Whitelisting WordPress admin (wp-admin) in mod_security to avoid 404 on post save or post preview

Yesterday, while I was writing a post about excluding a category from the WordPress home page and RSS feed, I found that all of a sudden the Save and Preview buttons in the WordPress admin were not working. I was shown a "404 Not Found" screen whenever I tried to Save or Preview the post. I was a bit surprised and thought that either WordPress 2.8.4 was broken or I had messed something up while hacking the category exclusion into my blog. I really had to dig in and do some googling to find out that I was seeing the 404 because of mod_security. I had mod_security installed on the server and had never run into this issue before because I was using ScribeFire to write posts on my blogs.

Now that I had found the cause of the problem, I quickly rushed over to the WordPress forum to find out how other people were dealing with the issue, because I was sure I was not the only one using mod_security. After searching the WordPress forum I found a thread, "Disabling mod_security". The thread started with someone trying to disable mod_security altogether for their blog, which is of course not a good practice. But on the same thread I saw advice from djdavedawson about how to whitelist a few features of your WordPress admin in mod_security. The advantage of this approach is clear: mod_security is not disabled completely, so you keep that layer of security. You have only allowed (whitelisted) the few features that are required to post new blog entries using the WordPress admin panel.

Nowadays many hosting accounts come with cPanel pre-installed, as was the case with my server. I am assuming that is the case for you too; if you have another control panel you will have to find your mod_security whitelist.conf file yourself, or hire an expert sysadmin to do it for you. 🙂 On a cPanel server the mod_security whitelist.conf is located at /usr/local/apache/conf/modsec2/whitelist.conf.

  1. Open whitelist.conf with a text editor
  2. Add the following rules to the file. Each LocationMatch block must be closed with </LocationMatch>, and the quotes must be plain ASCII double quotes, otherwise Apache will refuse to start:

    <LocationMatch "/wp-admin/post.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

    <LocationMatch "/wp-admin/admin-ajax.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

    <LocationMatch "/wp-admin/page.php">
    SecRuleRemoveById 300015 300016 300017
    </LocationMatch>

  3. Save the file
  4. Restart Apache

NOTE: Don’t use the methods that disable mod_security completely.
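The whole point of the whitelist approach is that the exemptions stay scoped to the admin scripts rather than the entire site. The following script is an added example (not part of the original post or of mod_security) that parses a whitelist.conf fragment, maps each LocationMatch path to the rule IDs removed inside it, refuses unbalanced blocks (the same thing Apache rejects), and flags any block whose path is not under /wp-admin/. The sample configuration is constructed for the example and includes one deliberately over-broad block for the check to catch; the /wp-admin/ prefix and the helper names are my own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two blocks from this post plus a hypothetical
# over-broad block that would remove rules for the whole site.
SAMPLE_CONF = """\
<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300015 300016 300017
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300015 300016 300017
</LocationMatch>

# Hypothetical mistake: this exempts every URL on the site
<LocationMatch "/">
SecRuleRemoveById 300015
</LocationMatch>
"""

_OPEN = re.compile(r'^\s*<LocationMatch\s+"?([^">]+)"?\s*>\s*$')
_CLOSE = re.compile(r'^\s*</LocationMatch>\s*$')
_REMOVE = re.compile(r'^\s*SecRuleRemoveById\s+(.+?)\s*$')


def parse_whitelist(text: str) -> Dict[str, List[str]]:
    """Return {location_pattern: [rule ids removed inside that block]}.

    Raises ValueError on unbalanced blocks or on a SecRuleRemoveById that
    sits outside any block (which would apply to the whole server).
    """
    removed: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        m = _OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: <LocationMatch> opened before "
                                 f"{current!r} was closed")
            current = m.group(1)
            removed.setdefault(current, [])
            continue
        if _CLOSE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: </LocationMatch> without an opening tag")
            current = None
            continue
        m = _REMOVE.match(line)
        if m:
            if current is None:
                raise ValueError(f"line {lineno}: SecRuleRemoveById outside any "
                                 f"<LocationMatch> block would apply site-wide")
            removed[current].extend(m.group(1).split())
    if current is not None:
        raise ValueError(f"<LocationMatch {current!r}> is never closed")
    return removed


def overbroad_locations(removed: Dict[str, List[str]],
                        allowed_prefix: str = "/wp-admin/") -> List[str]:
    """Paths whose exemption is not confined to the admin area."""
    return [path for path in removed if not path.startswith(allowed_prefix)]


if __name__ == "__main__":
    rules = parse_whitelist(SAMPLE_CONF)
    for path, ids in rules.items():
        print(f"{path}: removes {', '.join(ids)}")
    for path in overbroad_locations(rules):
        print(f"WARNING: exemption for {path!r} reaches outside /wp-admin/")
```

One caveat the check does not model: the argument to LocationMatch is a regular expression, not a literal path, so an unanchored pattern such as "/wp-admin/post.php" matches any request whose path contains that text. The prefix test here is a plain-string heuristic; if you want the exemption strictly limited, anchor the pattern with ^ and escape the dots.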

This is what solved my issue of a 404 on post save or post preview. If your problem is not solved, you will either have to find the cause yourself or let me know in the comments exactly what the problem is and what steps you have taken. If you solved the above issue using some other method, kindly share it in the comments.

PS: This post was written using the WordPress admin panel to confirm that everything is working fine.