ModSecurity Issues

Hello,

I’ve looked through the forums and I’ve seen several support requests related to ModSecurity, and I know I’ve had my fair share of them when saving modules with Beaver Builder. As hacks and malware infections increase and the number of WordPress sites grows, it seems that many more hosts are using ModSec as a software firewall… great (not sarcastic)… and great (sarcastic) for the number of false positives that come with it.

So, my hosting provider will allow us to disable rules (by contacting support) through the “LocationMatch” directive in the .conf file. The problem I’m having with Beaver Builder is that when the form submits and causes the false positive, it is submitting to the content page on the site. For instance, if I am on /contact-us/, the form post operation to update the module is being sent to /contact-us/. Thus, if I wanted to use LocationMatch to disable the rule, I would have to either do it using a regular expression (/*) for every page of the website, exposing the wp-admin/wp-content/wp-includes/etc. folders, or I would have to do a LocationMatch for every shortlink page that I use Beaver Builder on, which can be a lot of page shortlinks.

Is this something that your developers can look into… in terms of how Beaver Builder submits the page updates that are sent back and forth to the server as each module is saved? This may help several folks who run into modsec issues now or in the future…

Hope this makes sense,

Joe

Hey Joe,

Welcome to the BB forums! :slight_smile:

I’ve already assigned another member of the team who can assist you with your concern.

Ben

Hey Joe,

Sorry to hear about the ModSecurity issues. They can surely be a pain and have been the bane of my existence since we launched :slight_smile:

The reason we submit requests to the current page is that BB works similarly to WordPress in that it needs the global $post_id and current $wp_query for a number of things. In hindsight we might have been able to avoid doing it that way, but at the time it felt like we were doing it the “WordPress way” as they say.

Unfortunately, reworking that now would be quite an undertaking. Could you use a regular expression that targets all frontend pages and leaves everything else alone?

Justin

Hey Justin,

Thanks for this feedback. It was helpful and gave me an idea that I submitted to my hosting company. Given that the front-end editor is used on the post itself and I use pretty permalinks, it would seem to follow that a negative expression in LocationMatch to the effect of “disable these false positive modsec rules for any URL that does not contain .php” would work.

Does that logic seem reasonable?

When I hear back from the hosting company, I will post the results here.

Thanks,

Joe
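Joe's "any URL that does not contain .php" idea, written out as an Apache 2.4 / ModSecurity 2.x exclusion. This is an added example, not configuration from the thread, the host, or Beaver Builder; the rule IDs 999001 and 999002 are placeholders, and the assumption is that pretty permalinks are in use so that every front-end page path is free of ".php".

```apache
# Added example (not from the thread or from Beaver Builder).
# Scope the exclusion to front-end pretty-permalink paths only: the negative
# lookahead rejects any path containing ".php", so /wp-login.php, /xmlrpc.php
# and /wp-admin/*.php keep the full rule set. LocationMatch tests the path
# only, not the query string.
<LocationMatch "^(?!.*\.php)/.*">
    <IfModule mod_security2.c>
        # 999001 / 999002 are placeholders. Take the real IDs from the
        # [id "..."] field of the audit-log entry for the blocked module save
        # (the "Message:" line in the section H of modsec_audit.log).
        SecRuleRemoveById 999001 999002
    </IfModule>
</LocationMatch>
```

After reloading Apache, confirm the scope with a module save on a content page (should no longer be blocked) and a request to a .php path that previously tripped the same rule (should still be logged), so the exclusion is known to cover only the front-end editor.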

Hey Joe,

You’re welcome! That sounds reasonable to me. Let me know how it goes.

Justin

What if you used a WP rewrite endpoint such as “/bb-ajax/” which you posted to? You wouldn’t need to tweak any backend logic, just the _ajaxUrl function in fl-builder.js
