After my initial post about wordpress and mod_security, I decided to have a bit more of a look around to find what rules other people had needed to disable to get it working.
I found a really good post over at Gray.me.uk – Mod security and wordpress the final config which had a few additional rules mentioned, but did not solve the problems I was having initially. So I thought I would draw on what they had posted and what I have learnt to produce a fully working list of rules that need to be disabled in order for WordPress 2.9.1 and mod_security Core Rules 2.0.3 to work together.
Below follows an example vhost file the important elements of it being the LocationMatch tags containing the SecRuleRemovedById.
<VirtualHost *:80> ServerName pablumfication.co.uk ServerAlias www.pablumfication.co.uk DocumentRoot /var/www/pablumfication.co.uk <Directory /> Options +FollowSymLinks AllowOverride FileInfo </Directory> <LocationMatch "/> SecRuleRemoveById 910006 # Google robot activity - Useful in someways but noisy for sites where you want them crawled SecRuleRemoveById 960015 # Request Missing an Accept Header - Allow for Google Reader </LocationMatch> <LocationMatch "/wp-includes/"> SecRuleRemoveById 960010 # Request content type is not allowed by policy - Allows for amongst other things spell check to work on admin area SecRuleRemoveById 960012 # Require Content-Length to be provided with every POST request - Same as above </LocationMatch> <LocationMatch "(/wp-admin/|/wp-login.php)"> SecRuleRemoveById 950005 # Remote File Access Attempt - This rule probably doesn't need to be disabled by everyone but it stops me putting /etc/ in posts and other such linux paths. SecRuleRemoveById 950117 # Remote File Inclusion Attack - Disable to allow http:// to be passed in args </LocationMatch> <LocationMatch "(/wp-admin/post.php|/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-includes/)"> SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in args. </LocationMatch> </VirtualHost>