After having a site hacked because mod_security was disabled I’ve been in search of a better way to allow WordPress to work and still have mod_security running. There are many places that recommend placing the following code in your site .htaccess file:
DO NOT DO THIS! Else you’ll likely fall victim to the same SQL Insertion hack I did that allowed the infiltrator to directly change elements of my database and redirect the site. Thankfully the damage was very minor, limited to a few WordPress configuration changes that were easily undone. It could have been much, much worse.
In my case, there were two separate issues to contend with as exhibited in the Apache server error log.
You will see a line in the server error log that contains text similar to:
mod_security: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" [severity "EMERGENCY"] [hostname "hostname"] [uri "/wp-admin/admin
In some cases the code might be other than 403 and the quoted pattern might be different. Note that the uri field will point to the location of the admin-ajax.php script in your install. There are several options to correct this false positive without completely disabling mod_security.
There are a number of references that indicate the mod_security rule is incorrect. A good summary can be found at The Team Extreme Blog. What it all boils down to is improper matching of the content type
application/x-www-form-urlencoded. The suggested rule requires that the content type match exactly. In at least one failing case, this string has been observed to have the value
application/x-www-form-urlencoded; UTF-character8. A possible solution is to remove the “$” at the end of the related phrase in the filter rule. For example, it should read:
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded|^multipart/form-data;)"
Another option would be to add the offending string to the Filter rule, for example:
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^application/x-www-form-urlencoded; UTF-character8$|^multipart/form-data;)"
My host provider made this change to the mod_security rules so I can’t report on the specific changes they made. The blog No Logo Required has some whitelisting instructions. I’ve not tried this myself so I can’t confirm the instructions.
This might work:
Once I had the filter issue resolved, I was getting a new log entry containing the following:
denied with code 403. Error processing request body: Multipart: final boundary m
issing [severity "EMERGENCY"] [hostname "hostname"] [uri "/wp-admin/admin
Some searching exposed the solution in an article at Intersice Solutions. Based on that information and a check on the modsecurity.org site, I placed the following in the .htaccess file in my wp-admin directory:
SetEnvIfNoCase Content-Type "^multipart/form-data;" "MODSEC_NOPOSTBUFFERING=Do n
ot buffer file uploads"