Website is not available with enabled ModSecurity: 403 Forbidden – Plesk Help Center

Applicable to:

ModSecurity is installed and enabled in Tools & Settings > Web Application Firewall (ModSecurity) > On.
Website is unavailable or it's not possible to make changes in site, for example edit posts in Wordpress:

CONFIG_TEXT: 403 - Forbidden: Access is denied error is shown. You do not have permission to view this directory or page using the credentials that you supplied.
An error similar to the following can be seen Tools & Settings > Web Application Firewall (ModSecurity) > ModSecurity Log File or /var/www/vhosts/example.com/logs/error_log

CONFIG_TEXT: [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]
On Windows the rule ID and the corresponding block reports can be found at %plesk_dir%\ModSecurity\vhosts\<domain's GUID>\logs\audit.log where domain's GUID is the guid value of the psa.domains table. Can be found via CMD command:

C:\> plesk db "select id, name, guid from domains where name=example.com"

False positive detection by ModSecurity.

Log into Plesk.
Go to Domains > example.com > Web Application Firewall.
Specify the rule IDs from the error above (for example, 340465) used in the rules that need to be switched off, and click OK.

3 comments

Please sign in to leave a comment.

Have more questions? Submit a request