Symptoms
- All websites on the Plesk server are periodically unavailable after accessing WordPress comments or working in the WordPress dashboard.
- The Comodo ruleset is enabled in ModSecurity at Tools & Settings > Web Application Firewall (ModSecurity).
- The ‘plesk-modsecurity’ jail is enabled at Tools & Settings > IP Address Banning (Fail2Ban) > Jails.
Cause
The IP address is banned by Fail2Ban; the ban is triggered by a ModSecurity rule match alert.
The following message appeared at Tools & Settings > Web Application Firewall (ModSecurity) > ModSecurity Log File:
Message: Warning. String match "get" at REQUEST_METHOD. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/27_Apps_WPPlugin.conf"] [line "4595"] [id "222212"] [rev "2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WPPlugin"]
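To confirm which rule is generating the alerts before changing the ruleset or disabling a rule, the bracketed fields of such Message lines can be tallied per rule id. The following is an added example, not part of the original article or of Plesk; the function names, the second sample line and its placeholder rule id are assumptions made for illustration.

```python
import re
from collections import Counter

# [key "value"] pairs as they appear on a ModSecurity "Message:" line.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# The Message line quoted in this article.
PAGE_LINE = ('Message: Warning. String match "get" at REQUEST_METHOD. '
             '[file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/27_Apps_WPPlugin.conf"] '
             '[line "4595"] [id "222212"] [rev "2"] [severity "CRITICAL"] '
             '[tag "CWAF"] [tag "WPPlugin"]')
# Constructed for contrast: placeholder rule id and path, not real values.
OTHER_LINE = ('Message: Warning. Pattern match "x" at ARGS. '
              '[file "/path/to/placeholder.conf"] [line "1"] [id "000001"] '
              '[severity "NOTICE"] [tag "EXAMPLE"]')
# Constructed sample input: repeated alerts plus lines that must be ignored.
SAMPLE = [PAGE_LINE] * 3 + [OTHER_LINE, "--0a1b2c3d-Z--", "Message: no fields here"]


def parse_message(line):
    """Return the bracketed fields of one Message line, or None if not an alert."""
    if not line.startswith("Message:"):
        return None
    fields = {"tag": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tag"].append(value)  # a rule can carry several tags
        else:
            fields[key] = value
    return fields if "id" in fields else None


def summarize(lines):
    """Count alerts per rule id, most frequent first, with severity and rule file."""
    counts, details = Counter(), {}
    for line in lines:
        rec = parse_message(line.strip())
        if rec is None:
            continue
        counts[rec["id"]] += 1
        details.setdefault(rec["id"], rec)
    return [(rid, n, details[rid].get("severity"), details[rid].get("file"))
            for rid, n in counts.most_common()]


if __name__ == "__main__":
    for rid, n, sev, path in summarize(SAMPLE):
        print(f"{n:5d}  id={rid}  severity={sev}  {path}")
```

A rule id that dominates the tally while the requests are ordinary WordPress dashboard traffic is the candidate for Solution 2; feed the function the lines of the ModSecurity log file instead of `SAMPLE`.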
Resolution
Solution 1. Log in to Plesk and switch the ModSecurity ruleset to Atomic Standard in Plesk > Tools & Settings > Web Application Firewall (ModSecurity) > Settings.
Solution 2. Disable the ModSecurity rule with id 222212, following the instructions in "How to disable specific ModSecurity rules in Plesk".