
Web Application Firewall Blocking Elementor

By Jasper Frumau

I was dealing with Elementor 403 issues and, reading the logs, found out that Apache ModSecurity was blocking things. See the logs below:

2023-09-12 06:01:35	Error	xxxx:xxxx:1001:f8dc:ec06:c64e:c4c5:9f49		[client xxxx:xxxx:1001:f8dc:ec06:c64e:c4c5:9f49] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(?:\\\\b(?:call_user_func|f(?:get(?:c|s{0,1}s)|open|read|scanf|tp_(?:nb_){0,1}f{0,1}(?:ge|pu)t|write)|gz(?:compress|open|read|(?:encod|writ)e)|move_uploaded_file|read(?:dir|(?:gz){0,1}file)|s(?:candir|ession_start)|(?:bz|proc_)open)|\\\\$_(?:session|(?:ge| ..." at RESPONSE_BODY. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||staging.domain.nl|F|3"] [data "Matched Data: call_user_func found within RESPONSE_BODY: <!DOCTYPE html>\\x0d\\x0a<html lang=\\x22nl-NL\\x22>\\x0d\\x0a<head>\\x0d\\x0a<meta charset=\\x22UTF-8\\x22>\\x0d\\x0a<meta name=\\x22viewport\\x22 content=\\x22width=device-width, initial-scale=1\\x22>\\x0d\\x0a<link rel=\\x22profile\\x22 href=\\x22https://gmpg.org/xfn/11\\x22>\\x0d\\x0a\\x0d\\x0a<title>FPD products &#8211; domain</title>\\x0a<meta name='robots' content='noindex, nofollow' />\\x0a<link rel='dns-prefetch' href='//stats.wp.com' />\\x0a<lin [hostname "staging.domain.nl"] [uri "/index.php"] [unique_id "ZP-intSbLAZgSve2kf6qCgAAAM8"], referer: https://staging.domain.nl/wp-admin/admin.php?page=elementor-app&ver=3.15.3				Apache error
2023-09-12 06:01:35	Error	xxxx:xxxx:1001:f8dc:ec06:c64e:c4c5:9f49		[client xxxx:xxxx:1001:f8dc:ec06:c64e:c4c5:9f49] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|staging.domain.nl|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "staging.domain.nl"] [uri "/index.php"] [unique_id "ZP-intSbLAZgSve2kf6qCgAAAM8"], referer: https://staging.domain.nl/wp-admin/admin.php?page=elementor-app&ver=3.15.3

So I had to add the IDs to the Web Application Firewall of Plesk to exclude them.
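
To pull the rule IDs out of log lines like the ones above before adding exclusions, a small parser helps. This is an added example, not part of the original post: the sample lines are constructed from the log format shown above, and the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the log format shown above. The client
# address is a documentation address; line 1 keeps the truncated [data "... field.
SAMPLE_LOG = r'''
[client 2001:db8::1] ModSecurity: Access denied with code 403 (phase 4). Pattern match "..." at RESPONSE_BODY. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/16_Outgoing_FilterPHP.conf"] [line "17"] [id "214620"] [rev "1"] [msg "COMODO WAF: PHP source code leakage||staging.domain.nl|F|3"] [data "Matched Data: call_user_func found within RESPONSE_BODY: <!DOCTYPE html>\\x0d\\x0a<lin [hostname "staging.domain.nl"] [uri "/index.php"] [unique_id "EXAMPLE"]
[client 2001:db8::1] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|staging.domain.nl|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "staging.domain.nl"] [uri "/index.php"] [unique_id "EXAMPLE"]
[client 2001:db8::1] AH01630: client denied by server configuration: /var/www/example
'''

ACTION_RE = re.compile(r'ModSecurity: (Access denied|Warning)')
# [key "value"] pairs; a value may contain backslash escapes but no bare quote,
# so a truncated field (no closing quote) is skipped instead of eating later fields.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return one ModSecurity hit as a dict, or None for unrelated log lines."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # keep first occurrence; [tag] may repeat
    if "id" not in fields:
        return None
    return {
        "id": fields["id"],
        "denied": action.group(1) == "Access denied",
        "msg": fields.get("msg", "").split("|")[0],
        "file": fields.get("file", "").rsplit("/", 1)[-1],
        "target": fields.get("hostname", "") + fields.get("uri", ""),
    }

def summarize(log_text):
    """Group hits by rule ID so each candidate exclusion can be reviewed."""
    rules = {}
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        rule = rules.setdefault(hit["id"], {"denied": False, "msg": hit["msg"],
                                            "file": hit["file"], "targets": set(), "hits": 0})
        rule["denied"] = rule["denied"] or hit["denied"]
        rule["targets"].add(hit["target"])
        rule["hits"] += 1
    return rules

if __name__ == "__main__":
    for rule_id, rule in sorted(summarize(SAMPLE_LOG).items()):
        verdict = "DENIED" if rule["denied"] else "warning"
        print(rule_id, verdict, rule["file"], rule["msg"], sorted(rule["targets"]), rule["hits"])
```

The summary separates the rule that actually denied the request (214620) from the one that only logged a warning (214940), so the exclusion can be kept as narrow as possible.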
