I have installed Mod Security using the following instructions: <a href="https://www.digitalocean.com/community/tutorials/how-to-set-up-modsecurity-with-apache-on-ubuntu-14-04-and-debian-8" rel="nofollow">https://www.digitalocean.com/community/tutorials/how-to-set-up-modsecurity-with-apache-on-ubuntu-14-04-and-debian-8</a>
It seems to be working fine, but I don't seem to be able to create exceptions for example for the WordPress login. I have added the following to my virtualhost file:
<Directory "/var/www/domain.com/public_html/wp-admin"> <IfModule security2_module> SecRuleEngine Off </IfModule> </Directory>
I have also tried the following:
<LocationMatch "/wp-admin"> <IfModule security2_module> SecRuleEngine Off </IfModule> </LocationMatch>
And different combinations of both.
I'm running Ubuntu 16.04.2 but I guess it's the same as for 14.04, right?Answer1:
ModSecurity runs at several different phases. The first phase runs before any Directory or Location rules are processed. So turning ModSecurity off like this just won't work as by the time Apache gets round to processing that config it will be too late.
The better way to do this is to write a ModSecurity rule to "allow" these locations:
SecRule REQUEST_URI "@beginsWith /wp-admin" "phase:1,id:12345,allow"
Or alternatively dynamically turn off ModSecurity for the rest of this request (which will have basically the same effect as above):
SecRule REQUEST_URI "@beginsWith /wp-admin" "phase:1,id:12345,ctl:ruleEngine=off"
It's important that either of these rules is defined <strong>before</strong> any other rules, to ensure the other rules don't block requests before the above rule(s) take effect.
However I would say that wp-admin is one of the most likely attack locations on a WordPress site so note sure why you would go through the hassle of installing ModSecurity and then decide not to protect that particular URL with it!