I rented a barebone server, installed CentOS 7, then CentOS Web Panel, with the server set to Apache only, using Apache 2.4.4x and PHP 7.

I set up a WordPress site on one of the vhosts. After editing for a while, when I tried to view the site on my mobile phone, I discovered that it was getting 403 Forbidden. I also checked some different computers at different sites; strangely, it seems only the browser I am using to edit the site can view it.

I am using Chrome. I had been using Firefox to edit in the process; I tried Firefox again and it works. But after I refreshed Firefox to factory settings, it also gives 403. I tried using Chrome in incognito; it does not reproduce the problem.

I have set all files to 644 and all directories to 755.

And on my mobile, it doesn't matter whether I am using Wi-Fi or the mobile network; it's all 403.

I use a meta refresh in index.html to redirect traffic to the WordPress site at site/.

Below is an excerpt of the logs while 403 is returned:

==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:38 +0800] "GET / HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

==> example.com.error.log <==
[Sat Nov 07 08:31:39.815669 2020] [:error] [pid 18537:tid 140088488527616] [client YYY.YYY.232.181:51246] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq62SIpp9t4B3qVX2@-QAAAMU"]

==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:39 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

==> example.com.error.log <==
[Sat Nov 07 08:31:45.131170 2020] [:error] [pid 18537:tid 140088293922560] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/site"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]

==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /site HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

==> example.com.error.log <==
[Sat Nov 07 08:31:45.222926 2020] [:error] [pid 18537:tid 140088403027712] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-wAAAMc"]

==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:12 +0800] "GET /site/ HTTP/1.1" 200 58190 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"

1 Answer


This is not about web browsers nor file permissions, but about false positive detections by the ModSecurity Web Application Firewall (WAF). I've just added line breaks to make it more readable:

ModSecurity: Access denied with code 403 (phase 2). 
Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" 
[file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] 
[line "157"] 
[id "981172"] 
[rev "2"] 
[msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] 
[data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] 
[maturity "9"] 
[accuracy "8"] 
[hostname "www.example.com"] 
[uri "/site"] 
[unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]

It's common that a CMS like WordPress has functionality that would normally be unwanted in web applications, but necessary for updating web page contents, e.g. adding HTML, JavaScript or even SQL. The trick is to make exceptions that enable you to use this functionality without allowing anyone to do just anything. This means the exceptions must be narrowed down to just prevent the false positives.

In the past, this required looking for the [id "???"] [uri "/?"] pairs in the error logs and adding exceptions like:

<LocationMatch "/wp-login.php">
  SecRuleRemoveById 950007 950109 950117 950120 950901 981143 981172 981173 970901 970903
</LocationMatch>

<LocationMatch "/wp-content">
  SecRuleRemoveById 950007 950120 958231 970903 981172
</LocationMatch>

With more recent OWASP CRS this has become more straightforward, as you can just configure the exceptions in crs-setup.conf:

# Modify and uncomment this rule to select which application:
#SecAction \
# "id:900130,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.crs_exclusions_drupal=1,\
#  setvar:tx.crs_exclusions_wordpress=1,\
#  setvar:tx.crs_exclusions_nextcloud=1,\
#  setvar:tx.crs_exclusions_dokuwiki=1,\
#  setvar:tx.crs_exclusions_cpanel=1"

So, for enabling WordPress exclusion rules, this would become:

# Enable the WordPress exclusion rules
SecAction \
 "id:900130,phase:1,nolog,pass,t:none,\
  setvar:tx.crs_exclusions_wordpress=1"
Esa Jokinen
Thank you Esa, I later followed the guide https://stackoverflow.com/questions/38851522/mod-security-rule-981203-false-positive/38858866#38858866 to disable that rule instead, but yours may be a more correct solution. I added the line `SecRuleUpdateTargetById 981172 !REQUEST_COOKIES:__gads` – Jimmy Chi Kin Chau Nov 07 '20 at 10:37
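
As an added example (not part of the original answer or comment): a Python script that does the log triage described in the answer, pulling the rule id, matched variable and URI out of ModSecurity error-log lines, and replays rule 981172's character class against the `__gads` value to show why it tripped. The sample lines are constructed, shortened copies of the entries in the question, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Character class of rule 981172 (OWASP CRS 2.2.9), unescaped from the logged pattern.
SPECIAL = r"""[~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>]"""
RULE_981172 = re.compile("(" + SPECIAL + ".*?){8,}")

# Constructed sample: the cookie value from the question's log, placed in
# shortened log lines that keep only the fields parsed below.
GADS = ("ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:"
        "RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg")
LINE = ('[:error] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 '
        '(phase 2). Pattern match "..." at REQUEST_COOKIES:__gads. [id "981172"] '
        '[data "Matched Data: = found within REQUEST_COOKIES:__gads: {v}"] [uri "{u}"]')
SAMPLE_LOG = [LINE.format(v=GADS, u=u) for u in ("/favicon.ico", "/site", "/favicon.ico")]

FIELDS = re.compile(r'" at (?P<target>[A-Z_]+(?::[^\s.]+)?)\..*?\[id "(?P<id>\d+)"\]'
                    r'.*?found within \S+: (?P<value>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]')

def blocked_pairs(lines):
    """Map (rule id, matched variable) -> set of URIs where that pair caused a 403."""
    pairs = defaultdict(set)
    for line in lines:
        m = FIELDS.search(line)
        if m and "Access denied" in line:
            pairs[(m["id"], m["target"])].add(m["uri"])
    return dict(pairs)

def target_exclusions(lines):
    """One directive per pair: the rule stays enabled, only that variable is skipped."""
    return ["SecRuleUpdateTargetById %s !%s" % pair for pair in sorted(blocked_pairs(lines))]

def special_count(value):
    """How many characters of value fall in the rule's 'SQL special' class."""
    return len(re.findall(SPECIAL, value))

if __name__ == "__main__":
    for (rule, target), uris in blocked_pairs(SAMPLE_LOG).items():
        print(rule, target, sorted(uris))
    print("special characters in __gads:", special_count(GADS),
          "rule matches:", bool(RULE_981172.search(GADS)))
    print("\n".join(target_exclusions(SAMPLE_LOG)))
```

The same pair firing on both `/site` and `/favicon.ico` shows the trigger is the cookie, which the browser sends with every request, so an exclusion scoped to that variable covers it while the rule keeps inspecting everything else.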