Issue
Cannot access the admin area, publish anything on the website, or update its components (a theme or a plugin). An Imunify360 ModSecurity rule is suspected of blocking the requests.
Environment
- Imunify360
- ModSecurity
- Any supported panel
- Any supported OS
Solution
1. To start troubleshooting, check the Imunify360 > Incidents tab for recent events that contain the domain in question. For more detailed incidents, search console.log for the domain or the client IP:
# grep modsec /var/log/imunify360/console.log | grep domain.com
# grep modsec /var/log/imunify360/console.log | grep 1.2.3.4
2. Compare the timestamps of the issue occurrence and the events found, then check the rules triggered for this period.
The probable faulty rule can be found by paying attention to the rule severity, the status code, and the reference URL mentioned in these events. For example, a user cannot access the WordPress admin area and receives a 403 Forbidden error:
INFO [2021-10-06 10:07:29,022] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '11.22.33.44', 'rule': '33303', 'access_denied': True, 'severity': 2, 'tag': ['wp_core'], 'status_code': '403', 'advanced': {'headers': [['Host', 'domain.com'], ['User-Agent', 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36'], ['Content-Length', '97'], ['Content-Type', 'application/x-www-form-urlencoded'], ['Cookie', [['wordpress_test_cookie', '[chr]{2}+[chr]{6}+[chr]{5}']]], ['Accept-Encoding', 'gzip'], ['Connection', 'close']], 'uri': '/wp-login.php', 'http_method': 'POST'}, 'user_id': 'c001d777c69115a6a7945d08740c8cb5a53c291f', 'message': 'IM360 WAF: WordPress Bruteforce RBL block||T:LITESPEED||MV:RBL lookup of 10-07.188.212.34.69.www-brute.v2.rbl.imunify.com._v4 succeeded.', 'name': 'IM360 WAF: WordPress Bruteforce RBL block', 'timestamp': 1633507649.0063832, 'domain': 'domain.com'}) processed in 0.0054 seconds
Here are the details to look out for:
- 'attackers_ip': '11.22.33.44'
- 'rule': '33303'
- 'access_denied': True
- 'severity': 2
- 'status_code': '403'
- 'Host', 'domain.com'
- 'message': 'IM360 WAF: WordPress Bruteforce RBL block'
The status_code and access_denied values confirm that the request ended on the error page because of this exact rule. The severity level shows whether the triggered rule is critical or only serves for notice purposes: for ModSecurity, the lower the severity value, the more critical the incident.
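The grep in step 1 returns the raw SensorIncident lines, and step 2 asks you to pick out the handful of fields that matter. As an added example (not code from the article or from Imunify360), the following Python script does that extraction: the dict inside SensorIncident(...) is a Python literal, so it can be parsed safely with ast.literal_eval, filtered by domain or IP, and reduced to the fields listed above, keeping only incidents that actually denied the request. The sample log is constructed: the first line is the article's own incident, the second is a constructed notice-level incident for another domain with a placeholder rule id, and the third is unrelated noise.

```python
import ast
import re

# Constructed sample of /var/log/imunify360/console.log.
# Line 1: the SensorIncident from the article (headers shortened).
# Line 2: constructed notice-level incident, rule id '000000' is a placeholder.
# Line 3: unrelated log line that must be skipped.
SAMPLE_LOG = r"""INFO [2021-10-06 10:07:29,022] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '11.22.33.44', 'rule': '33303', 'access_denied': True, 'severity': 2, 'tag': ['wp_core'], 'status_code': '403', 'advanced': {'headers': [['Host', 'domain.com'], ['User-Agent', 'Mozilla/5.0'], ['Cookie', [['wordpress_test_cookie', '[chr]{2}+[chr]{6}+[chr]{5}']]]], 'uri': '/wp-login.php', 'http_method': 'POST'}, 'user_id': 'c001d777c69115a6a7945d08740c8cb5a53c291f', 'message': 'IM360 WAF: WordPress Bruteforce RBL block||T:LITESPEED||MV:RBL lookup of 10-07.188.212.34.69.www-brute.v2.rbl.imunify.com._v4 succeeded.', 'name': 'IM360 WAF: WordPress Bruteforce RBL block', 'timestamp': 1633507649.0063832, 'domain': 'domain.com'}) processed in 0.0054 seconds
INFO [2021-10-06 10:09:01,500] defence360agent.internals.the_sink: SensorIncident({'method': 'INCIDENT', 'plugin_id': 'modsec', 'attackers_ip': '5.6.7.8', 'rule': '000000', 'access_denied': False, 'severity': 5, 'tag': ['noshow'], 'status_code': '200', 'advanced': {'headers': [['Host', 'other.example']], 'uri': '/', 'http_method': 'GET'}, 'message': 'constructed notice-level example', 'name': 'constructed', 'timestamp': 1633507741.5, 'domain': 'other.example'}) processed in 0.0031 seconds
INFO [2021-10-06 10:09:02,000] defence360agent.simple_rpc.something: unrelated line
"""

# Log line shape assumed from the article's example: "<LEVEL> [<time>] <logger>: SensorIncident({...}) processed in ..."
INCIDENT_RE = re.compile(
    r"^\w+ \[(?P<logged>[^\]]+)\] \S+: SensorIncident\((?P<body>\{.*\})\) processed in"
)


def parse_incidents(log_text):
    """Yield one dict per SensorIncident line; every other line is skipped.

    ast.literal_eval only evaluates literals, so untrusted log content
    cannot execute code the way eval() would.
    """
    for line in log_text.splitlines():
        m = INCIDENT_RE.match(line)
        if not m:
            continue
        incident = ast.literal_eval(m.group("body"))
        incident["_logged"] = m.group("logged")  # wall-clock time as written by the agent
        yield incident


def header(incident, name):
    """Return a request header value from the incident's 'advanced' block, or None."""
    for key, value in incident.get("advanced", {}).get("headers", []):
        if key.lower() == name.lower():
            return value
    return None


def summarize(incident):
    """Reduce an incident to the fields the article tells you to look at."""
    return {
        "time": incident["_logged"],
        "host": header(incident, "Host") or incident.get("domain"),
        "uri": incident.get("advanced", {}).get("uri"),
        "attackers_ip": incident["attackers_ip"],
        "rule": incident["rule"],
        "severity": incident["severity"],          # lower value = more critical
        "status_code": str(incident["status_code"]),
        "access_denied": incident["access_denied"],
        "message": incident["message"].split("||")[0],  # rule name, without the T:/MV: details
    }


def find_blocking_rules(log_text, domain=None, ip=None):
    """Equivalent of the article's grep, but keeps only incidents that really
    denied the request (access_denied True and a 4xx status), sorted so the
    most critical (lowest severity number) rule comes first."""
    hits = []
    for inc in parse_incidents(log_text):
        s = summarize(inc)
        if domain and s["host"] != domain and inc.get("domain") != domain:
            continue
        if ip and s["attackers_ip"] != ip:
            continue
        if s["access_denied"] and s["status_code"].startswith("4"):
            hits.append(s)
    hits.sort(key=lambda s: s["severity"])
    return hits


if __name__ == "__main__":
    for s in find_blocking_rules(SAMPLE_LOG, domain="domain.com"):
        print(f'{s["time"]} rule {s["rule"]} sev {s["severity"]} {s["status_code"]} '
              f'{s["attackers_ip"]} -> {s["host"]}{s["uri"]}: {s["message"]}')
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/imunify360/console.log and call find_blocking_rules with the affected domain; the rule id in the first result is the one to compare against the timestamp of the failed admin request in step 3.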
3. If no suspicious activity was performed from the IP and the case definitely looks like a false positive, double-check that the detected rule is the cause of the problem by disabling it temporarily. Go to Imunify360 Settings > Disabled Rules and click the Add button.
Otherwise, it can be done via the CLI:
# imunify360-agent rules disable --id 33303 --plugin modsec --name 'WP login issue' --domains domain.com
To confirm that the rule is disabled, the following command can be used:
# imunify360-agent rules list-disabled
4. After disabling the rule, try to perform the necessary actions in the WordPress admin area. If the issue is resolved, it is important to report the false-positive incident for that rule to the Support Team at https://cloudlinux.zendesk.com/hc/en-us/requests/new. Such requests are checked and forwarded to the security team for further improvements.
Useful links
- https://docs.imunify360.com/dashboard/#incidents-logging
- https://github.com/SpiderLabs/ModSecurity/wiki/#severity
- https://docs.imunify360.com/dashboard/#disabled-rules
- https://docs.imunify360.com/command_line_interface/#rules
- https://cloudlinux.zendesk.com/hc/en-us/articles/360019103520-I-cannot-access-my-WordPress-website
- https://cloudlinux.zendesk.com/hc/en-us/articles/360013049860-ModSecurity-rules-with-and-without-the-noshow-tag