Exclusions for WordPress core
See original GitHub issue. Issue for tracking original pull request created by user lifeforms on date 2016-10-02 15:06:58. Link to original PR: https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/599
HEAD is: 861f86533f03148e4f82b98b892f6c36d13cc96c
BASE is: 2a2e5af457d027d029c3df57418f30a3ee3dec9e

These exclusions should be pretty good for running WordPress core in paranoia level 2.
Basically, my process was:
- Exclude password parameters for all CRS rules (passwords could contain anything)
- Exclude CMS editor’s post content field from all CRS rules (if you can edit posts you should be able to insert arbitrary html / script)
- Exclude CMS editor’s post title only from SQLi rules (since this field is sensitive to XSS)
- Exclude some fields containing JSON from lots of rules (sigh); maybe we can simplify this in the future by adding a tag to these rules and exclude them at once using ctl:ruleRemoveTargetByTag=looks-like-json
- Exclude some URL parameters from off-site RFI rule
- Exclude some technical parameters
- Don’t exclude comment posting (this might still keep some FP for commenters, but it’s dangerous; might do selective excludes in further updates)
The good thing is performance of these rules should be pretty good, because most exclusions only apply to /wp-admin/ so they can be skipped on almost all requests.
Review and testing welcome!
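The exclusion strategy in the list above, written out as a constructed ModSecurity snippet (this is an added illustration, not the PR's own exclusion file). It assumes ModSecurity 2.9 with CRS 3 (id ranges in ctl:ruleRemoveTargetById, and the attack-sqli tag on the SQLi rules); the 9902xxx rule ids are placeholders.

```apache
# Constructed example of the WordPress exclusion pattern described in the PR.
# Rule ids 9902xxx are placeholders; pick your own range. Exclusions must run
# before the CRS rules they affect, so they sit in phase:1 ahead of the CRS include.

# Password parameters: a password may legitimately contain anything, so drop
# them from every CRS rule (900000-999999 covers the whole CRS id space).
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:9902001,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=900000-999999;ARGS:pwd"

# Everything below only applies under /wp-admin/; on ordinary front-end
# requests the whole block is skipped, which is the performance point above.
SecRule REQUEST_FILENAME "!@beginsWith /wp-admin/" \
    "id:9902010,phase:1,pass,nolog,t:none,skipAfter:END-WP-ADMIN-EXCLUSIONS"

# Profile page: pass1 and the pass1-text field added by the strength widget.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
    "id:9902011,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=900000-999999;ARGS:pass1,\
    ctl:ruleRemoveTargetById=900000-999999;ARGS:pass1-text"

# Post editor: whoever can edit posts may insert arbitrary HTML/script, so the
# content field is excluded from all rules ...
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
    "id:9902012,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=900000-999999;ARGS:content"

# ... while the title is excluded ONLY from SQLi rules, so the XSS rules
# (941xxx) keep inspecting it.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
    "id:9902013,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title"

# The "looks-like-json" idea from the PR would collapse the per-id JSON
# exclusions into one line, once such a tag exists on the affected rules:
#   ctl:ruleRemoveTargetByTag=looks-like-json;ARGS:some_json_field

# Comment posting (wp-comments-post.php) is deliberately NOT excluded here.

SecMarker END-WP-ADMIN-EXCLUSIONS
```

Removing a target from a rule id range keeps the rule active for every other argument, which is what makes this safer than ruleRemoveById.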
Top GitHub Comments
User lifeforms commented on date 2016-10-12 13:22:32:
Hey at least it’s not serialize() 😃
User lifeforms commented on date 2016-10-11 20:00:12:
pass1-text is definitely in the request in 4.6.1. I think it’s added by its javascript widget that shows the strength of the password.