Exclusions for WordPress core

_Issue for tracking original pull request created by user lifeforms on date 2016-10-02 15:06:58. Link to original PR: https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/599._

HEAD is: 861f86533f03148e4f82b98b892f6c36d13cc96c BASE is: 2a2e5af457d027d029c3df57418f30a3ee3dec9e These exclusions should be pretty good for running WordPress core in paranoia level 2.

Basically, my process was:

• Exclude password parameters for all CRS rules (passwords could contain anything)
• Exclude CMS editor’s post content field from all CRS rules (if you can edit posts you should be able to insert arbitrary html / script)
• Exclude CMS editor’s post title only from SQLi rules (since this field is sensitive to XSS)
• Exclude some fields containing JSON from lots of rules (sigh); maybe we can simplify this in the future by adding a tag to these rules and exclude them at once using ctl:ruleRemoveTargetByTag=looks-like-json
• Exclude some URL parameters from off-site RFI rule
• Exclude some technical parameters
• Don’t exclude comment posting (this might still keep some FP for commenters, but it’s dangerous; might do selective excludes in further updates)

The good thing is performance of these rules should be pretty good, because most exclusions only apply to /wp-admin/ so they can be skipped on almost all requests.

Review and testing welcome!