Plugin Author
AITpro
(@aitpro)
It is possible to exclude directories from being checked by mod_security, but that would be an all or nothing thing, i.e. frontend and backend. A possible scenario would be an additional check based on Referer that would indicate the origin of the Request was internal, but Referer can be easily spoofed and cannot be trusted, so that is not really a good solution. A conditional check based on an internal IP address would be pretty secure.
http://serverfault.com/questions/57210/disable-modsecurity-for-a-specific-directory
In any case, since we cannot change anything that mod_security is doing, that leaves us with creating some sort of an alternative method of saving Forms. I am pretty sure both GET and POST are filtered the same. So it may just be that the only solution would be to do everything manually. mod_security right out of the box does not cause this problem. Adding particular SecRules/SecFilters does cause this problem. There is no way to create a check for SecRules/SecFilters so we are not sure how to proceed from here since logically we cannot think of a way around this except for the obvious thing to do – do everything manually and do not use any of the BPS Forms to try and save any code.
Here’s a response from my hosting provider after a few support email exchanges. Are you able to answer their questions?
————–
I’m still not finding any mod_security triggers in the Apache error logs, and the .htaccess files for both blog sites are coming up without the #WPSuperCache line (which implies that the files are actually being written). As a shot in the dark, I have run a repair on the databases (no errors for these databases show up in the mysql logs, but the lack of other evidence leads me to believe that the problem may lie there). I’m not familiar with how BulletProof Security handles its .htaccess editor. Does the plugin read the .htaccess file every time the editor is opened, or does it store the .htaccess file’s contents in the database? If so, which table is it stored in?
————–
Plugin Author
AITpro
(@aitpro)
Ask your host to disable mod_security temporarily so that you can confirm or eliminate mod_security as the cause of the issue/problem or ask them if you can use this code below in an htaccess file to disable mod_security.
Source: http://forum.ait-pro.com/forums/topic/how-to-turn-off-mod-security-mod_security-secfilterengine-off/
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
The questions are not relevant to the known mod_security issue/problem. The known issue (if that is what is occurring) is that when the BPS Forms are submitted, they use a POST method. And the POST content when the Forms are submitted is seen as some sort of attack and blocked by mod_security.
We have a testing site setup with mod_security and mod_security right out of the box (default) settings works fine without any conflicts/issues. mod_security SecRules/SecFilters are very similar to htaccess RewriteCond lines of code where you can add additional rules/filters/conditions that restrict/filter things. So if mod_security is the cause of this issue then one or more of the additional SecRules or SecFilters would be causing the issue.
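The host in this thread reported seeing no mod_security triggers in the Apache error log. As an added example (not part of BulletProof Security, ModSecurity, or this thread), the script below scans an Apache error_log for the `ModSecurity: Access denied ... [id "..."] [uri "..."]` lines that ModSecurity 2.x writes, and reports only the events that actually denied a request to a given URI prefix, which is the check that would confirm or eliminate a custom SecRule as the cause of a form that silently fails to save. The sample log lines, client IPs, rule ids and file names are constructed for the example; the log format is assumed to be the standard ModSecurity 2.x error-log format.

```python
"""Report ModSecurity 2.x denials for requests under a URI prefix.

Added example for this support thread; it is not code from BulletProof
Security or ModSecurity. Assumes the 'ModSecurity: Access denied ...'
error-log line format that ModSecurity 2.x writes into Apache's error_log.
"""
import re
from typing import Dict, List, Optional

# Constructed sample error_log: timestamps, IPs, rule ids, file names and
# messages are made up for this example, not taken from a real server.
SAMPLE_ERROR_LOG = """\
[Tue Jan 15 10:02:11 2013] [notice] Apache/2.2 configured -- resuming normal operations
[Tue Jan 15 10:03:40 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)RewriteRule" at ARGS:secure_htaccess. [file "/etc/modsecurity/custom.conf"] [line "12"] [id "900001"] [msg "Custom: htaccess directives in POST body"] [hostname "blog.example"] [uri "/wp-admin/admin.php"] [unique_id "AAAA0001"]
[Tue Jan 15 10:05:02 2013] [error] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico
[Tue Jan 15 10:06:15 2013] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "union" at ARGS:s. [file "/etc/modsecurity/custom.conf"] [line "20"] [id "900002"] [msg "Custom: SQL keyword"] [hostname "blog.example"] [uri "/"] [unique_id "AAAA0002"]
"""

# "Access denied with code NNN" means the request was blocked; "Warning"
# means the rule matched but let the request through (e.g. DetectionOnly).
_EVENT_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<action>Access denied with code (?P<code>\d+)|Warning)'
)
# The trailing [key "value"] fields carry rule id, msg, file, uri, ...
_KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')
# Which pattern fired and which variable (e.g. ARGS:secure_htaccess) it hit.
_MATCH_RE = re.compile(r'Pattern match "(?P<pattern>[^"]*)" at (?P<target>.+?)\. \[')


def parse_modsecurity_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict describing a ModSecurity event line, or None for any other line."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    event: Dict[str, object] = {
        "client": m.group("client"),
        "denied": m.group("action").startswith("Access denied"),
        "code": int(m.group("code")) if m.group("code") else None,
    }
    for kv in _KV_RE.finditer(line):
        event[kv.group("key")] = kv.group("value")
    pm = _MATCH_RE.search(line)
    if pm:
        event["pattern"] = pm.group("pattern")
        event["target"] = pm.group("target")
    return event


def find_blocked_requests(log_text: str, uri_prefix: str = "/wp-admin/") -> List[Dict[str, object]]:
    """Events that denied a request whose URI starts with uri_prefix.

    Warnings are left out on purpose: only a denied request would explain a
    plugin form that posts to wp-admin and silently fails to save.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_modsecurity_line(line)
        if ev and ev["denied"] and str(ev.get("uri", "")).startswith(uri_prefix):
            hits.append(ev)
    return hits


def describe(event: Dict[str, object]) -> str:
    """One-line summary naming the rule, URI, client and matched variable."""
    return (f'rule {event.get("id", "?")} denied {event.get("uri")} from {event["client"]}'
            f' (matched {event.get("target")}): {event.get("msg", "")}')


if __name__ == "__main__":
    # Real use: read the host's error_log instead of the constructed sample.
    for ev in find_blocked_requests(SAMPLE_ERROR_LOG):
        print(describe(ev))
```

If the script reports a denial for the form's URI, the `id` and `file` fields identify the custom SecRule to discuss with the host; if it reports nothing while the form still fails, mod_security is not the cause, which is how this thread eventually played out.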
Hi there:
My hosting provider has turned off mod_security and the problem still exists.
Here’s what I did to test after mod_security was disabled (and still is):
1) In the htaccess file editor, I removed all “# WPSuperCache” lines and clicked the update button.
2) Files are updated as expected.
3) Went to security modes tab and clicked on “create secure htaccess” button.
4) Went back to htaccess file editor window and the “# WPSuperCache” lines reappeared!
5) So I edited the “secure.htaccess” text field and replaced “# WPSuperCache” with “#Test 123”.
6) I went to security modes tab and clicked on “activate root folder bullet proof mode”
7) Went to “htaccess editor” and clicked on “your current root access file”. The “#Test 123” line appears where expected.
8) Go back to security modes tab and clicked on “create secure htaccess” button.
9) Go back to htaccess file editor, clicked on “secure.htaccess” file editor window and BAM! the “# WPSuperCache” line returns!
FAIL.
There appears to be nothing in any of the logs either indicating a problem.
So this issue has nothing to do with mod_security.
BPS just isn’t saving back to the database. When should BPS be saving changes back to the database? It appears when I click on “update” it only updates files. That’s it, without making any calls to the database. Is there any sort of internal flag or something that needs to be set?
Unless you can advise me of another test to perform while mod_security is currently disabled on the host?
Thank you.
Plugin Author
AITpro
(@aitpro)
The BPS htaccess File Editor does not save anything to the database and instead allows you to edit your htaccess files directly. Only BPS Custom Code saves custom htaccess code that you have saved in BPS Custom Code to your database. When you click the Create secure.htaccess File AutoMagic button, BPS will check your database for any custom code you have saved in BPS Custom Code and create/add it in your root .htaccess file. BPS Custom Code and the BPS htaccess File Editor are 2 completely different things/features and work differently.
Ok now do these steps:
1. Go to the BPS Custom Code tab page – NOT the htaccess File Editor tab page.
2. Look for the # WPSuperCache .htaccess code in any Custom Code text boxes and delete it.
3. Click the Save Root Custom Code button to save your Root custom code.
4. Double check all of the Custom Code text boxes and let me know if the # WPSuperCache placeholder text actually really was deleted or not.
5. Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode.
6. Go to the BPS htaccess File Editor tab page and check your root htaccess file.
That did it! It seems to have worked, so I’m going to write my hosting provider to ask them to enable the mod_security again.
Here’s what I think the issue was — I never went to the “Custom Code” tab; as detailed in my steps above, I was going to the “htaccess file editor” tab.
So once my provider switches mod_security back, I’ll try it again.
If it works, I’ll post back here.
Thank you so much for your time and effort!
This is working now with mod_security enabled. All good. 🙂