I like to keep my server as secure as possible, but WordPress HATES ModSecurity. Here is a list of rules to make your life 1,000x easier if you're trying to configure ModSecurity to work with WordPress:

<LocationMatch "/wp-admin/async-upload.php">
SecRuleRemoveById 200004
</LocationMatch>

<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 932130
SecRuleRemoveById 932140
SecRuleRemoveById 941100
SecRuleRemoveById 941150
SecRuleRemoveById 941160
SecRuleRemoveById 941200
SecRuleRemoveById 941310
SecRuleRemoveById 941350
SecRuleRemoveById 942250
SecRuleRemoveById 949110
SecRuleRemoveById 980130
SecRuleRemoveById 932150
SecRuleRemoveById 944140
SecRuleRemoveById 941140
SecRuleRemoveById 942190
SecRuleRemoveById 932115
SecRuleRemoveById 932110
</LocationMatch>

<LocationMatch "/wp-content/themes/uncode/core/inc/uncode-ajax.php">
SecRuleRemoveById 941160
</LocationMatch>

<LocationMatch "/xmlrpc.php">
SecRuleRemoveById 933100
SecRuleRemoveById 941100
SecRuleRemoveById 949110
SecRuleRemoveById 980130
SecRuleRemoveById 941160
SecRuleRemoveById 941350
</LocationMatch>

<LocationMatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 932130
SecRuleRemoveById 932140
SecRuleRemoveById 941100
SecRuleRemoveById 941150
SecRuleRemoveById 941160
SecRuleRemoveById 941200
SecRuleRemoveById 941310
SecRuleRemoveById 941350
SecRuleRemoveById 942250
SecRuleRemoveById 932150
SecRuleRemoveById 941140
SecRuleRemoveById 942190
</LocationMatch>

<LocationMatch "/wp-admin/options.php">
SecRuleRemoveById 932150
SecRuleRemoveById 949110
SecRuleRemoveById 980130
SecRuleRemoveById 941120
</LocationMatch>

Add these to exclude.conf in your base ModSecurity configuration directory (I keep mine at "/etc/modsecurity/", but yours could be anywhere; try whereis modsecurity and see if it returns the location).
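
A quick way to review an exclusion file like this before loading it, as an added example that is not part of the original post: the script below lists the rule IDs each LocationMatch block removes and flags repeated IDs, curly quotes pasted from a web page, and removal of 949110 or 980130. It assumes the 9xxxxx IDs come from the OWASP Core Rule Set 3.x running in anomaly-scoring mode; the function name audit and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# CRS 3.x rules that act on the anomaly score instead of detecting an attack (assumed CRS 3.x).
SCORING = {949110: "anomaly-score blocking is off for this location",
           980130: "anomaly-score summary logging is off for this location"}
OPEN = re.compile(r"<\s*LocationMatch\s+(.+?)\s*>", re.I)
CLOSE = re.compile(r"</\s*LocationMatch\s*>", re.I)
REMOVE = re.compile(r"SecRuleRemoveById\s+(.+)", re.I)
CURLY = "\u201c\u201d"

def audit(conf_text):
    """Map each LocationMatch pattern to its removed rule ids and findings."""
    report, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := OPEN.match(line):
            pattern = m.group(1)
            current = pattern.strip('"' + CURLY)
            report[current] = {"ids": [], "findings": []}
            if any(c in pattern for c in CURLY):
                report[current]["findings"].append(
                    "curly quotes in pattern: they become part of the regex")
        elif CLOSE.match(line):
            current = None
        elif current and (m := REMOVE.match(line)):
            # Plain numeric ids only; id ranges (a-b) are skipped, not expanded.
            report[current]["ids"] += [int(t) for t in m.group(1).split() if t.isdigit()]
    for entry in report.values():
        counts = Counter(entry["ids"])
        dupes = sorted(i for i, n in counts.items() if n > 1)
        if dupes:
            entry["findings"].append(f"duplicate ids: {dupes}")
        for rid in sorted(set(counts) & SCORING.keys()):
            entry["findings"].append(f"{rid} removed: {SCORING[rid]}")
        entry["ids"] = sorted(counts)
    return report

# Constructed sample, abridged from the exclusion list on this page.
SAMPLE = """
<locationmatch \u201c/wp-admin/post.php\u201d>
SecRuleRemoveById 941100
SecRuleRemoveById 949110
SecRuleRemoveById 941100
</locationmatch>
<locationmatch "/wp-admin/async-upload.php">
SecRuleRemoveById 200004
</locationmatch>
"""

if __name__ == "__main__":
    for location, entry in audit(SAMPLE).items():
        print(location, entry["ids"], *entry["findings"], sep="\n  ")
```

Where a block removes 949110, the detection rules listed beside it can still log but CRS no longer blocks on the inbound score for that path, so those locations are the ones to review first.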