Articles in this section

See more

Website is not available with enabled ModSecurity: 403 Forbidden

Avatar
Maxim Krasikov
Updated
Follow

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

  • ModSecurity is installed and enabled in Tools & Settings > Web Application Firewall (ModSecurity) > On.

  • Website is unavailable or it's not possible to make changes in site, for example edit posts in Wordpress:

    CONFIG_TEXT: 403 - Forbidden: Access is denied error is shown. You do not have permission to view this directory or page using the credentials that you supplied.

  • WordPress Customisation page is not displayed properly in WordPress Admin Dashboard > Customize.

  • An error similar to the following can be seen Tools & Settings > Web Application Firewall (ModSecurity) > ModSecurity Log File or /var/www/vhosts/example.com/logs/error_log

    CONFIG_TEXT: [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]

  • On Windows the rule ID and the corresponding block reports can be found at %plesk_dir%\ModSecurity\vhosts\<domain's GUID>\logs\audit.log where domain's GUID is the guid value of the psa.domains table. Can be found via CMD command:

    C:\> plesk db "select id, name, guid from domains where name=example.com"

Cause

False positive detection by ModSecurity.

Resolution

Disable the ModSecurity using ID from the error above:

  1. Log into Plesk.
  2. Go to Domains > example.com > Web Application Firewall.
  3. Specify the rule IDs from the error above (for example, 340465) used in the rules that need to be switched off, and click OK.

Comments

3 comments

Sort by Date Votes
  • Avatar
    Tony

    It's worth noting the free Atomic list wont get this fix/update until next month, right?

    I'm having trouble using Plesk 12.5 UI to Switch off the Rule by ID.  Is the correct ID format  "[id "340465"]"?

    0
    Comment actions Permalink
  • Avatar
    Tony

    After updating to the $200/yr paid Atomic list this issue is resolved.  I think otherwise i would've had to wait 30 days for the free delayed updates to be deployed to me.

    0
    Comment actions Permalink
  • Avatar
    Lev Iurev

    @Tony issue should be fixed by running abovementioned command

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles