Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- ModSecurity is installed and enabled in Tools & Settings > Web Application Firewall (ModSecurity) > On.
- Website is unavailable or it's not possible to make changes on the site, for example edit posts in WordPress:
  403 - Forbidden: Access is denied error is shown. You do not have permission to view this directory or page using the credentials that you supplied.
- WordPress Customisation page is not displayed properly in WordPress Admin Dashboard > Customize.
- An error similar to the following can be seen in Tools & Settings > Web Application Firewall (ModSecurity) > ModSecurity Log File or in /var/www/vhosts/example.com/logs/error_log:
  [:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]
- On Windows, the rule ID and the corresponding block reports can be found at %plesk_dir%\ModSecurity\vhosts\<domain's GUID>\logs\audit.log, where domain's GUID is the guid value of the psa.domains table. It can be found via the CMD command:
  C:\> plesk db "select id, name, guid from domains where name='example.com'"
Cause
False positive detection by ModSecurity.
Resolution
Disable the ModSecurity rule using the ID from the error above:
- Log into Plesk.
- Go to Domains > example.com > Web Application Firewall.
- Specify the rule IDs from the error above (for example, 340465) used in the rules that need to be switched off, and click OK.
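The value to enter in the last step is the bare number inside the [id "..."] field of the log entry. The following Python script is an added example, not part of the original article or of Plesk: it parses error_log lines, keeps only ModSecurity entries that actually blocked a request, and counts hits per rule ID and URI so each ID can be reviewed before it is switched off. The function names are hypothetical, and the second sample line is constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the error quoted in this article, line 2 is a
# made-up, unrelated Apache error that the parser must skip.
SAMPLE_LOG = '''[:error] [pid 31252] [client 203.0.113.2] ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "387"] [id "340465"] [rev "56"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: Remote File Injection attempt in ARGS (admin.php)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ://%{SERVER_NAME}/" against "ARGS:acf[field_56f7086726ff3][5723803c33c38][field_56f7089d26ff5]" required. [hostname "example.com.203-0-113-2.example.com"] [uri "/wp-admin/admin.php"] [unique_id "VyOBQIoQ1geo@o607dR4jwAAAAQ"]
[:error] [pid 31260] [client 203.0.113.2] File does not exist: /var/www/vhosts/example.com/httpdocs/favicon.ico
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] metadata
TARGET_RE = re.compile(r'against "([^"]+)"')              # variable that matched


def parse_modsec_line(line):
    """Return the ModSecurity metadata of one error_log line, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    target = TARGET_RE.search(line)
    fields["target"] = target.group(1) if target else ""
    fields["blocked"] = "Access denied" in line
    return fields


def blocked_rules(log_text):
    """Count blocking hits per (rule ID, URI) so each ID can be reviewed."""
    hits = Counter()
    for line in log_text.splitlines():
        event = parse_modsec_line(line)
        if event and event["blocked"]:
            hits[(event["id"], event.get("uri", ""))] += 1
    return hits


if __name__ == "__main__":
    for (rule_id, uri), count in blocked_rules(SAMPLE_LOG).most_common():
        print(f"rule {rule_id} blocked {uri} {count} time(s)")
```

The msg and target fields of each parsed entry show which request parameter triggered the rule, which helps confirm the hit is a false positive from a legitimate admin action before the ID is disabled for the domain.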
Comments
3 comments
It's worth noting the free Atomic list won't get this fix/update until next month, right?
I'm having trouble using Plesk 12.5 UI to Switch off the Rule by ID. Is the correct ID format "[id "340465"]"?
After updating to the $200/yr paid Atomic list this issue is resolved. I think otherwise I would've had to wait 30 days for the free delayed updates to be deployed to me.
@Tony issue should be fixed by running above-mentioned command