mod security - mod_security2 rules for WordPress
Are there standard (?!) mod_security2 rules for servers with WordPress websites? I want to make clear that I do not want to disable mod_security2 (it exists for a reason). I want to make life a little bit easier when working with WordPress installations.
I have read http://wpsecure.net/2012/01/using-mod_security-2-with-wordpress/ and it would be great to hear more opinions from people using mod_security2 & WordPress.
Because I am no expert on this, is there documentation to read on the following...

    <LocationMatch "/wp-admin/post.php">
        SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
        SecRuleRemoveById phpids-17
        SecRuleRemoveById phpids-20
        SecRuleRemoveById phpids-21
        SecRuleRemoveById phpids-30
        SecRuleRemoveById phpids-61
    </LocationMatch>

    <LocationMatch "/wp-admin/admin-ajax.php">
        SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
        SecRuleRemoveById phpids-17
        SecRuleRemoveById phpids-20
        SecRuleRemoveById phpids-21
        SecRuleRemoveById phpids-30
        SecRuleRemoveById phpids-61
    </LocationMatch>

    <LocationMatch "/wp-admin/page.php">
        SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904
        SecRuleRemoveById phpids-17
        SecRuleRemoveById phpids-20
        SecRuleRemoveById phpids-21
        SecRuleRemoveById phpids-30
        SecRuleRemoveById phpids-61
    </LocationMatch>

    <LocationMatch "/wp-admin/options.php">
        SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
        SecRuleRemoveById phpids-17
        SecRuleRemoveById phpids-20
        SecRuleRemoveById phpids-21
        SecRuleRemoveById phpids-30
        SecRuleRemoveById phpids-61
    </LocationMatch>

    <LocationMatch "/wp-admin/theme-editor.php">
        SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
        SecRuleRemoveById phpids-17
        SecRuleRemoveById phpids-20
        SecRuleRemoveById phpids-21
        SecRuleRemoveById phpids-30
        SecRuleRemoveById phpids-61
    </LocationMatch>

    <LocationMatch "/wp-content/plugins/">
        SecRuleRemoveById 300015 340151 1234234 340153 1234234 300016 300017 950907 950005 950006 960008 960011 960904 959006
        SecRuleRemoveById phpids-17
        SecRuleRemoveById phpids-20
        SecRuleRemoveById phpids-21
        SecRuleRemoveById phpids-30
        SecRuleRemoveById phpids-61
    </LocationMatch>

    <LocationMatch "/wp-includes/">
        SecRuleRemoveById 960010 960012 950006 959006
        SecRuleRemoveById phpids-17
        SecRuleRemoveById phpids-20
        SecRuleRemoveById phpids-21
        SecRuleRemoveById phpids-30
        SecRuleRemoveById phpids-61
    </LocationMatch>

    <LocationMatch "/wp-content/themes/">
        SecRuleRemoveById 340151 340153 1234234 950006 959006
        SecRuleRemoveById phpids-17
        SecRuleRemoveById phpids-20
        SecRuleRemoveById phpids-21
        SecRuleRemoveById phpids-30
        SecRuleRemoveById phpids-61
    </LocationMatch>

    <LocationMatch "/wp-cron.php">
        SecRuleRemoveById 960015
    </LocationMatch>

    <LocationMatch "/feed">
        SecRuleRemoveById 960015
    </LocationMatch>

    <LocationMatch "/category/feed">
        SecRuleRemoveById 960015
    </LocationMatch>

Thank you.
As far as I know there is no public/free ruleset available that contains special rule sets for WordPress. Commercial rule sets for WordPress are available from Atomicorp and Trustwave, but I did not use/test them.

The config you posted is intended to be included in the configuration of the Apache2 webserver or in the configuration of each virtual host, if you don't want to include the configuration globally.

The LocationMatch directive is from the Apache2 webserver - see: http://httpd.apache.org/docs/2.2/en/mod/core.html#locationmatch

The SecRuleRemoveById directive is from mod_security2 (https://github.com/spiderlabs/modsecurity/wiki/reference-manual#wiki-secruleremovebyid) and disables one or many rules by ID.

Combining both together, the first lines of the configuration remove the mod_security2 rules with the given IDs for URLs matching "/wp-admin/post.php" (which is the script responsible for managing blog posts in the WordPress backend).

So all in all, the configuration disables a lot of mod_security2 / OWASP rules for several WordPress scripts.

My experience with current versions of mod_security2 and WordPress is the following:

I have been in a similar situation for a month now. I had a webserver running Apache2 with mod_security2 and the OWASP Core Rule Set. The webserver hosted small WordPress sites and I was happy, with mod_security2 blocking several automated attacks against WordPress.

Then I had to update mod_security2 to the latest version, which required an update of the OWASP Core Rule Set to the latest version. The new version of the OWASP Core Rule Set resulted in many mod_security2 false positives with WordPress, and I came across the same article you mentioned in your question. After hours of debugging I came to the conclusion that the article (which is from 2012) seems to be outdated, and the development of both mod_security2 and WordPress has come so far that the exclude rules shown in the article do not suit the new versions of mod_security2/OWASP Core Rule Set and WordPress.

I tried to create my own rule set but gave up after many hours of work, since I had to disable many rules that came with the OWASP Core Rule Set (e.g. disable many SQL injection checks because of false positives), which removed a lot of the security benefits of mod_security2 and the OWASP Core Rule Set.
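
An added example, not part of the question or the answer above: a small Python audit that parses `<LocationMatch>` / `SecRuleRemoveById` blocks and reports which rule IDs are switched off for a given request path. It shows how far each exclusion reaches, because LocationMatch patterns are unanchored regular expressions. The config excerpt is constructed in the shape of the posted one, the request paths are hypothetical, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Constructed excerpt in the same shape as the configuration quoted in the question.
CONFIG = '''
<LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 950907 950005 950006
    SecRuleRemoveById phpids-17
</LocationMatch>
<LocationMatch "/wp-content/plugins/">
    SecRuleRemoveById 340151 950006 959006
</LocationMatch>
<LocationMatch "/feed">
    SecRuleRemoveById 960015
</LocationMatch>
'''

BLOCK = re.compile(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>', re.I | re.S)
REMOVE = re.compile(r'^\s*SecRuleRemoveById\s+(.+)$', re.I | re.M)

def parse_exclusions(config):
    """Return [(location_regex, [rule ids])] for every LocationMatch block."""
    result = []
    for pattern, body in BLOCK.findall(config):
        ids = []
        for args in REMOVE.findall(body):
            ids.extend(args.split())
        result.append((pattern, ids))
    return result

def disabled_for(path, exclusions):
    """Rule ids removed for a request path; every matching block contributes."""
    disabled = []
    for pattern, ids in exclusions:
        if re.search(pattern, path):  # unanchored, like LocationMatch
            for rule_id in ids:
                if rule_id not in disabled:
                    disabled.append(rule_id)
    return disabled

def report(paths, config=CONFIG):
    """Map each request path to the rule ids that no longer apply to it."""
    exclusions = parse_exclusions(config)
    return {p: disabled_for(p, exclusions) for p in paths}

if __name__ == "__main__":
    # Hypothetical request paths chosen to show the reach of each pattern.
    samples = ["/wp-admin/post.php", "/shop/feedback.php", "/index.php"]
    for path, ids in report(samples).items():
        print(f"{path:25} -> {', '.join(ids) or 'no rules removed'}")
```

Running it against the real configuration and a list of paths from the access log gives a quick view of which parts of the site have lost which checks before the exclusions go into production.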