Articles in this section

See more

Login to WordPress or PHP application fails without any error messages, when ModSecurity is enabled in Plesk

Avatar
Nikita Nikushkin
Updated
Follow

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Symptoms

  • The Log In button for WordPress, Typo3 or other CMS in Plesk is not working: it redirects to application login page with empty credentials fields.

  • Login to PHP application using POST request fails without any error messages.

  • ModSecurity is enabled and its configuration set to Tradeoff or Thorough mode in Plesk > Tools & Settings > Web Application Firewall > Settings.

Cause

ModSecurity Tradeoff and Thorough modes include analysis of POST data, which breaks a login mechanism.

Resolution

Log into Plesk and apply one of the following solutions:

  • Switch ModSecurity mode to Fast on Plesk > Tools & Settings > Web Application Firewall (ModSecurity) > Settings: this mode does not include analysis of POST data.

  • Disable ModSecurity for a domain via Plesk > Domains > example.com > Web Application Firewall.

  • Forbid ModSecurity to access request bodies (Windows Server only):

    1. Connect to the server via RDP.

    2. Open the file C:\Program Files\ModSecurity IIS\modsecurity.conf in a text editor and set the SecRequestBodyAccess setting to the Off value:

      CONFIG_TEXT: SecRequestBodyAccess Off

    3. Restart IIS webserver via a command prompt:

      C:\> iisreset

Additional information

Web Application Firewall (ModSecurity)

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles