403 Error in WordPress when saving pages or posts.

We recently ran into an issue being rolled out on a handful of web hosting companies using the Apache/cPanel and WHM server configuration. It came with a recent server patch that started with one host; as other hosting providers implemented the patch later, we observed the same error at those companies. The issue lies with Apache Mod Security (mod_sec) firewall flags.

THE PROBLEM

The error you will see in WordPress is a 403 error when saving a page or post.

Another symptom: you can’t edit a page or post, because a 403 error is also generated.

This recent patch has a mod_security setting that flags functionality in WordPress, forcing a mod_security flag that causes the error.

 

THE FIX

Please note that not every item below is part of the fix; in most cases one of these 4 options will correct the problem. If the problems persist, look into tracking the IP addresses via .conf rules to adjust for true attacks vs false positives.

1. In the .htaccess file for WordPress, add a mod_security parameter to disable it (mod_security might be compiled to prevent this switch from working, or the switch may be blocked by limiting the .htaccess authorization via AllowOverride settings).

SIMPLE HTACCESS CODE:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>
# END WordPress

2. In cPanel you can go to the mod security tab and disable mod security (not all web hosts allow changing mod security through cPanel – some providers restrict it).

3. If you are on a shared/co-host environment you may need to contact your hosting support – tell them you are having a mod security issue related to a 403 error and they should be able to reset mod security so your install works correctly.

4. If you are on a VPS or DEDICATED SERVER you should have access to the root folders in cPanel. You can edit your conf and mod security rules at /usr/local/apache/conf/ and edit httpd.conf

Find the configuration item and remove the # symbol.

#LoadModule rewrite_module modules/mod_rewrite.so

NOTE: The other cause of this problem can sometimes be file permissions, permalinks or corrupted .htaccess files, all of which are relatively easy to correct.
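To separate true attacks from false positives before switching mod_security off entirely, the Apache error log can be grouped by the rule id that produced each 403. The following is an added example, not code from the original post: the log lines, IP addresses and rule ids are constructed, and the admin IP set and editor URI list are assumptions to be replaced with your own.

```python
import re
from collections import defaultdict

# Constructed sample error_log lines in the format ModSecurity 2.x writes;
# the IPs, rule ids and messages are made up for illustration.
SAMPLE_LOG = """\
[Tue Mar 04 10:15:32 2014] [error] [client 198.51.100.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "900001"] [msg "Sample rule A"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "a1"]
[Tue Mar 04 10:16:02 2014] [error] [client 198.51.100.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:content. [id "900001"] [msg "Sample rule A"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "a2"]
[Tue Mar 04 10:20:11 2014] [error] [client 203.0.113.7:51234] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:log. [id "900002"] [msg "Sample rule B"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "a3"]
[Tue Mar 04 10:20:12 2014] [error] [client 203.0.113.7:51235] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:log. [id "900002"] [msg "Sample rule B"] [hostname "example.com"] [uri "/xmlrpc.php"] [unique_id "a4"]
[Tue Mar 04 10:21:00 2014] [error] [client 203.0.113.7] File does not exist: /home/user/public_html/favicon.ico
"""

CLIENT = re.compile(r'\[client ([\d.]+)(?::\d+)?\]')   # IPv4, optional :port
FIELD = re.compile(r'\[(id|uri|msg) "([^"]*)"\]')
# Assumption: these are the editor endpoints that saving a post hits.
EDITOR_URIS = {"/wp-admin/post.php", "/wp-admin/admin-ajax.php"}

def parse_denials(text):
    """Return one dict per ModSecurity 403 denial found in the log text."""
    out = []
    for line in text.splitlines():
        if "ModSecurity: Access denied with code 403" not in line:
            continue
        client = CLIENT.search(line)
        rec = dict(FIELD.findall(line))
        if client and "id" in rec:
            rec["client"] = client.group(1)
            out.append(rec)
    return out

def summarize(denials, admin_ips):
    """Group denials by rule id and mark rules that only ever block known
    admin IPs on editor URIs as likely false positives."""
    rules = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set()})
    for d in denials:
        r = rules[d["id"]]
        r["hits"] += 1
        r["clients"].add(d["client"])
        r["uris"].add(d.get("uri", "?"))
    for r in rules.values():
        benign = r["clients"] <= set(admin_ips) and r["uris"] <= EDITOR_URIS
        r["verdict"] = "likely false positive" if benign else "review as possible attack"
    return dict(rules)

if __name__ == "__main__":
    for rule_id, r in summarize(parse_denials(SAMPLE_LOG), {"198.51.100.20"}).items():
        print(rule_id, r["hits"], sorted(r["clients"]), sorted(r["uris"]), r["verdict"])
```

A rule id confirmed as a false positive can then be excluded on its own (ModSecurity 2.x provides `SecRuleRemoveById` for this) while the rest of the rule set stays active.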

 

What to look for when picking a web host

Hosting has evolved quite a bit in the past 10 years. The types of hosting and the technology have changed, but a few constants will remain the same when picking a web host.

In my experience these are the top things to consider before dedicating yourself to a host.  My answer to everyone is to plan ahead, plan for the worst case scenario, and have a contingency plan.

 

1. CUSTOMER SUPPORT

Many hosts are not integrated companies, meaning their hardware, support and even billing can be in different geographic locations.

This causes a slowdown in communication between departments, and most issues are addressed through a ticket system.  This is typically a standardized process within most hosts; however, having a host you can talk to on the phone is more beneficial long term.  Use your intuition when it comes to customer service…if your host can’t or won’t help you with a small problem, just imagine when you have a big one!

 

2. SERVER HOSTING TYPE

SHARED/COHOST – This type of hosting is entry level in functionality, customization and price. Basically your site is a folder on the server with thousands of other websites.  This means you get a standard package, but customization of what you can do is limited.  On shared/cohosted servers the needs of the many outweigh the needs of the few…. If one site is generating too much bandwidth or using too much memory, there are automated processes that will automatically shut down your site (this is where customer support is important).

If your website requires functionality (php ini, libraries, codecs etc) outside the hosting packages offered by a shared host, it can be a project killer if they DO NOT offer hardware scalability to a VPS or dedicated server as a resolution.

BAD EXAMPLE SCENARIO – A client was using Blue Host, we had a viral campaign and after generating 80,000+ requests per hour they shut down the account.  They did not offer VPS or dedicated servers so an upgrade in hardware was not possible, effectively killing free traffic and marketing opportunities to the website.

BAD EXAMPLE SCENARIO –  A client was using Host Papa, and they had a php injection virus from an old WordPress install. The shared host locked down the account/ftp/cpanel/http/pop but also sent an email with the infected file list saying “please remove these files to reactivate the account”.  How do you remove infected files if you are locked out of your account?.. Answer: you can’t…. the host had no method in place to address this issue.

 

VIRTUAL PRIVATE SERVER /CLOUD VPS – VPS or virtual private servers are similar to a shared host, except most VPS servers only run a handful of sites, which can allow more base level server customization for your apps/websites etc.  Be very selective with what hardware you add when picking a VPS package. Some VPS can actually perform worse than a shared host due to low CPUs or memory. If you can afford it, get A LOT of CPUs, MEMORY and hard drives; this is most important when making your initial purchase.

A mistake after the purchase can force you to build a whole new server with proper hardware, which means a ton of downtime that could kill a project budget and schedule. Those who have never used anything beyond a shared host will get a crash course in the joys of hardware monitoring, site memory consumption and all the other processes that have to run. There is more to your file structure than just a root folder =).

 

DEDICATED SERVER – Ideally this is what you should have if you have big plans, generate a lot of bandwidth, run system intensive processes and of course…if you can afford it. With dedicated servers, as with a VPS …ALWAYS GET THE MOST RAM/CPUS and hard drives with your initial order.  A dedicated server means you have your very own computer for your website, you are the king of the ship….but you can also easily run aground.

A dedicated server has more hardware/software maintenance that has to be addressed and can sometimes require constant monitoring.   Some dedicated server hosts provide support for server maintenance for an extra fee and this is what you want to be looking for….once again back to communication with the host.

 

3. BANDWIDTH SCALABILITY

Does your host have big enough pipes for your business? Besides the hardware aspect of your web host, the other important thing to look into is bandwidth.  Does the web host have ability to scale your speed if you start generating more traffic?  Does the server data center allow real time monitoring and scalability of  bandwidth if need be?

 

4.  WEB HOST COMPANY STABILITY

In recent years a new issue in stability has arisen with some web hosts: the companies themselves sometimes go through business model changes, legal issues, politics, disagreements with hardware vendors, support teams etc.  Web hosting companies are bought and sold like hot cakes due to chaotic investment and economic situations.   This trickles down to your level of service, the type of hardware and even the support you receive. Many times this will happen without any notice to the end user.   A management issue at a web host can lead to segmentation in the support departments, not responding to calls, emails, tickets etc. Finding out how long your host has been around is a good thing to check, as it shows long term viability.