
Issue ModSecurity lately feels offended by Wordpress in several customer installations, is triggered by rule 222212

Bitpalast

Since yesterday we are seeing several support cases where customers are locked out of their websites by fail2ban as it reacts to a ModSecurity 403 error. That is caused by rule 222212 in Wordpress installations, for example as follows:
Code:
[client 77.123.123.12] ModSecurity: Warning. String match "get" at REQUEST_METHOD. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/27_Apps_WPPlugin.conf"] [line "3792"] [id "222212"] [rev "2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WPPlugin"] [hostname "<domainname>"] [uri "/wp-admin/edit-comments.php"] [unique_id "Xn5TaY9yZoW9kX79a6a2gAAABBE"], referer: https://<domainname>/wp-admin/edit.php?ids=1
This seems to be occurring in several customer installations. It is always the 27_Apps_WPPlugin.conf that is complaining and always the 222212 rule. Customers are reporting that they were editing their websites while suddenly they are locked out. So actually, they are not doing anything harmful.

The solution of course is to exclude rule 222212 from Web Application Firewall (ModSecurity), but the question is: Why is this suddenly happening and who needs to do something about it? It cannot stay this way, because it means that likely a major part of Wordpress users will be affected and sooner or later lock themselves out by simply working on their websites.
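A triage sketch for the situation described in the post above, added here as an example and not taken from the thread, Plesk or the Comodo rule set: it parses ModSecurity entries in the quoted log format and lists rule ids that by themselves push a client to a fail2ban threshold while firing only on /wp-admin/ URIs, which makes them candidates for review before exclusion. The `maxretry` value of 3, the /wp-admin/ heuristic, the placeholder rule id 999999 and all sample events are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (client, rule id, URI), rendered in the format of
# the log line quoted in the post. Rule id 999999 is a placeholder.
TEMPLATE = ('[client {ip}] ModSecurity: Warning. String match "get" at REQUEST_METHOD. '
            '[file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/27_Apps_WPPlugin.conf"] '
            '[line "3792"] [id "{rule}"] [rev "2"] [severity "CRITICAL"] [tag "CWAF"] '
            '[hostname "example.test"] [uri "{uri}"] [unique_id "constructed"]')
EVENTS = [
    ("203.0.113.7", "222212", "/wp-admin/edit-comments.php"),
    ("203.0.113.7", "222212", "/wp-admin/edit.php"),
    ("203.0.113.7", "222212", "/wp-admin/edit-comments.php"),
    ("198.51.100.9", "222212", "/wp-admin/edit-comments.php"),
] + [("192.0.2.50", "999999", "/xmlrpc.php")] * 4
SAMPLE_LOG = [TEMPLATE.format(ip=ip, rule=rule, uri=uri) for ip, rule, uri in EVENTS]

CLIENT_RE = re.compile(r'\[client ([^\]\s]+?)(?::\d+)?\]')  # port is optional
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')               # [key "value"] pairs

def parse(line):
    """Return client, rule id and URI of one ModSecurity log line, or None."""
    client = CLIENT_RE.search(line)
    if "ModSecurity:" not in line or not client:
        return None
    fields = dict(FIELD_RE.findall(line))  # repeated keys such as tag: last wins
    if "id" not in fields:
        return None
    return {"client": client.group(1), "id": fields["id"], "uri": fields.get("uri", "")}

def exclusion_candidates(lines, maxretry=3):
    """Rules that alone push a client to maxretry, seen only under /wp-admin/."""
    hits, uris = Counter(), defaultdict(set)
    for event in filter(None, map(parse, lines)):
        hits[(event["client"], event["id"])] += 1
        uris[event["id"]].add(event["uri"])
    banned = defaultdict(set)
    for (client, rule), count in hits.items():
        if count >= maxretry:
            banned[rule].add(client)
    return {rule: {"clients": sorted(clients), "uris": sorted(uris[rule])}
            for rule, clients in banned.items()
            if all(uri.startswith("/wp-admin/") for uri in uris[rule])}

if __name__ == "__main__":
    for rule, info in exclusion_candidates(SAMPLE_LOG).items():
        print(rule, info)
```

A rule appearing in the output is only a candidate: check the listed clients and URIs against known customer activity before excluding it in the Web Application Firewall settings.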
 
Yes, I have seen that article before. However, in this case it seems that the one specific rule 222212 is suddenly triggered in many different customers' Wordpress installations where this previously was not triggered. So probably it's an issue with ModSecurity (the ruleset respectively). Maybe I'll need to find a way to let them know.
 
Is this the fix?
" If the free Comodo rule set is selected and WordPress is installed on a website, Fail2Ban can no longer block the Plesk server’s IP address after customers spend some time working in WordPress. (PPPM-11961) "
 