Is turning off mod_security dangerous?

Security can be complex and answering your question with a simple yes or no wouldn’t help you I guess. In this specific case, Mod_Security is switched of, so that your website works as intended. So in this case you must say no and it’s adviseable to admit that in this case mod_security switched on renders your application useless.

In a more general perspective, mod_security on most servers is configured in a way for a potential, generell “aahh threads, go away!” setup. Nothing specific for known wordpress exploits at all. So commonly, mod_security is only an additional layer that lies somewhere and only the admin who configured it does really know what it is protecting and against what it is protecting.

If you want to protect yourself a bit more, protect /wp-admin/ with an additional .htaccess based password rule for example.

Thank you!

I implemented this fix and it worked. a few days later, my parent host (I have a reseller account) has done something (I assume) that is deleting my htaccess files. I have a ticket in about this and am awaiting an answer.
Is there a better fix for this yet?

This is most frustrating.

12thharmonic: If your hoster ist deleting your .htaccess files, then talk with your hoster to stop that. If your hoster is not able to host you with .htaccess files then get one that clearly states to provide that feature. I know it is the hard way, but if your hoster is not able to host you with .htaccess then this could be a sign that your hoster is of very bad quality and has got esoteric security policies. I would not consider myself comfortable with such a hoster.

I agree.
This is the first I have seen this. For three years they have been exemplary. I am awaiting more information now. If they cannot explain themselves and restore things to how they were, I will have to find a new host and move eight accounts on my reseller, and two individual accounts w/ the same host other clients have.

I will be extreemly disappointed if a three year solid relationship has to end. Oh the inconvenience! ??
I will update you all on this. especialy if I move to announce who they are. I’ll hold off for the moment.

for what it’s worth, 1&1 is great. I have not had any host-related problems. I did have some attacks related to some WP plugs, and the 1&1 support helped me find the logs.

Back on topic: You posted

So now my htaccess looks like this:

<IfModule mod_rewrite.c>
<files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
SecFilterInheritance Off
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</files>
</IfModule>

That is wrong. You mixed two things up. Please see the following:

<ifmodule mod_security.c>
<files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</files>
</ifmodule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

You putted multiple blocks inside each other that hat nothing to do with themselves.

Yep, I changed it after I posted here to

<IfModule mod_rewrite.c>
<files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
SecFilterInheritance Off
</files>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

The way it was before, it did not work correctly. Now all seems ok.

Just keep the <ifmodule mod_security.c> mod_security rules like SecFilterEngine </ifmodule> and <IfModule mod_rewrite.c></IfModule> parts apart from each other. do not put the <files></files> section inside the rewrite part for example.

Ran into problem where mod_security2 does not allow file uploads in WordPress, the solution is in the mod_security config file

modsecurity_crs_20_protocol_violations.conf

you need to comment out the SecRule that mentions “malformed data”, this will allow the upload of chunked data via the wordpress upload