How to disable ModSecurity rules for Drupal and Wordpress

This guide is based on various community forum posts, and hours of frustration. 

This guide is intended as a relatively easy step by step guide to:

  • Disable Apache2 ModSecurity rules for Drupal and Wordpress.
  • ModSecurity is a very powerful web application firewall but needs to be configured to work with Drupal and Wordpress.
  • The ModSecurity rules can no longer be disabled in the .htaccess file and this guide explains how to disable the rules based on the specific location of a request on the server without having to disable rules for an entire domain in the httpd.conf file, by creating a local rule exceptions file. 

Requirements:


1. View ModSecurity Audit Log File.

  • We need to first find the rules that are being triggered by ModSecurity on your webserver.
  • Open the tail end of the ModSecurity log file called modsec_audit.log to view the last entries made to the log file. 
  • For Apache2 servers it is located in /var/log/apache2/ 
  • Open the Terminal Window and enter :
sudo tail /var/log/apache2/modsec_audit.log --lines 60 | less
  • The output should look similar to this screenshot below.
  • Look for Access denied with code 403 and work backwards to find the start of the rule entry based on the log entry id. 
  • In this case the log entry ID is --00aee77f (see marked in yellow)  
  • Find the GET item - in this example it is /modern-classic (see marked in blue)
  • Find the ModSecurity rule that was triggered by the GET - in this example the rule id 958291 (see marked in purple)

2. Create a Local Exceptions ModSecurity rule file.

  • To disable / exclude certain ModSecurity rules you need to create a local exceptions file.
  • There are various places you can create this file you only need to make sure that ModSecurity loads it during startup. 
  • We are going to create a whitelist.conf file in the /etc/modsecurity/activated_rules/ directory as all files with .conf extension will be loaded during ModSecurity startup.
  • Open the Terminal Window and enter :
sudo vi /etc/modsecurity/activated_rules/whitelist.conf
  • For our example we add the location of the GET and ModSecurity rule id from step 1.
  • Add the following to your whitelist.conf file and save :
<LocationMatch "/modern-classic">
    SecRuleRemoveById 958291
</LocationMatch>
  • You need to add the location as a regex of the directory path or file that is causing the ModSecurity rule to be triggered.
  • In the following example we add the location directly to the file that triggers the ModSecurity rule.
<LocationMatch "/wp-admin/update.php">
    SecRuleRemoveById 981173
</LocationMatch>

3. Restart Webserver.

  • To the changes to take effect you need to restart you webserver.
  • For Apache2 servers, open the Terminal Window and enter :
sudo service apache2 restart

Tags: