Just re-read the title and it sounds like a science-fiction B-movie title. Oh well.
After running this for a while and having played with all the possible options in WordPress, here is my final Mod_Security custom rules file.
This is saved as /etc/httpd/modsecurity.d/modsecurity_crs_15_customrules.conf on my system, but the path may be different on yours.
# Note: LocationMatch takes a regular expression, not a plain path, so the
# unanchored patterns below match that string anywhere in the request URI.
# 9600xx ids come from the CRS protocol-violations file, 9500xx from the
# generic-attacks file.

# The TinyMCE spellchecker RPC endpoint trips the protocol-violation checks.
<LocationMatch "/wp-includes/js/tinymce/plugins/spellchecker/rpc.php">
    SecRuleRemoveById 960010
    SecRuleRemoveById 960012
</LocationMatch>

# Everything under /wp-includes/ (also covers the endpoint above).
<LocationMatch "/wp-includes/">
    SecRuleRemoveById 960010
    SecRuleRemoveById 960012
    SecRuleRemoveById 950006
</LocationMatch>

# Admin pages that legitimately submit raw post, option and theme content.
<LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 950006
</LocationMatch>

<LocationMatch "wp-admin/options.php">
    SecRuleRemoveById 950006
</LocationMatch>

<LocationMatch "wp-admin/theme-editor.php">
    SecRuleRemoveById 950006
</LocationMatch>
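The way the stanzas above get built is by reading the mod_security error log to see which rule ids fire on which WordPress URIs. Here is an added shell helper (not from the post) that tallies denials per rule id and URI and prints a whitelist stanza in the same format; the log lines, rule ids and paths are constructed samples shaped like mod_security 2.5 error_log entries.

```shell
#!/bin/sh
# Added example, not from the post. SAMPLE_LOG is a constructed stand-in for
# /var/log/httpd/error_log entries written by mod_security 2.5.
SAMPLE_LOG='[Wed Jan 14 10:00:01 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "40"] [id "950006"] [msg "System Command Injection"] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "sample1"]
[Wed Jan 14 10:02:13 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "40"] [id "950006"] [msg "System Command Injection"] [hostname "blog.example"] [uri "/wp-admin/post.php"] [unique_id "sample2"]
[Wed Jan 14 10:05:40 2009] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_20_protocol_violations.conf"] [line "12"] [id "960012"] [msg "POST request must have a Content-Length header"] [hostname "blog.example"] [uri "/wp-includes/js/tinymce/plugins/spellchecker/rpc.php"] [unique_id "sample3"]'

# Read error_log lines on stdin; print "count id uri", most frequent first.
# Only lines carrying both an [id "..."] and a [uri "..."] tag are counted.
tally_denials() {
  sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Print a LocationMatch stanza that removes the given rule ids for one path.
# LocationMatch takes a regex, so the path is anchored and its dots escaped
# to avoid matching more than intended.
whitelist_stanza() {
  path=$1
  shift
  escaped=$(printf '%s' "$path" | sed 's/\./\\./g')
  printf '<LocationMatch "^%s">\n' "$escaped"
  for id in "$@"; do
    printf '    SecRuleRemoveById %s\n' "$id"
  done
  printf '</LocationMatch>\n'
}

# Usage: on a real box, replace the printf with: tally_denials < /var/log/httpd/error_log
printf '%s\n' "$SAMPLE_LOG" | tally_denials
whitelist_stanza /wp-admin/post.php 950006
```

Review the tally before whitelisting anything: a high count on one URI may be real attack traffic rather than a false positive, and a rule should only be removed for paths where the blocked requests are known to be legitimate.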
I would like to send this interesting info to the ModSecurity mailing list. Can you specify (and e-mail me) which version of WordPress, ModSecurity and core rules you are using?
Thanks
~ Ofer
This is for mod_security-2.5.0 and WordPress 2.7. I am not convinced this is the best way to do it from a security point of view, but it does get people up and running quickly without disabling ModSecurity server-wide.
Answering this question has brought it to my attention that the repo I am using for mod_security is out of date and version 2.5.5 has a fix for one of the WordPress problems. Time to find a better repo for mod_security or start creating my own RPMs again. Thanks Ofer.
"Hmmm, your comment seems a bit spammy"
Are you kidding me? If this is wp-spamfree causing it, then it sucks too.
GOD, get your regexes right. root @ domain is a perfectly valid email address. Shoot yourselves.
PS: I wanted to write about the issues I have with mod_security and all my scripts (including Joomla), but it seems you are running a tight anti-comment system here.
Hi Ciuly, you are the first person to complain about this. I have read through the source and you are correct: root@* is one of the blocked email addresses, and I can see why from my log.
So far this week over 100 spam comments have been blocked from root@ addresses, and as far as I can see yours is the first that wasn't spam.
Your last two comments got through OK, so if you ask your question I will of course do my best to answer.
Mod_security is a complete waste of time since they went commercial. If you search for a good ruleset you won’t find it; unless you pay up. Thanks, but no thanks. Hardening works better for me.
I am sorry to disagree with you. The core ruleset is still a valuable tool and, with a few extra custom rules, adds a worthwhile layer to the security toolchest. I shan't be dropping it any time soon.