I've created a Wordpress plugin which became popular but I'm getting lots of complaints that it's not working. After logging in to many user's WP websites(after asking for admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests or .htaccess which is causing 500 error on some configurations.
So first of all why is this piece of code causing some servers to return 500 error
<IfModule mod_security2.c>
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
SecRuleRemoveById 950907
SecRuleRemoveById 950005
SecRuleRemoveById 950006
SecRuleRemoveById 960008
SecRuleRemoveById 960011
SecRuleRemoveById 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
on other servers removing rules by id this way is causing 500 error:
<IfModule mod_security.c>
SecRuleRemoveById 300015
...
SecRuleRemoveById phpids-61
</IfModule>
so for now the only working thing which is not causing any server to crash is
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
but it's not enough for servers with mod_security2 !
How to write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere where it applies and not cause 500 errors on other configurations?
Edit: Not only in Apache. Anywhere where .htaccess is used.
Ryan C. Barnett, ModSecurity Community Manager claimed:
Support for .htaccess files was discontinued in 2.x as it raised too many security issues.
source: http://article.gmane.org/gmane.comp.apache.mod-security.user/3065
The only possible configuration that enable on htaccess are the following (since 2.7.3) but you need to ./configure --enable-htaccess-config
:
SecRule
SecRuleRemoveByMsg
SecRuleRemoveById
SecRuleUpdateActionById
https://github.com/SpiderLabs/ModSecurity/blob/876d4f5f9558595c00f40af25ea6216386f15cd7/CHANGES#L69