Editing post in WordPress editor, after a few minutes, my IP will be blocked by
mod_security automatically, put it in the firewall denied access list, and the log is showing security concern “5 in the last 300 secs“.
To quickly fix it, I have to restart my modem or get a new IP to access my server via SSH or WHM, then delete the blocked IP manually. Here’s my environment :
- WordPress 3.6
- Classic Apache + ModSecurity + CSF/LFD
After many tried and errors, I found out this may caused by the WordPress “autosave” and post revision features. When editing a post, WordPress will keep autosave the “draft” or “post revision” during the defined interval, and too often will TRIGGER the
mod_security rules easily.
Here are two solutions :
1. Whitelist WordPress Action
This is suggested by my server supporter, whitelist some common WordPress actions in
whitelist.conf, and put following rules inside.
<LocationMatch "/wp-admin/page.php"> SecRuleRemoveById 300013 300014 300015 300016 300017 </LocationMatch> <LocationMatch "/wp-admin/post.php"> SecRuleRemoveById 300013 300014 300015 300016 300017 </LocationMatch> <LocationMatch "/wp-admin/admin-ajax.php"> SecRuleRemoveById 300013 300014 300015 300016 300017 </LocationMatch> SecRule REQUEST_URI "/wp-admin/async-upload.php" phase:1,nolog,allow,ctl:ruleEngine=Off SecRule REQUEST_URI "/wp-admin/async-upload.php" phase:2,nolog,allow,ctl:ruleEngine=Off
2. Disable Post Revisions
Disable WordPress post revisions feature, or increase its autosave interval. Edit
wp-config.php, add following code:
define('AUTOSAVE_INTERVAL', 300 ); // seconds, 5 mins define('WP_POST_REVISIONS', false );