So, on my server with the latest stable ISPConfig and also having installed mod_security... I'm trying to avoid some rules for WordPress-specific pages, but with no success.

Rules:

Code:

    <LocationMatch "/">
        SecRuleRemoveById 910006 # Google robot activity - Useful in some ways but noisy for sites where you want them crawled
        SecRuleRemoveById 960015 # Request Missing an Accept Header - Allow for Google Reader
    </LocationMatch>

    <LocationMatch "/wp-admin/post.php">
        SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
    </LocationMatch>

    <LocationMatch "(/wp-admin/|/wp-login.php)">
        SecRuleRemoveById 950005 # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other linux paths in posts.
        SecRuleRemoveById 950117 # Remote File Inclusion Attack - Disable to allow http:// to be passed in args
        SecRuleRemoveById 960010 # Request content type is not allowed by policy
    </LocationMatch>

    <LocationMatch "(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
        SecRuleRemoveById 950907 # System Command Injection
        SecRuleRemoveById 950005 # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other linux paths in posts.
        SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
        SecRuleRemoveById 959006 # SQL Injection Attack -
        SecRuleRemoveById 960008 # Request Missing a Host Header
        SecRuleRemoveById 960011 # GET or HEAD requests with bodies
        SecRuleRemoveById 960904 # Request Containing Content, but Missing Content-Type header
        SecRuleRemoveById phpids-17 # Detects JavaScript object properties and methods
        SecRuleRemoveById phpids-20 # Detects JavaScript language constructs
        SecRuleRemoveById phpids-21 # Detects very basic XSS probings
        SecRuleRemoveById phpids-30 # Detects common XSS concatenation patterns 1/2
        SecRuleRemoveById phpids-61 # Detects url injections and RFE attempts
    </LocationMatch>

    <LocationMatch "/wp-includes/">
        SecRuleRemoveById 950006 # System Command Injection - Another rule that probably doesn't need to be disabled by everyone it stops .exe and various other extensions being passed in arguments.
        SecRuleRemoveById 959006 # SQL Injection Attack -
        SecRuleRemoveById 960010 # Request content type is not allowed by policy - Allows for amongst other things spell check to work on admin area
        SecRuleRemoveById 960012 # Require Content-Length to be provided with every POST request - Same as above
        SecRuleRemoveById phpids-17 # Detects JavaScript object properties and methods
        SecRuleRemoveById phpids-20 # Detects JavaScript language constructs
        SecRuleRemoveById phpids-21 # Detects very basic XSS probings
        SecRuleRemoveById phpids-30 # Detects common XSS concatenation patterns 1/2
        SecRuleRemoveById phpids-61 # Detects url injections and RFE attempts
    </LocationMatch>

Any ideas why the LocationMatch won't match? Just to make clear, setting the command outside LocationMatch works.

My question on SO: http://stackoverflow.com/questions/14202050/locationmatch-not-matching

Have you checked in the vhost file if the directives have been added there? Maybe there is a syntax error somewhere and ISPConfig could not apply the new configuration. I added some mod_security rules a few days ago in one site by adding them in the Apache directives field in ISPConfig and it worked on my server. I described it here in the FAQ; the rules I used are not as complete as your list though: http://www.faqforge.com/linux/apache-mod_security-settings-for-wordpress-and-modx/
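
To follow the suggestion above of checking what actually reached the vhost file, this added example (not from the thread or from ISPConfig) parses `LocationMatch` blocks out of config text and reports which `SecRuleRemoveById` IDs apply to a given URL path. The sample config is a constructed, shortened copy of the question's rules, and using Python's `re` in place of Apache's regex engine is an assumption; lines with a trailing `#` comment are flagged because Apache's documentation says comments may not share a line with a directive.

```python
import re

# Constructed sample: a shortened copy of the directives quoted in the question.
SAMPLE_VHOST = '''
<LocationMatch "/">
SecRuleRemoveById 910006 # Google robot activity
SecRuleRemoveById 960015
</LocationMatch>
<LocationMatch "(/wp-admin/|/wp-login.php)">
SecRuleRemoveById 950005
SecRuleRemoveById 950117
</LocationMatch>
<LocationMatch "/wp-includes/">
SecRuleRemoveById 959006
SecRuleRemoveById phpids-17
</LocationMatch>
'''

OPEN = re.compile(r'<LocationMatch\s+"?([^">]+)"?\s*>', re.I)
REMOVE = re.compile(r'SecRuleRemoveById\s+(.*)', re.I)

def parse_blocks(text):
    """Return ([(pattern, [ids])], [line numbers with a trailing '#' comment])."""
    blocks, flagged, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        opened = OPEN.match(line)
        removal = REMOVE.match(line)
        if opened:
            current = (opened.group(1), [])
            blocks.append(current)
        elif line.lower().startswith('</locationmatch'):
            current = None
        elif current is not None and removal:
            # Keep the IDs before '#'; remember the line so it can be cleaned up.
            args, sep, _ = removal.group(1).partition('#')
            if sep:
                flagged.append(lineno)
            current[1].extend(args.split())
    return blocks, flagged

def removed_for(path, blocks):
    """IDs removed for a URL path; LocationMatch patterns are unanchored, so search()."""
    return {i for pat, ids in blocks if re.search(pat, path) for i in ids}

if __name__ == '__main__':
    blocks, flagged = parse_blocks(SAMPLE_VHOST)
    for path in ('/index.php', '/wp-login.php', '/wp-includes/js/x.js'):
        print(path, sorted(removed_for(path, blocks)))
    print('lines with trailing comments:', flagged)
```

Feed it the contents of the generated vhost file instead of `SAMPLE_VHOST` to see whether the blocks were written at all and which paths each one covers; note that the `"/"` pattern matches every path.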