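# REQUEST-00-LOCAL-WHITELIST.conf
#
# Local rule exclusions evaluated ahead of the CRS. Every entry is a
# non-blocking rule (pass) that uses ctl: actions to drop CRS rules, by id or
# by tag, for the matching request. ctl:ruleEngine=Off switches inspection
# off for that request entirely, so those entries are the broadest
# exceptions in this file and deserve the narrowest match they can get.
#
# Maintainer notes (ModSecurity semantics):
#  - A rule with no phase: defaults to phase 2. An exclusion only affects
#    rules that have not run yet, so phase:1 is used unless the rule has to
#    read body parameters (POST/JSON ARGS), which exist only from phase:2.
#  - @pm is a literal phrase match (whitespace separates phrases); it is not
#    a regex, so regex syntax inside an @pm argument is matched literally.
#  - "allow" with no argument ends processing of the whole transaction
#    (all remaining phases, request and response). It is kept only where a
#    full bypass is the stated intent (id 1021); elsewhere "pass" is used so
#    the ctl: exclusions are what actually limit the exemption.
#  - Exclusions keyed on User-Agent or Referer (1002, 1011, 1012, 1016,
#    1018, 1036, 1040, 1049) rest on client-supplied headers; where the
#    integration has a fixed endpoint, chaining a REQUEST_URI check keeps
#    the exemption from applying to arbitrary requests carrying that header.

# Whitelist Piwik from RFI checks
SecRule REQUEST_URI "@pm /piwik.php" "id:1001,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-rfi"

# autodiscover.xml: don't block known mail UAs. Don't want to F2B customers.
# phase:1 added so the exclusion also covers phase-1 rules (was unphased = phase 2).
SecRule REQUEST_HEADERS:User-Agent "@pm Office MacOutlook Android-SAMSUNG-SM-" "id:1002,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli"
SecRule REQUEST_URI "@pm /autodiscover/autodiscover.xml" "id:1003,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveById=941100-941380"

# wc-ajax exempt from SQLi
SecRule REQUEST_URI "@pm /?wc-ajax" "id:1004,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli"

# Whitelist for ManageWP requests (unphased = phase 2; needed because the
# chained ARGS_NAMES check must see body parameters).
SecRule REQUEST_URI "@pm wp-load.php" "chain,id:1005,pass,nolog,ctl:ruleRemoveByTag=attack-sqli"
    SecRule ARGS_NAMES "mwprid"

# WordPress admin-ajax and admin pages exempt from attack rules.
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "id:1006,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-rfi,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-generic"
SecRule REQUEST_URI "@pm /wp-admin/admin.php" "id:1007,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-lfi,ctl:ruleRemoveByTag=attack-rfi,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-generic"
SecRule REQUEST_URI "@pm /wp-admin/post.php" "id:1009,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-lfi,ctl:ruleRemoveByTag=attack-rfi,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-generic"
SecRule REQUEST_URI "@pm /wp-admin/options.php" "id:1010,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-lfi,ctl:ruleRemoveByTag=attack-rfi,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-generic"
SecRule REQUEST_URI "@pm /wp-admin/edit.php" "id:1015,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-lfi,ctl:ruleRemoveByTag=attack-rfi,ctl:ruleRemoveByTag=attack-rce,ctl:ruleRemoveByTag=attack-generic"

# WordPress: whitelist AliExpress dropship plugin (explicit phase and pass;
# the original relied on SecDefaultAction for both).
SecRule REQUEST_URI "@pm /wp-json/woocommerce_aliexpress_dropship/" "id:1008,phase:1,pass,ctl:ruleRemoveById=1990070"

# WordPress whitelists vs. RCE
SecRule REQUEST_HEADERS:Referer "@pm /options-general.php" "id:1011,phase:1,pass,ctl:ruleRemoveByTag=attack-rce"
SecRule REQUEST_HEADERS:Referer "@pm /admin.php?page=layerslider&action" "id:1012,phase:1,pass,ctl:ruleRemoveByTag=attack-rce"
# ctl action name spelled canonically (was "ruleRemovebyTag") in 1013/1014.
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "chain,id:1013,phase:2,pass,ctl:ruleRemoveByTag=attack-rce"
    SecRule ARGS:query "@pm timeout"
SecRule REQUEST_URI "@pm /adm/index.php?sid=" "chain,id:1014,phase:1,pass,ctl:ruleRemoveByTag=attack-lfi"
    SecRule REQUEST_METHOD "@streq POST"

# WordPress whitelist vs. XSS
SecRule REQUEST_HEADERS:Referer "@pm /wp-admin/admin.php?page=gf_edit_forms" "id:1016,phase:1,pass,ctl:ruleRemoveByTag=attack-xss"
# NOTE(review): ARGS_NAMES in phase:1 only covers query-string parameters;
# if jform[...] / mepr-emails arrive in a POST body, 1017 and 1019 need
# phase:2 to ever match — verify against the audit log before changing.
SecRule ARGS_NAMES "@pm jform[" "id:1017,phase:1,pass,ctl:ruleRemoveByTag=attack-xss"
SecRule REQUEST_HEADERS:User-Agent "@pm SFDC-Callout/" "id:1018,phase:1,pass,ctl:ruleRemoveByTag=attack-xss"
SecRule ARGS_NAMES "@pm mepr-emails" "id:1019,phase:1,pass,ctl:ruleRemoveByTag=attack-xss"

# Moodle: whitelist Atto autosave from XSS
SecRule REQUEST_URI "@pm /lib/editor/atto/autosave-ajax.php" "chain,id:1020,phase:1,pass,ctl:ruleRemoveByTag=attack-xss"
    SecRule REQUEST_METHOD "@streq POST"

# Oxygen editor whitelist: deliberate full bypass (allow + ruleEngine=Off)
# for POSTs that save the components tree.
SecRule REQUEST_URI "@pm ct_save_components_tree" "chain,id:1021,phase:1,allow,ctl:ruleEngine=Off"
    SecRule REQUEST_METHOD "@streq POST"

# WordPress: PHP injection false positives in the editor
SecRule REQUEST_URI "@pm /wp-admin/admin-ajax.php" "id:1022,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-injection-php"
SecRule REQUEST_URI "@pm /update-zone" "id:1023,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli"

# WordPress Contact Form 7 whitelist
SecRule REQUEST_URI "@pm /wp-json/contact-form-7" "id:1024,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-injection-php"

# Joomla: whitelist administrator page /administrator/index.php
SecRule REQUEST_URI "@pm /administrator/index.php" "id:1025,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-rce"

# OpenCart: whitelist administrator page
SecRule REQUEST_URI "@pm /admin/index.php" "id:1026,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-rce"

# Mercurial repo: whitelist publishing (inspection off for this path)
SecRule REQUEST_URI "@pm /hgweb.cgi" "id:1027,phase:1,pass,nolog,ctl:ruleEngine=Off"

# ProcessWire: whitelist admin edit page (inspection off for this path)
SecRule REQUEST_URI "@pm /login/page/edit/" "id:1028,phase:1,pass,nolog,ctl:ruleEngine=Off"

# DokuWiki: whitelist upload (inspection off for this path)
SecRule REQUEST_URI "@pm /exe/ajax.php" "id:1029,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Nextcloud/ownCloud DAV files, uploads and calendars (inspection off)
SecRule REQUEST_URI "@pm /remote.php/dav/files/" "id:1030,phase:1,pass,nolog,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@pm /remote.php/dav/uploads/" "id:1031,phase:1,pass,nolog,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@pm /remote.php/dav/calendars/" "id:1032,phase:1,pass,nolog,ctl:ruleEngine=Off"

# ProcessWire CMS: page edit whitelist (inspection off for this path)
SecRule REQUEST_URI "@pm /processwire/page/edit/" "id:1033,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Exclude the WordPress cookie wordpress_sec from 942100 when it has the
# expected shape (hex || digits || digits) and is present exactly once.
SecRule REQUEST_COOKIES:wordpress_sec "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" "id:1034,phase:1,pass,t:none,nolog,chain"
    SecRule &REQUEST_COOKIES:wordpress_sec "@eq 1" "t:none,ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:wordpress_sec"

# Whitelist nav-menu.php from attack-protocol
SecRule REQUEST_URI "@pm wp-admin/includes/nav-menu.php" "id:1035,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-protocol"

# Whitelist WordPress wp-admin/themes.php referer
SecRule REQUEST_HEADERS:Referer "@pm wp-admin/themes.php" "id:1036,phase:2,pass,ctl:ruleRemoveByTag=attack-rce"

# Jetpack Boost whitelist rule. Prevents anomaly-score breaking Jetpack.
# Was "@pm .../critical-css/?:(core_front_page|singular_page)/success":
# @pm matches that text literally, so the rule could never fire. The
# alternation is now a real regex under @rx.
SecRule REQUEST_URI "@rx /wp-json/jetpack-boost/v1/critical-css/(?:core_front_page|singular_page)/success" "id:1037,phase:1,pass,nolog,ctl:ruleEngine=Off"

# WPMU DEV backup whitelist rule.
SecRule REQUEST_URI "@pm /wp-load.php?wpmudev-hub" "id:1038,phase:1,pass,nolog,ctl:ruleRemoveById=921130"

# AmazonProductImporter plug-in whitelist (inspection off for this path)
SecRule REQUEST_URI "@pm /amazonproductimporter" "id:1039,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Whitelist Stripe webhook User-Agent. @pm splits on whitespace, so the
# effective phrases are "Stripe/1.0" and "(+https://stripe.com/docs/webhooks)";
# either substring disables inspection. phase:1 added (was unphased = phase 2).
SecRule REQUEST_HEADERS:User-Agent "@pm Stripe/1.0 (+https://stripe.com/docs/webhooks)" "id:1040,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Whitelist Site Editor on TwentyTwentyThree
SecRule ARGS:postId "@pm twentytwentythree" "id:1041,phase:1,pass,nolog,ctl:ruleRemoveById=942100,chain"
    SecRule REQUEST_URI "@pm /wp-admin/site-editor.php"

# Whitelist mothership directory per customer request (inspection off)
SecRule REQUEST_URI "@pm /mothership" "id:1042,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Stop treating the WordPress Site Editor as SQL injection or generic attack
SecRule REQUEST_URI "@rx ^/wp-admin/site-editor\.php" "id:1043,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveByTag=attack-generic"

# Test rules
SecRule REQUEST_FILENAME "@endsWith /wp-json/wp/v2/global-styles" "id:1044,phase:2,pass,nolog,ctl:ruleRemoveById=942100"
# NOTE(review): the dotted parameter name below is the form ModSecurity
# gives JSON body keys; body ARGS are only populated from phase:2, so this
# phase:1 chain may never match — confirm against the audit log.
SecRule &ARGS_NAMES:jetpack_publicize_connections.jetpack_publicize_connections.profile_picture "@gt 0" "id:1045,phase:1,pass,t:none,nolog,chain"
    SecRule ARGS_NAMES:jetpack_publicize_connections.jetpack_publicize_connections.profile_picture "@contains .profile" "ctl:ruleRemoveById=930120"
SecRule ARGS "@rx f\(n\)" "id:1046,phase:2,nolog,pass,ctl:ruleRemoveById=942100"
SecRule REQUEST_COOKIES "@rx mcfw-wp-user-cookie" "id:1047,phase:2,nolog,pass,ctl:ruleRemoveById=942100"

# Whitelist Astra theme issues. The second exclusion names a target
# (ARGS:meta...), which is the ruleRemoveTargetByTag form; under
# ruleRemoveByTag the ";ARGS:..." suffix became part of the tag pattern and
# the exclusion silently matched nothing.
SecRule REQUEST_URI "@contains /wp-json/wp/v2/pages/" "id:1048,phase:2,pass,nolog,ctl:ruleRemoveByTag=attack-sqli,ctl:ruleRemoveTargetByTag=attack-generic;ARGS:meta.ast-content-background-meta.mobile.background-color"

# Prevent 942100 catch on posting
SecRule REQUEST_HEADERS:Referer "@contains wp-admin/post-new.php" "id:1049,phase:1,pass,nolog,ctl:ruleRemoveById=942100"
SecRule REQUEST_URI "@contains /wp-json/wp/v2/posts/" "id:1050,phase:2,pass,nolog,ctl:ruleRemoveById=942100"

# Whitelist AI content generation in Astra themes
SecRule REQUEST_URI "@contains /wp-json/zipwp/v1/" "id:1051,phase:1,pass,nolog,ctl:ruleRemoveById=949110"

# More AI whitelisting
SecRule REQUEST_URI "@contains /wp-json/wp/v2/templates/" "id:1052,phase:1,pass,nolog,ctl:ruleRemoveById=1990092"

# Disable rule 949110 (anomaly blocking evaluation) for requests under /wp-json/.
# 1053-1056 previously used "allow", which ends processing of the whole
# transaction and made the ctl: exclusion irrelevant (no other rule ran, so
# nothing was logged either). "pass" keeps detection and logging while the
# named rule alone is removed. Operator made explicit (@rx is the default).
SecRule REQUEST_URI "@rx ^/wp-json/" "id:1053,phase:1,nolog,pass,ctl:ruleRemoveById=949110"

# Disable rule 949110 for requests under async-upload.php
SecRule REQUEST_URI "@rx ^/wp-admin/async-upload\.php" "id:1054,phase:1,nolog,pass,ctl:ruleRemoveById=949110"

# Clears issues with Stripe under /wp-admin/. With "allow" this rule
# exempted every /wp-admin/ request from all inspection; with "pass" only
# 1990091 is removed, as the comment intends.
SecRule REQUEST_URI "@contains /wp-admin/" "id:1055,phase:1,nolog,pass,ctl:ruleRemoveById=1990091"

# Disable rule 942100 for requests under async-upload.php
SecRule REQUEST_URI "@rx ^/wp-admin/async-upload\.php" "id:1056,phase:1,nolog,pass,ctl:ruleRemoveById=942100"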