Symptoms
-
A WordPress website is not accessible, and shows incorrect content, or one of these errors:
Forbidden
You don't have permission to access this resource.
Apache Server at example.com Port 443404 Not found
-
The WooCommerce plugin is enabled on the instance, and updated to version 8.5 or later.
-
Comodo ruleset is enabled in Tools & Settings > Web Application Firewall (ModSecurity)
-
The lines below can be found in Domains > example.com > Logs:
ModSecurity: Warning. Pattern match "[[]x22',().]{10}$|b(?:unionsallsselects(?:(?:null|d+),?)+|ordersbysd{1,4}|(?:and|or)sd{4}=d{4}|waitforsdelays'd+:d+:d+'|(?:select|and|or)s(?:(?:pg_)?sleep(d+)|d+s?=s?(?:dbms_pipe.receive_message ..." at REQUEST_COOKIES:sbjs_first. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/22_SQL_SQLi.conf"] [line "66"] [id "218500"] [rev "18"] [msg "COMODO WAF: SQLmap attack detected||example.com|F|2"] [data "Matched Data: |||id=(none) found within REQUEST_COOKIES:sbjs_first: typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)|||id=(none)"] [severity "CRITICAL"] [tag "CWAF"] [tag "SQLi"] [hostname "example.com"]
Cause
WooCommerce +8.5 triggers the web application firewall rule 218500
from the Comodo ruleset, blocking access.
Resolution
WooCommerce is working to fix this. In the meantime, the rule can be disabled to work around the problem.
- Log in to Plesk
- Disable rule
218500
on the affected domains as instructed in this guide: How to disable specific Web Application Firewall rules in Plesk