Web Application Firewall Blocking Elementor

September 13, 2023
By Jasper Frumau
DevOps

Was dealing with Elementor 403 issues and found out Apache Mod security was blocking things reading the logs. See logs below:

2023-09-12 06:01:35	Error	xxxx:xxxx:1001:f8dc:ec06:c64e:c4c5:9f49		[client xxxx:xxxx:1001:f8dc:ec06:c64e:c4c5:9f49] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(?:\\\\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)|\\\\$_(?:session|(?:ge| ..." at RESPONSE_BODY. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||staging.domain.nl|F|3"] [data "Matched Data: call_user_func found within RESPONSE_BODY: <!DOCTYPE html>\\x0d\\x0a<html lang=\\x22nl-NL\\x22>\\x0d\\x0a<head>\\x0d\\x0a<meta charset=\\x22UTF-8\\x22>\\x0d\\x0a<meta name=\\x22viewport\\x22 content=\\x22width=device-width, initial-scale=1\\x22>\\x0d\\x0a<link rel=\\x22profile\\x22 href=\\x22https://gmpg.org/xfn/11\\x22>\\x0d\\x0a\\x0d\\x0a<title>FPD products &#8211; domain</title>\\x0a<meta name='robots' content='noindex, nofollow' />\\x0a<link rel='dns-prefetch' href='//stats.wp.com' />\\x0a<lin [hostname "staging.domain.nl"] [uri "/index.php"] [unique_id "ZP-intSbLAZgSve2kf6qCgAAAM8"], referer: https://staging.domain.nl/wp-admin/admin.php?page=elementor-app&ver=3.15.3				Apache error
2023-09-12 06:01:35	Error	xxxx:xxxx:1001:f8dc:ec06:c64e:c4c5:9f49		[client xxxx:xxxx:1001:f8dc:ec06:c64e:c4c5:9f49] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|staging.domain.nl|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "staging.domain.nl"] [uri "/index.php"] [unique_id "ZP-intSbLAZgSve2kf6qCgAAAM8"], referer: https://staging.domain.nl/wp-admin/admin.php?page=elementor-app&ver=3.15.3

So I had to add the IDs to the Web Application Firewall of Plesk to exclude them

Jasper Frumau

Jasper has been working with web frameworks and applications such as Laravel, Magento and his favorite CMS WordPress including Roots Trellis and Sage for more than a decade. He helps customers with web design and online marketing. Services provided are web design, ecommerce, SEO, content marketing. When Jasper is not coding, marketing a website, reading about the web or dreaming the internet of things he plays with his son, travels or run a few blocks.