Search code examples
wordpress.htaccesscachingmod-security

modsecurity issue wordpress site loading issue

This is my first question so please bear with me.

I'm having a mode security issue on one of our sites from last few days, I just complete site and after few hours I got mode sec issue and our site is blocked. I reinstalled site next day again but after one day we are having same issue.

We are using wordpress on linux server.

After searching a bit I put below code on my .htaccess file on root folder to disable modsec 

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

<files wp-config.php>
order allow,deny
deny from all
</files>

After that site worked for one day but site is down again.

now we are having this error;

This web page is not available ERR_CONNECTION_REFUSED

Sometimes just text load I get 404 not found on for rest of assets.

When I talked to hosting guy they said site is loading properly on their end and it is working properly on entire globe.

I'm not able to ping too, but I can check my site speed test on google page speed insights properly. I can access other sites properly, my firewall, antivirus is not blocking which I've checked.

I have talked to our hosting guy they said u r having sql injection issue see mod sec log files.

Please note: I have about 4000 lines of log file I just remove common lines as limitation

Please help, and thanks in advance

    [Sat Aug 01 10:18:34 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||fuHs7JDWgpPKJJWn3rIyohyr0p8fOH3ndnb9yO76kA73fogyMMX9DBW6YZ2vsCFj||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/wp-content/themes/landx/images/favicon.ico"] [unique_id "VbxPoWf3YKwAAKm1VsYAAAAT"]
    [Sat Aug 01 10:35:23 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||fuHs7JDWgpPKJJWn3rIyohyr0p8fOH3ndnb9yO76kA73fogyMMX9DBW6YZ2vsCFj||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/wp-admin"] [unique_id "VbxTk2f3YKwAAO3nZtcAAAAS"]
    [Sat Aug 01 10:35:24 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||fuHs7JDWgpPKJJWn3rIyohyr0p8fOH3ndnb9yO76kA73fogyMMX9DBW6YZ2vsCFj||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/wp-admin/"] [unique_id "VbxTlGf3YKwAAO3nZtgAAAAS"]

    [Sat Aug 01 12:00:36 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-login.php"] [unique_id "VbxnjGf3YKwAAOSijfsAAAAL"]
    [Sat Aug 01 12:00:37 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/css/login.min.css"] [unique_id "VbxnjWf3YKwAAOU@ptgAAAAx"]
    [Sat Aug 01 12:01:15 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-scripts.php"] [unique_id "Vbxns2f3YKwAAN76FGEAAAAF"]
    [Sat Aug 01 12:01:15 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-styles.php"] [unique_id "Vbxns2f3YKwAAOfO6OUAAAAI"]
    [Sat Aug 01 12:01:15 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-scripts.php"] [unique_id "Vbxns2f3YKwAAOfr6qcAAAAQ"]

    [Sat Aug 01 12:01:47 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||kdcosaYUpuxKKO3sDkfmEmXSizoN/XqD9vVzQtcDNHd1w6GMPyOMOI/ADewJtIxL||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/"] [unique_id "Vbxn02f3YKwAAOT0leQAAAAb"]
    [Sat Aug 01 12:01:49 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||kdcosaYUpuxKKO3sDkfmEmXSizoN/XqD9vVzQtcDNHd1w6GMPyOMOI/ADewJtIxL||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/wp-content/plugins/perch-shortcodes/includes/icon-picker/css/icon-picker.css"] [unique_id "Vbxn1Wf3YKwAAOT0leUAAAAb"]
    [Sat Aug 01 12:01:49 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||kdcosaYUpuxKKO3sDkfmEmXSizoN/XqD9vVzQtcDNHd1w6GMPyOMOI/ADewJtIxL||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/wp-content/plugins/perch-shortcodes/includes/icon-picker/fonts/genericons/genericons.css"] [unique_id "Vbxn1Wf3YKwAAOgC7KkAAAAT"]
    [Sat Aug 01 20:37:30 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||G8YMUoA8BA9GL73Si3nQmApSUTQnMBhMYMhiXf8gVXJFq6ldEWfH7jJa0YgRoQqh||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/wp-admin/"] [unique_id "Vbzgsmf3YKwAADBaHVUAAAAZ"]
    [Sat Aug 01 20:37:32 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||G8YMUoA8BA9GL73Si3nQmApSUTQnMBhMYMhiXf8gVXJFq6ldEWfH7jJa0YgRoQqh||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/wp-admin/"] [unique_id "VbzgtGf3YKwAADBaHVoAAAAZ"]
    [Sat Aug 01 20:37:59 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-login.php"] [unique_id "Vbzgz2f3YKwAADSlwJsAAAAR"]
    [Sat Aug 01 20:38:00 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/css/login.min.css"] [unique_id "Vbzg0Gf3YKwAACjZuQoAAAAI"]
    [Sat Aug 01 20:38:08 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-styles.php"] [unique_id "Vbzg2Gf3YKwAADLfV8UAAABC"]
    [Sat Aug 01 20:38:09 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-scripts.php"] [unique_id "Vbzg2Wf3YKwAADLmXk8AAABJ"]
    [Sat Aug 01 20:38:09 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-scripts.php"] [unique_id "Vbzg2Wf3YKwAADLoYCMAAABL"]
    [Sat Aug 01 20:38:14 2015] [error] [client 123.252.231.21] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:(\\\\!\\\\=|\\\\&\\\\&|\\\\|\\\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\\\s+between\\\\s+0\\\\s+and)|(?:is\\\\s+null)|(like\\\\s+null)|(?:(?:^|\\\\W)in[+\\\\s]*\\\\([\\\\s\\\\d\\"]+[^()]*\\\\))|(?:xor|<>|rlike(?:\\\\s+binary)?)|(?:regexp\\\\s+binary))" at REQUEST_COOKIES:__tawkuuid. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6184"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: || found within REQUEST_COOKIES:__tawkuuid: e||mysite.com||m1oJVSsPih8J2ec6wViZal4GWUzYifsz/dr8q6jOJwscxEBZVnOyse/Bwos9aZ8s||2"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "mysite.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "Vbzg3mf3YKwAADSGtsQAAAAF"]
    [Sat Aug 01 20:38:21 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/themes.php"] [unique_id "Vbzg5Wf3YKwAADSXuw8AAAAL"]
    [Sat Aug 01 20:38:23 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-scripts.php"] [unique_id "Vbzg52f3YKwAADSEs@0AAAAC"]
    [Sat Aug 01 20:38:26 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-styles.php"] [unique_id "Vbzg6mf3YKwAADSEs@4AAAAC"]
    [Sat Aug 01 20:38:27 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/load-scripts.php"] [unique_id "Vbzg62f3YKwAADSkv8UAAAAQ"]
    [Sat Aug 01 20:38:40 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/themes.php"] [unique_id "Vbzg@Gf3YKwAADLnX1EAAABK"]
    [Sat Aug 01 20:41:44 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-login.php"] [unique_id "VbzhsGf3YKwAADjzJCIAAAAz"]
    [Sat Aug 01 20:41:44 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-login.php"] [unique_id "VbzhsGf3YKwAADj8KmcAAAA8"]
    [Sat Aug 01 20:41:45 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/css/login.min.css"] [unique_id "VbzhsWf3YKwAADjwIksAAAAw"]
    [Sat Aug 01 20:41:46 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-login.php"] [unique_id "Vbzhsmf3YKwAADj8KmsAAAA8"]
    [Sat Aug 01 20:41:48 2015] [error] [client 123.252.231.21] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "6033"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "mysite.com"] [uri "/wp-admin/css/login.min.css"] [unique_id "VbzhtGf3YKwAADj7KbMAAAA7"]
Solution

  • Those are the old ways of turning off ModSecurity v1 and they don't work with v2, which I guess you're host is using as v1 is very, very old now and also because you are using the latest OWASP rules (2.2.9) which aren't compatible with v1.

    To remove the individual rules for ModSecurity v2, you can use the following in your .htaccess file (note the different IfModule statement):

    <IfModule mod_security2.c>
  SecRuleRemoveById 981319
  SecRuleRemoveById 981143
</IfModule>

    To turn ModSecurity off completely you should use:

    <IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>

    However that would mean you'd lose all the security protection that it offers, so I would recommend the first option. But you do need to keep an eye on this in case there are any future false positives like this.