In an earlier article, we published an introduction on mod security. While there are many good reasons to use mod security, this module adds complexity to any WordPress installation.
This guide is based on the official directions for WordPress to create a window so that a WordPress user can edit any post, and upload media. Still, you need to monitor the log for unwanted errors (in /var/log/apache2/error.log file). If the errors can not be managed by best efforts, unfortunately, you will have to disable ModSecurity. Apart from the log file, keep an eye on Google Analytics.
How to Install ModSecurity on Ubuntu Server
We will use the ModSecurity module with ModSecurity Core Rule Set from the Ubuntu repo:
---
1 2 3 4 5 6 7 | apt install gnupg2 software-properties-common curl wget git unzip -y # add-apt-repository ppa:ondrej/apache2 -y # apt update -y # apt install apache2 -y sudo apt-get install libapache2-mod-security2 -y a2enmod security2 sudo systemctl restart apache2 |
Open /etc/apache2/mods-enabled/security2.conf file:
1 | nano /etc/apache2/mods-enabled/security2.conf |
Uncomment:
1 2 3 | ... IncludeOptional /etc/modsecurity/*.conf ... |
Next, move/rename this file:
1 | mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf |
Open the ModSecurity configuration file:
1 | nano /etc/modsecurity/modsecurity.conf |
Add these:
1 2 | SecRuleEngine On SecAuditLogParts ABCEFHJKZ |
Restart Apache:
1 | systemctl restart apache2 |
The rules can be found here:
1 | /usr/share/modsecurity-crs |
Open the default Apache configuration file for your site:
1 | sudo nano /etc/apache2/sites-available/000-default.conf |
Find the VirtualHost closing tag at the bottom and add the following lines:
1 2 | SecRuleEngine On SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Security rule was triggered'" |
Open these files one by one:
1 2 | nano /etc/apache2/apache2.conf nano /etc/apache2/conf-enabled/security.conf |
… add or edit these two directives to the suggested values shown below:
1 2 | ServerTokens Prod ServerSignature Off |
Run a configuration test and restart Apache:
1 2 | apachectl configtest systemctl restart apache2 |
You can change the msg to whatever you prefer. Now, test your site:
1 | curl https://domain-name/?exec=/bin/bash |
You should receive an error like the one below:
1 2 3 4 5 6 7 | <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> </body></html> |
That completes the generic configuration of ModSecurity.
How to Configure ModSecurity on Ubuntu Server for WordPress
Open crs-setup.conf with a text editor:
1 | nano /etc/modsecurity/crs/crs-setup.conf |
Search the document with the phrase exclusions_wordpress, and you’ll find commented out settings as we have shown below:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | # SecRule RESecAction \ #SecAction \ # "id:900130,\ # phase:1,\ # nolog,\ # pass,\ # t:none,\ # setvar:tx.crs_exclusions_cpanel=1,\ # setvar:tx.crs_exclusions_dokuwiki=1,\ # setvar:tx.crs_exclusions_drupal=1,\ # setvar:tx.crs_exclusions_nextcloud=1,\ # setvar:tx.crs_exclusions_phpbb=1,\ # setvar:tx.crs_exclusions_phpmyadmin=1,\ # setvar:tx.crs_exclusions_wordpress=1,\ # setvar:tx.crs_exclusions_xenforo=1" |
Edit it in a way so that it looks exactly like the below example:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | SecAction \ "id:900130,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:tx.crs_exclusions_wordpress=1 # setvar:tx.crs_exclusions_cpanel=1,\ # setvar:tx.crs_exclusions_dokuwiki=1,\ # setvar:tx.crs_exclusions_drupal=1,\ # setvar:tx.crs_exclusions_nextcloud=1,\ # setvar:tx.crs_exclusions_phpbb=1,\ # setvar:tx.crs_exclusions_phpmyadmin=1,\ # setvar:tx.crs_exclusions_wordpress=1,\ # setvar:tx.crs_exclusions_xenforo=1" |
Run a configuration test:
1 | apachectl configtest |
If you face errors, correct the faulty syntax. Restart Apache if you get the Syntax OK message:
1 | systemctl restart apache2 |
Open modsecurity.conf file:
1 | nano /etc/modsecurity/modsecurity.conf |
Find the below keywords and set the limit like our example:
1 2 | SecPcreMatchLimit 1000000 SecPcreMatchLimitRecursion 1000000 |
Find line number 86 in the modsecurity.conf :
1 | nano +86 /etc/modsecurity/modsecurity.conf |
Comment out the line(s) to make like this one:
1 2 3 4 5 6 | ... # # SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ # "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible un> # PCRE Tuning ... |
Create a whitelist rule:
1 | nano /etc/apache2/conf-enabled/whitelist.conf |
Paste the below content:
1 2 3 4 5 6 7 | <LocationMatch "/wp-admin/theme-editor.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006 980130 </LocationMatch> <LocationMatch "/wp-admin/admin-ajax.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006 981173 980130 </LocationMatch> |
Run a configuration test and restart Apache:
1 2 | apachectl configtest systemctl restart apache2 |
With the above settings, you should be able to login to WordPress, edit posts and upload media. If you still face the Access Denied webpage from Apache, then open the default Apache configuration file for your site:
1 | sudo nano /etc/apache2/sites-available/000-default.conf |
Find the VirtualHost closing tag at the bottom and add comment out the following lines to make like below example:
1 2 | # SecRuleEngine On # SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Security rule was triggered'" |
Disable ModSecurity, run a configuration test, if the test passed then restart Apache:
1 2 3 | a2dismod security2 apachectl configtest sudo systemctl restart apache2 |
This will disable ModSecurity. Later find the specific issue on your setup, fix that and again enable ModSecurity.
