WordPress vs. mod_security

Wednesday, 13 June 2007

WordPress blog posts with certain words in them can sometimes be blocked or fail mysteriously. Sometimes the offending word is silently removed from the post; other times the post fails with an HTTP error. Here’s a description of one possible cause, together with a useful workaround in case this problem happens to you. The problem could actually affect any blog platform or pretty much any other web application, not just WordPress.

If I try to write a WordPress blog post containing the word “python” followed by a space, I get an HTTP error page. The error is “403 – Forbidden”. After a bit of experimentation I have found that the “python” can be in any case, and that it’s only a problem if followed by a space.

By some coincidence, I recently read about a similar mysterious bug on the WordPress support forum. The problem seems to be caused by over-zealous mod_security rules. It looks as if my web host is using mod_security to block any HTTP POST that appears to contain a Python command. Even if it’s only me trying to write a blog post about scripting languages.

Even though my problem was with the word “python”, the forum post mentions similar problems with the words “compress” and “curl”. It just depends on what rules your web host has implemented.

I know better than to try to get my host to change their rules — it would take a bit of time, and there’s a workaround anyway. Just add some obfuscatory HTML to avoid triggering the rule. My first attempt was this:

Python&nbsp;

This works fine, but unfortunately WordPress actually translates the &nbsp; into a space. Later, if I edit the post and try to save, mod_security blocks it again. I have to manually replace the space with a &nbsp; again.

So here’s the best solution I found.

Python<span></span>

Note that you have to be in the code editor (not the visual editor) in WordPress to enter the < and > characters. Using this trick you can talk about Python just as much as you want, and edit your posts too. And this solution is completely general; you can write com<span></span>press or cu<span></span>rl or whatever other forbidden word you like.
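To make the mechanics concrete, here is an added Python example (not code from the original post). It models the host's rule as a case-insensitive match on `python` followed by whitespace, which is an assumption reconstructed from the experiments above; it applies the `<span></span>` workaround, models the `&nbsp;` round-trip problem, and shows an illustrative narrower rule that only flags what looks like an interpreter invocation, so a "carpet python" no longer trips it.

```python
import re

# Assumed shape of the host's rule, reconstructed from the experiments in the
# post: case-insensitive "python" followed by any whitespace, anywhere in the
# POST body. This is a model, not the host's actual mod_security configuration.
NAIVE_RULE = re.compile(r"python\s", re.IGNORECASE)

# Illustrative narrower rule (my own, not from the post or the host): flag
# "python" only when it is followed by an option or a script filename, i.e.
# something that reads like a command line rather than ordinary prose.
NARROW_RULE = re.compile(r"\bpython\s+(?:-\w+|[\w./-]+\.py)\b", re.IGNORECASE)


def is_blocked(body: str, rule: re.Pattern = NAIVE_RULE) -> bool:
    """Return True if a filter applying `rule` would reject this POST body."""
    return rule.search(body) is not None


def split_word(body: str, word: str, filler: str = "<span></span>") -> str:
    """Apply the post's workaround: put an empty element right after `word`
    so it is no longer followed by whitespace, while rendering unchanged."""
    pattern = re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)
    return pattern.sub(lambda m: m.group(0) + filler, body)


def wordpress_resave(body: str) -> str:
    """Constructed model of the behaviour described in the post: on re-edit,
    WordPress turns &nbsp; back into a plain space but leaves <span></span> alone."""
    return body.replace("&nbsp;", " ")


if __name__ == "__main__":
    # Constructed sample bodies: a harmless zoology post and a genuine command.
    prose = "Our carpet python is three metres long."
    command = "Run python backup.py nightly"
    print("prose blocked by naive rule:", is_blocked(prose))                 # True
    print("prose blocked by narrow rule:", is_blocked(prose, NARROW_RULE))   # False
    print("command blocked by narrow rule:", is_blocked(command, NARROW_RULE))  # True
    fixed = split_word(prose, "python")
    print(fixed, "->", is_blocked(fixed))                                    # False
    # The &nbsp; variant survives only until the post is edited and re-saved.
    nbsp = "Our carpet python&nbsp;is three metres long."
    print(is_blocked(nbsp), is_blocked(wordpress_resave(nbsp)))             # False True
    print(is_blocked(wordpress_resave(fixed)))                               # False
```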


12 comments


  1. Weird. This seems to be a totally dumb rule to add into mod_security, I thought this was only filtering on GET (maybe POST?) urls. What then if someone comments with a filtered word? Does it ban the whole page? That’s dumb 🙂

    You should warn your hosting company about this issue, and by the way ask them for a list of censored words. Then you’ll make a plugin in seconds converting all “censored” into “cen<em></em>sored” or something.

  2. If you try to post a comment with the magic text in it, you simply end up with a 403 error and the comment never gets through. (I just tried it.) The filter applies only to incoming text — this includes the POST body and the URL.

  3. I had the same problem on a website I am developing hosted at http://www.aiso.net/. It was filtering out “python” with a space at the end. Considering I was trying to post a media release which contained the word “carpet python” – it took me quite some time to figure out why on earth I was getting a 403.

    However, I contacted tech support, told them of the problem, they figured it was mod_security and removed the rule.

    Frankly though, I’d rather not have mod_security enabled in the first place. I’d rather just write secure web applications.

    David.

  4. Thanks a bunch for the tip. I was very nearly pulling out my hair wondering why the “P” word was giving me 403 errors on my blog. The span solution seems to have done the trick. 😉

  5. Thanks for the tip, I was having issues with this in the past but just couldn’t come with a better solution than writing P’ython instead :P. Will keep this one in mind :D.

  6. Thanks a lot, that was very helpful.

  7. Thank you very much for the tip. I was going crazy trying to reference that British comedy troupe that did a movie about a Grail…

  8. One of my friends was facing a similar problem, which was fixed after bypassing some mod_security rules. After further searching on this matter, I have found a good article on bypassing certain rules for WordPress:

    http://blog.webhostingdiscussion.net/site-and-server-security/wordpress-and-mod_security2-issues.htm

    Thanks,

    Ritesh

  9. Thanks @Ritesh. It’s not that much of an issue for me really, but that link could be very helpful to others out there who have this problem.

  10. I had a similar issue with WordPress – 403 errors triggered by a keyword. Took ages to figure it out, but it turns out the triggering string was “/cgi/”.

  11. python fuck yea
