• I am running an Ubuntu 20.04 LEMP Server with Modsecurity installed. I am using the brand new CRS4 for my ruleset. When Modsecurity is off in my wordpress health page, I get no errors. However, after turning on Modsecurity in my WP health page, I get the following errors on my WP health screen:

    The REST API is one way that WordPress and other applications communicate with the server. For example, the block editor screen relies on the REST API to display and save your posts and pages. When testing the REST API, an unexpected result was returned: 
    
    REST API Endpoint: https://www.mcmo.is/wp-json/wp/v2/types/post?context=edit
    REST API Response: (403) Forbidden

    I’m finding nothing in the modsec logs. How can I go about finding and setting the proper rule exclusions for CRS4 in Modsecurity? Please help if you are knowledgeable about Modsecurity and rule exclusions.


Viewing 1 replies (of 1 total)
  • As you said, it showed a 403 Forbidden error, which is the HTTP status code sent by the server when the client (user) initiating the request doesn’t have permission to access a specific page or resource.
    
    1. Contact your host
    It is a server-side error, and a recommended and safer solution for fixing the error is to contact your hosting provider. Reach out to their support team, describe the issue, and they will likely resolve it by disabling specific security rules or whitelisting the requested page.
    
    2. Find the whitelist.conf or exclude.conf file and add the following code.
    
    <LocationMatch "/wp-admin/page.php">
        SecRuleRemoveById 300013
        SecRuleRemoveById 300015
        SecRuleRemoveById 300016
        SecRuleRemoveById 300017
        SecRuleRemoveById 949110
        SecRuleRemoveById 980130
    </LocationMatch>
    
    <LocationMatch "/wp-admin/post.php">
        SecRuleRemoveById 300013
        SecRuleRemoveById 300015
        SecRuleRemoveById 300016
        SecRuleRemoveById 300017
        SecRuleRemoveById 949110
        SecRuleRemoveById 980130
    </LocationMatch>
    
    3. Disable mod_security for a specific URL
    With this approach, you can deactivate mod_security for particular URLs rather than for your entire site, providing a more secure option. You can define the URLs to match using regex within the <If> statement below.
    
    <IfModule mod_security2.c>
        <If "%{REQUEST_URI} =~ m#/admin/#">
            # ModSecurity 2.x names for the v1 SecFilterEngine / SecFilterScanPOST directives
            SecRuleEngine Off
            SecRequestBodyAccess Off
        </If>
    </IfModule>
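
Added example, not from the thread: a Python helper that pulls the rule ids that fired for a URI prefix out of libmodsecurity error-log lines and renders them as a CRS runtime exclusion, the SecRule/ctl form that works on the poster's nginx (LEMP) setup, where Apache <LocationMatch> sections do not apply. It skips the 949xxx blocking-evaluation and 980xxx correlation rules, since those fire only because earlier rules scored. The log lines, rule hits and URIs are constructed sample data; the exclusion id 10001 is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample lines in the libmodsecurity (nginx) error-log style; the
# timestamps, rule hits and URIs are made up for this example.
SAMPLE_LOG = """\
2024/01/15 10:22:33 [error] 1234#1234: *5 ModSecurity: Warning. Matched "Operator `Rx'" [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920300"] [msg "Request Missing an Accept Header"] [uri "/wp-json/wp/v2/types/post"]
2024/01/15 10:22:33 [error] 1234#1234: *5 ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge'" [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-json/wp/v2/types/post"]
2024/01/15 10:22:33 [error] 1234#1234: *5 ModSecurity: Warning. Matched "Operator `Ge'" [file "RESPONSE-980-CORRELATION.conf"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5)"] [uri "/wp-json/wp/v2/types/post"]
2024/01/15 10:23:01 [error] 1234#1234: *7 ModSecurity: Warning. Matched "Operator `Rx'" [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920300"] [msg "Request Missing an Accept Header"] [uri "/wp-json/wp/v2/posts"]
2024/01/15 10:24:10 [error] 1234#1234: *9 ModSecurity: Warning. detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
"""

# Pull the rule id and the request URI out of one ModSecurity log entry.
HIT_RE = re.compile(r'ModSecurity: .*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]')


def triggered_rules(log_text, uri_prefix):
    """Map each CRS rule id that fired under uri_prefix to the URIs it hit.

    949xxx (blocking evaluation) and 980xxx (correlation) entries are skipped:
    they fire only because earlier rules raised the anomaly score, so removing
    them would switch blocking off for the path instead of fixing the false positive.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if not m or not m.group("uri").startswith(uri_prefix):
            continue
        if m.group("id").startswith(("949", "980")):
            continue
        hits[m.group("id")].add(m.group("uri"))
    return dict(hits)


def exclusion_rule(uri_prefix, rule_ids, exclusion_id=10001):
    """Render a runtime exclusion in the form CRS documents (ctl:ruleRemoveById).

    exclusion_id is a placeholder in the 1-99999 range reserved for local rules.
    """
    ctl = ",".join(f"ctl:ruleRemoveById={r}" for r in sorted(rule_ids))
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" \\\n'
            f'    "id:{exclusion_id},phase:1,pass,nolog,{ctl}"')


if __name__ == "__main__":
    for rule_id, uris in triggered_rules(SAMPLE_LOG, "/wp-json/").items():
        print(f"rule {rule_id} fired on: {', '.join(sorted(uris))}")
    print(exclusion_rule("/wp-json/", triggered_rules(SAMPLE_LOG, "/wp-json/")))
```

The generated rule must load before the CRS rules, which is why CRS provides REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf for it; when the false positive comes from a single parameter, ctl:ruleRemoveTargetById=ID;ARGS:name drops only that target and keeps the rule active everywhere else.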
  • The topic ‘Modsecurity crs4 rule exclusions for WordPress Rest API?’ is closed to new replies.