[Owasp-modsecurity-core-rule-set] [mod-security-users] CRS3 WordPress Exclusions

Christian Folini christian.folini at netnea.com
Sat Nov 26 09:32:14 UTC 2016


Jason,

This is a core rule set question that you asked on the general
ModSecurity mailing list. I'll move over to the CRS
mailing list for a response:

The optional WordPress rule exclusions need to be activated in the
crs-setup.conf. There is not yet a blog post or detailed documentation
about it, but it basically follows the Drupal stuff, which I depicted
in this blog post this week:
https://www.netnea.com/cms/2016/11/22/securing-drupal-with-modsecurity-and-the-core-rule-set-crs3/

If you follow that documentation and apply it to WP you should be good.

What is central is that we are only covering the core stuff so far.
We have bigger plans, but this is only a start. There is a bunch of
additional rule exclusions being discussed on GitHub right now. So you
can expect to get a lot of improvement with subsequent point releases.

So far, you can install and publish and read articles without any
false positives. But the deeper you dig into the admin stuff, the
more likely you will encounter FPs.

Good luck - and let's move over to the CRS mailing list.

Cheers,

Christian



On Fri, Nov 25, 2016 at 08:12:16PM +0000, Jason Mull wrote:
> Hello,
>
> While reading over the mailing list post regarding the release of CRS3, I noticed mention of application-level exclusions for WordPress.  Is there anywhere I can find more info on this functionality (Where / how to enable, how to view / add exclusions)?
> 
> 
> Jason



-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini at netnea.com
twitter: @ChrFolini
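
A way to check whether the exclusions mentioned in the reply above are actually switched on in a given crs-setup.conf, as an added example that is not part of the original post or of the CRS project. The rule id 900130 and the `tx.crs_exclusions_*` variable names follow the commented-out SecAction in the CRS 3.0 crs-setup.conf.example and do not appear in the post; the sample configs and function names are constructed for illustration.

```python
import re

# Constructed samples in the layout of a CRS 3.0 crs-setup.conf (assumption:
# rule id and variable names as in crs-setup.conf.example, not from the post).
# Shipped default: the whole SecAction is commented out, exclusions are off.
SAMPLE_DISABLED = r'''
#SecAction \
# "id:900130,\
#  phase:1,nolog,pass,t:none,\
#  setvar:tx.crs_exclusions_drupal=1,\
#  setvar:tx.crs_exclusions_wordpress=1"
'''

# Enabled for WordPress only: uncommented, Drupal setvar dropped.
SAMPLE_ENABLED = r'''
SecAction \
 "id:900130,\
  phase:1,nolog,pass,t:none,\
  setvar:tx.crs_exclusions_wordpress=1"
'''

SETVAR = re.compile(r"setvar:'?tx\.crs_exclusions_(\w+)=(\d+)", re.I)

def active_directives(conf_text):
    """Yield each live directive as one string: join '\\' continuations, skip comments."""
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue                      # blank or comment outside a directive
        if line.endswith("\\"):
            buf += line[:-1] + " "        # continuation: keep collecting
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf                         # file ended in a dangling continuation

def enabled_exclusions(conf_text):
    """Return the application exclusion packages set to a non-zero value."""
    found = set()
    for directive in active_directives(conf_text):
        parts = directive.split(None, 1)
        if not parts or parts[0].lower() != "secaction":
            continue
        for app, value in SETVAR.findall(directive):
            if int(value) != 0:
                found.add(app.lower())
    return found
```

Run `enabled_exclusions(open(path).read())` against the deployed file; an empty set means the WordPress exclusions are still off and the admin-area false positives described above are to be expected in full.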

