
WordPress mod security2 fix

Is this the best solution?


rocknbil

10:17 pm on Aug 19, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

This really is a WordPress issue, I'll cross link it because I know a lot of WP users will need this.

Problem: Using the Flash Uploader in WordPress, it hangs at "crunching" and displays the second most helpful <sarc> error ever: "Http error." (The first being a 500 error)

This issue is due to this mod_security rule, which disallows all shockwave/flash agents:

SecRule HTTP_User-Agent "^Shockwave Flash"

and prevents async-upload.php from running.

Environment: Dedicated Liquid Web server, WHM 11.30.2 (build 1) CentOS 5.5 x86_64 - alter your steps accordingly for other servers.

Previous solution: mod_security allows you to drop per-domain/directory .htaccess directives for this fix; you'll find them all over the net. This is not supported by mod_security2 (spent most of my time finding this out . . . .)

The fix (and, is this the best solution?)

I was most concerned about updates to WHM overwriting my changes, (May still happen) and didn't want to disable this rule for any other requests to this box.

First, make sure this is the problem. :-) Navigate to Plugins->mod_security and you will see this in the mod_security logs:

/wp-admin/async-upload.php HTTP/1.1 [sitname] Access denied with code 406 (phase 2). Pattern match "^Shockwave Flash" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"]

If you see something like that, click the edit button, locate this line - there were no IDs set on this rule, so I changed it like so:

#SecRule HTTP_User-Agent "^Shockwave Flash"
SecRule HTTP_User-Agent "^Shockwave Flash" "id:345343245"

Save this in WHM, no changes have taken effect yet.

At the head of this config are a series of includes . . . . I used the custom one in hopes it doesn't get nuked on update:

Include "/usr/local/apache/conf/modsec2/custom.conf"

SSH to the box,

cd /usr/local/apache/conf/modsec2/
pico custom.conf

it's probably empty; paste in

<LocationMatch "/wp-admin/async-upload.php">
SecRuleRemoveById 345343245
</LocationMatch>

CTRL+O (not zero) to save.

Reboot the server for the changes to take effect, the Flash uploader now works.

I couldn't find a way to kill this rule for async-upload.php and didn't want to turn off mod_security on the entire directory . . . did I miss a better approach?
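The two config pieces from the post written out in full, as an added example (not the poster's own files), plus a second way to scope the exemption that needs no <LocationMatch> block. The rule id 345343245 and the path are from the post; the id 345343246, the explicit action list on the stock rule, and the anchored regex are constructed here.

```apache
# Added example, not from the original post.
# Rule id 345343246, the explicit action list and the anchored regex are
# constructed here; 345343245 and the async-upload.php path come from the post.

# --- modsec2.user.conf: the stock rule, now carrying an id so it can be
#     referenced. The stock copy has no action list and inherits
#     SecDefaultAction; the mod_security log shows that as phase 2 / 406. ---
SecRule REQUEST_HEADERS:User-Agent "^Shockwave Flash" \
    "id:345343245,phase:2,deny,status:406,log,msg:'Flash user agent blocked'"

# --- custom.conf, option A: what the post does. Anchoring the regex keeps
#     the exemption from matching any longer path that merely contains the
#     string (LocationMatch takes a regex, and '.' matches any character). ---
<LocationMatch "^/wp-admin/async-upload\.php$">
    SecRuleRemoveById 345343245
</LocationMatch>

# --- custom.conf, option B: the same exemption as a rule. A phase-1 rule runs
#     before the phase-2 block rule, and ctl:ruleRemoveById switches that rule
#     off for the current request only; every other URL on the box still has
#     the Flash user-agent rule active. ---
SecRule REQUEST_FILENAME "@endsWith /wp-admin/async-upload.php" \
    "id:345343246,phase:1,pass,nolog,ctl:ruleRemoveById=345343245"
```

Run `apachectl configtest` after editing custom.conf and before restarting httpd; a typo in an included conf file stops Apache from starting, and a restart of httpd (not a full reboot) is enough to load the change.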