Login to WordPress or PHP application fails without any error messages, when ModSecurity is enabled in Plesk

Symptoms

• The login button for WordPress, Typo3 or other CMS in Plesk is not working: it redirects to the application login page with empty credentials fields.

• Login to PHP application using POST request fails without any error messages.

Cause

Login mechanism is broken by ModSecurity Tradeoff/Thorough modes, enabled in Plesk > Tools & Settings > Web Application Firewall > Settings.  These modes include analysis of POST data that lead to changing sending packets.

Resolution

Log into Plesk and apply one of the following solutions:

1. Switch ModSecurity mode to Fast on Plesk > Tools & Settings > Web Application Firewall (ModSecurity) > Settings: this mode does not include analysis of POST data.

2. Disable ModSecurity for a domain via Plesk > Domains > example.com > Web Application Firewall.

3. Forbid ModSecurity to access request bodies by setting SecRequestBodyAccess Off directive at Plesk > Tools & Settings > Web Application Firewall > Settings > Custom directives