Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- ModSecurity is installed and enabled at Tools & Settings > Web Application Firewall (ModSecurity) > On.
- A website is unavailable or it is not possible to perform operations on this website, for example, edit posts in WordPress, add products to shopping cart, etc.:
  ERR_CONNECTION_REFUSED
  403 Forbidden
  500 Internal Server Error
  ERR_CONNECTION_TIMED_OUT
- If the website is using Cloudflare, the following error might be shown:
  Error 521
  Web server is down
- WordPress Customization page is not displayed properly at WordPress Admin Dashboard > Customize.
- A ModSecurity error message like below appears on the Logs page in Plesk at Domains > example.com > Logs:
  ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]
Cause
Strict ModSecurity rule-sets (for example, OWASP or Comodo) may block some operations on the website (such as file sharing, webmail, and some web applications, including WordPress and its plugins).
Resolution
Disable the ModSecurity rule using its ID from the error message:
- Go to Domains > example.com > Web Application Firewall.
- Specify the rule IDs from the error message on the Logs page and click OK.
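An added example, not part of the Plesk article: Python that pulls the rule IDs out of ModSecurity log entries and groups them by unique_id, so the rules that raised the anomaly score can be told apart from 949110, which only evaluates the total. The function names and the sample log entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# ModSecurity appends metadata to each log entry as [name "value"] pairs.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# 949110 (from the log line on this page) only evaluates the accumulated anomaly score.
BLOCKING_EVAL_IDS = {"949110"}

# Constructed sample: entry 2 is abridged from this page's log line, 1 and 3 are invented.
SAMPLE_LOG = [
    'ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] '
    '[msg "Host header is a numeric IP address"] [uri "/robots.txt"] '
    '[unique_id "XPsROH8AAQEAABEiZFcAAABC"]',
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at '
    'TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total '
    'Score: 5)"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]',
    'AH01630: client denied by server configuration: /var/www/vhosts/example.com',
]


def parse_entry(line):
    """Return {field: [values]} for a ModSecurity entry, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = defaultdict(list)
    for name, value in FIELD_RE.findall(line):
        fields[name].append(value)
    return dict(fields) if "id" in fields else None


def rules_by_request(lines):
    """Group rule IDs per unique_id, separating scoring rules from the block rule."""
    report = {}
    for line in lines:
        fields = parse_entry(line)
        if fields is None:
            continue
        uid = fields.get("unique_id", ["unknown"])[0]
        entry = report.setdefault(uid, {"uri": fields.get("uri", [""])[0],
                                        "contributing": [], "blocking": []})
        rule_id = fields["id"][0]
        bucket = "blocking" if rule_id in BLOCKING_EVAL_IDS else "contributing"
        if rule_id not in entry[bucket]:
            entry[bucket].append(rule_id)
    return report


if __name__ == "__main__":
    print(rules_by_request(SAMPLE_LOG))
```

Switching off 949110 itself stops inbound anomaly-score blocking for the domain, so the IDs listed under "contributing" for the affected request are the narrower exclusion.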
Comments
4 comments
It's worth noting the free Atomic list won't get this fix/update until next month, right?
I'm having trouble using Plesk 12.5 UI to Switch off the Rule by ID. Is the correct ID format "[id "340465"]"?
After updating to the $200/yr paid Atomic list this issue is resolved. I think otherwise I would've had to wait 30 days for the free delayed updates to be deployed to me.
@Tony issue should be fixed by running the above-mentioned command.
I am still getting the problem. It all started after I installed ModSecurity in extensions; now my website resources are getting consumed and I am getting the above error as well as the xmlrpc thing. What would be an appropriate solution for this? I am thinking, would there be any conflict between the WordPress security plugin and Plesk ModSecurity?