implement it. We often work with clients to make sure all of the proper settings are in place to make the integration run smoothly.