
Tuesday, 20 March 2012

mod_security In WordPress




A few days ago a topic came up that is worth the attention of every WordPress user: mod_security on the server, which affects every website hosted there, yours included.

First, a short introduction to ModSecurity. It is a web application firewall module that protects the web applications you build against a whole range of attacks, SQL injection among them: a visitor can put SQL commands into a $_GET or $_POST variable and see what happens, for example by sending

DROP TABLE ......

which can cost you one of your MySQL tables if the application concatenates that input into a query. ModSecurity runs as a module embedded in the web server and acts as the first line of defence against attacks that your site's visitors may attempt.

The module inspects, and can reject, every REQUEST from a visitor based on a variety of criteria: CGI variables, HTTP headers, environment variables, even the individual parameters of a script. It can also keep an audit log that saves the full details of each REQUEST in a separate file, including the POST body (auditing can be enabled or disabled per server or per directory). When a request matches a rule, what the visitor sees depends on how the server is configured: by default ModSecurity refuses the request with an error response (403 Forbidden), and some hosts redirect the visitor to another page instead. More documentation and information about ModSecurity is on its official site.
So what does this have to do with WordPress? Isn't it just a server setting? Yes, it is just one feature of the web server that protects your site from attacks by idle visitors. But mod_security treats you, the site owner, as just another visitor, even when you are logged in to wp-admin. Some of my clients with WordPress sites have run into problems when saving or publishing a new post: the moment they save or publish, they are sent to a "404 - Page Not Found" page. A strange problem, right?

What actually happens is this: when you submit a new post, the server checks everything you send in the REQUEST, the $_POST fields, the headers and so on. If it passes validation, the request goes through; if not, as I said, you are sent to whatever page the server uses for rejected requests (in my client's case, the 404 page).

Solutions and Tricks for mod_security

The simplest way around this is to turn mod_security off temporarily while you post the problematic content and turn it back on when you are done. If your site is on a virtual (shared) server and the host lets you switch mod_security on and off from .htaccess, you are one of the lucky ones :).

To do this, connect to your server over FTP, go to the public_html folder, open the .htaccess file in a text editor and add the following lines to it:
 
 
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterPost Off
</IfModule>
 
Then save .htaccess. Test first by opening the front page of your website: if nothing goes wrong, such as an "Internal Server Error", it is safe to go on and try to publish or save the draft that was failing. If the post now saves without problems, you are done. If it does not work, or you get an "Internal Server Error", try the following configuration instead. (Note that SecFilterEngine and SecFilterPost are ModSecurity 1.x directives; on a server running ModSecurity 2.x the module is called mod_security2.c and does not know these directives, so the block above is skipped silently and has no effect.)
 
<IfModule mod_env.c>
SetEnv MODSEC_ENABLE Off
PassEnv MODSEC_ENABLE
</IfModule>
 
Save that to .htaccess and repeat the same test. If it works, your problem is solved; if not, you are out of luck :D. (This second variant is not a standard ModSecurity directive: it only helps when the host's rule set is written to honour the MODSEC_ENABLE variable.) The last resort is to go through the content of your post piece by piece and find the sentence that trips the filter.

I emphasize again: if the configurations above do not work, it means your hosting provider installed mod_security to protect every website on its servers and does not let individual sites override it. And if you do turn mod_security off for your site and the site is then damaged by an attack, that is your own responsibility.
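Turning the engine off for the whole site, as the .htaccess snippets above do, also removes the protection for every anonymous visitor. The following configuration is an added example, not from the original post or from the kongcreate source, written in ModSecurity 2.x syntax (the SecFilter* directives above belong to 1.x). It belongs in the virtual host or server configuration, because Location blocks are not allowed in .htaccess and ModSecurity 2.x only reads its directives from .htaccess if the host built and enabled that support. It shows three levels of the same fix: the blunt global switch-off, disabling the engine only for the wp-admin scripts that receive post content, and removing a single rule by ID. The rule ID 950000 is a placeholder: the real ID is the one the audit log records for your rejected save, and is not something this post can supply.

```apache
# Added example, ModSecurity 2.x. Place in the vhost or server config.
<IfModule mod_security2.c>
    # Level 1 (blunt): same effect as "SecFilterEngine Off" for the whole site.
    # Every visitor's request then goes unchecked. Commented out on purpose.
    # SecRuleEngine Off

    # Level 2: keep the WAF on for visitors, switch it off only where a
    # logged-in author submits post content.
    <LocationMatch "^/wp-admin/(post|post-new|admin-ajax)\.php$">
        SecRuleEngine Off
    </LocationMatch>

    # Level 3 (preferred): keep everything on, drop only the rule that the
    # audit log shows for the rejected save. 950000 is a placeholder ID.
    <LocationMatch "^/wp-admin/post\.php$">
        SecRuleRemoveById 950000
    </LocationMatch>
</IfModule>
```

To find the ID for level 3, set SecRuleEngine DetectionOnly on the same location for one save attempt: the request goes through, and the audit log records which rule would have blocked it.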

Manual search
 
If you cannot disable mod_security with the two configurations above, what then? You can work out by hand what makes the server refuse your REQUEST. Remember that mod_security rejects a request because it contains a combination of words that it considers suspicious. You can ask your host which rule was hit, but they may not tell you. If they do, you may still need to interpret the information before you understand which word combinations your server rejects; how to read it is explained in the mod_security documentation on the official website.


If your host will not tell you which combinations of words are disallowed, the remaining option is to work out for yourself which word combination in your post is being rejected. This is trial and error: submit the problematic post one paragraph at a time and save it; if that works, add the next paragraph, and so on until you reach the paragraph that fails. Then check that paragraph for words or combinations of words your host considers suspicious, for example the following PHP call:
 
include_()
 
 
will be rejected by most servers (I added the underscore on purpose so that the server would accept my REQUEST :P). The trick is to change one letter or character of the offending word into its HTML entity; you can find a list of HTML entities here. That is roughly the trick. If you have other tricks, please share them in the comments; I hope this is useful ;).
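The paragraph-by-paragraph search described above can be made systematic. The script below is an added example, not code from the original post or from the kongcreate source. It stands in for the host's undisclosed rule set with two constructed patterns (a SQL DROP TABLE and a PHP include call, the two triggers the post names), narrows a constructed sample post down to the shortest run of words that is still rejected, using binary search so that far fewer save attempts are needed than one per word, and then applies the post's HTML-entity trick to the flagged fragment. The last check shows the caveat a practitioner should know: a rule that decodes entities before matching (ModSecurity's t:htmlEntityDecode transformation does exactly that) catches the encoded fragment anyway, so the trick only beats rules that match the raw text. Against a real server, replace is_blocked() with a function that submits the text and reports whether the save was rejected.

```python
import html
import re
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for the host's rule set (the real rules are usually
# not disclosed). The two patterns model the triggers the post names.
CONSTRUCTED_RULES = [
    ("sql-drop-table", re.compile(r"\bdrop\s+table\b", re.I)),
    ("php-include", re.compile(r"\binclude\s*\(", re.I)),
]

# Constructed sample post: the second paragraph carries a PHP include() call.
SAMPLE_POST = """Today I want to show a small PHP helper.

First make sure the config file exists, then include("config.php") at the top.

That is all for today."""


def is_blocked(text: str, normalize: bool = False) -> bool:
    """Simulate the WAF verdict for one request body.

    normalize=True models a rule that decodes HTML entities before matching,
    as ModSecurity's t:htmlEntityDecode transformation does.
    """
    if normalize:
        text = html.unescape(text)
    return any(rule.search(text) for _, rule in CONSTRUCTED_RULES)


def _min_prefix_end(words: List[str], lo: int, blocked: Callable[[str], bool]) -> int:
    """Smallest hi such that words[lo:hi] is still blocked.

    Binary search is valid because the rules match substrings: if a fragment
    is blocked, every longer fragment that contains it is blocked as well.
    """
    a, b = lo + 1, len(words)
    while a < b:
        mid = (a + b) // 2
        if blocked(" ".join(words[lo:mid])):
            b = mid
        else:
            a = mid + 1
    return a


def _max_start(words: List[str], hi: int, blocked: Callable[[str], bool]) -> int:
    """Largest lo such that words[lo:hi] is still blocked."""
    a, b = 0, hi - 1
    while a < b:
        mid = (a + b + 1) // 2
        if blocked(" ".join(words[mid:hi])):
            a = mid
        else:
            b = mid - 1
    return a


def find_trigger(text: str,
                 blocked: Callable[[str], bool] = is_blocked
                 ) -> Tuple[Optional[str], int]:
    """Return (shortest blocked word run, number of save attempts used).

    Each call to `blocked` stands for one attempt to save the post; against
    a real server that is one HTTP request, so fewer calls is better.
    """
    attempts = 0

    def probe(fragment: str) -> bool:
        nonlocal attempts
        attempts += 1
        return blocked(fragment)

    if not probe(text):
        return None, attempts
    # Phase 1: the post's own method, paragraph by paragraph, to find the
    # first paragraph that is rejected on its own (whole text if none is).
    paragraphs = [p for p in text.split("\n\n") if p.strip()]
    guilty = next((p for p in paragraphs if probe(p)), text)
    # Phase 2: binary search inside that paragraph for the shortest word run.
    words = guilty.split()
    hi = _min_prefix_end(words, 0, probe)
    lo = _max_start(words, hi, probe)
    return " ".join(words[lo:hi]), attempts


def entity_obfuscate(fragment: str) -> str:
    """The post's trick: write the first character of the flagged word as an
    HTML entity so a rule matching the literal token no longer sees it.
    WordPress stores the entity and the browser renders the original character."""
    return "&#%d;" % ord(fragment[0]) + fragment[1:]


if __name__ == "__main__":
    fragment, attempts = find_trigger(SAMPLE_POST)
    print("rejected fragment:", fragment, "found in", attempts, "attempts")
    if fragment:
        encoded = entity_obfuscate(fragment)
        print("raw-text rule blocks encoded form:", is_blocked(encoded))
        print("entity-decoding rule blocks it:", is_blocked(encoded, normalize=True))
```

The binary search relies on the rule being a substring or regex match on the raw text; a rule that counts occurrences or checks request length is not monotone in that sense, and for those the paragraph-at-a-time method from the post is the safer route.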
 
 
Source : kongcreate


 