Symptoms
-
A WordPress instance site hosted on Plesk fails to load with:
403 forbidden
-
Log records similar to the examples below can be found at
/var/www/vhosts/example.com/logs/errors_log
:ModSecurity: Access denied with code 403 (phase 4). Match of "rx \ssrc=\x22https:\/\/www\.googletagmanager\.com\/ns\.html\?id=GTM|\ssrc=\x22https:\/\/w\.soundcloud\.com\/player\/\?url=" against "TX:0" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/19_Outgoing_FilterInFrame.conf"] [line "14"] [id "214540"] [rev "5"] [msg "COMODO WAF: Possibly malicious iframe tag in output||example.com|F|3"] [data "Matched Data: <iframe src=x22https://widgets.wp.com/3rd-party-cookie-check/index.htmlx22 style=x22display:none found within TX:0: <iframe src=x22https://widgets.wp.com/3rd-party-cookie-check/index.htmlx22 style=x22display:none"] [severity "ERROR"] [tag "CWAF"] [tag "FilterInFrame"] [hostname "example.com"] [uri "/index.php"] [unique_id "Yxhf3IEsQWESe-rBcToL6AAAAEo"]
ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "example.com"] [uri "/error_docs/forbidden.html"] [unique_id "Yxhf3IEsQWESe-rBcToL6AAAAEo"]
Cause
The WordPress 3rd-party cookie-checking plugin triggers a false positive block action by ModSecurity.
Resolution
-
Switch off the security rules found on the logs by its ID(s) with this instructions.
Note: For example on the above domain logs the errors contain more than one rule ID as:
[id "214540"]
and[id "214940"]
.On this case "214540" and "214940" should be disabled.
Additional information
A website hosted in Plesk fails to load when ModSecurity is enabled