A website hosted in Plesk fails to load when ModSecurity is enabled: Access denied with code 403

Symptoms

• ModSecurity is installed and enabled at Tools & Settings > Web Application Firewall (ModSecurity) > On.

• Website is unavailable or it's not possible to make changes in site, for example edit posts in Wordpress, add products to shopping cart:

  PLESK_INFO: ERR_CONNECTION_REFUSED

  ---

  PLESK_INFO: 403 Forbidden

  ---

  PLESK_INFO: 500 Internal Server Error

  ---

  PLESK_INFO: ERR_CONNECTION_TIMED_OUT

• WordPress Customization page is not displayed properly at WordPress Admin Dashboard > Customize.

• One of the following error messages appear on the Logs page in Plesk at Domains > example.com > Logs:

  CONFIG_TEXT: ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]

  ---

  CONFIG_TEXT: ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/conf/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Possible XSS Attack Detected - HTML Tag Handler"] [tag "event-correlation"] [hostname "webmail.example.com"] [uri "/.noindex.html"] [unique_id "XDapuhD7O9GFbqsJzesp7AAAAAM"], referer: https://webmail.example.com/?_task=mail&_action=compose&_id=11404279895c36a9270c378

  ---

  CONFIG_TEXT: ModSecurity: Warning. Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/RESPONSE-950-DATA-LEAKAGES.conf"] [line "93"] [id "950100"] [rev "3"] [msg "The Application Returned a 500-Level Status Code"] [data "Matched Data: 504 found within RESPONSE_STATUS: 504"] [severity "ERROR"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [tag "paranoia-level/2"] [hostname "server.example.com"] [uri "/index.php"] [unique_id "XdNacAQXfB4uxMr8GqtZmQAAAAI"]

  ---

  CONFIG_TEXT: ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/custom/004_i360_4_custom.conf"] [line "1194"] [id "77140992"] [msg "Suspicious access attempt (WP folders)!||SC:/var/www/vhosts/examplecom./httpdocs/wp-admin/options.php||T:APACHE||MVN:REQUEST_FILENAME||MV:/wp-admin/options.php||PC:279||"] [severity "NOTICE"] [tag "i360custom"] [tag "noshow"] Warning. Pattern match "(\\\\.htaccess|.+\\\\.(pht|phtml|php\\\\d?)$)" at REQUEST_FILENAME. [hostname "example.com"] [uri "/wp-admin/options.php"] [unique_id "XmDCi5leJOHfxcUxur7kKwAAAAE"], referer: https://example.com/wp-admin/admin.php?page=elementor-tools

  ---

  CONFIG_TEXT: [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]

Cause

False-positive detection by ModSecurity.

Strict ModSecurity rule-sets (e.g. OWASP or Comodo) may block some operations on the website (such as file sharing, webmail, and some web applications, including WordPress and its plugins).

Resolution

Disable the ModSecurity using ID from the error above:

1. Log in to Plesk.

2. Go to Domains > example.com > Web Application Firewall.

3. Specify the rule IDs from the error message above (for example, 340465) in the field and click OK.