MAD_SECURITY - “precondition failed” error on Wordpress post action
May 26, 2008 — Until I “fixed” this problem, on this Wordpress 2.5.1 blog hosted on textdrive, If I typed “FTP” and “server” in the main text field of the “New Post” page, and then published or saved my post, I got “Precondition Failed”
Try this on your wordpress blog.
Make a new post.
Type anything in the title field.
Type the words
“FTP” and “server” in the main text field you can type any other content too, but put those two words together and you will not be able to save your post. (edit: It appears that the only word that I really had trouble was “FTP ” - with the space after and without the quotes. I have heard of people having problems with words commonly found in porn spam and also some seemingly-innoccuous words such as “picture”)
Try to publish your test post.
Do you get the “Precondition Failed” error?
Precondition Failed The precondition on the request for the URL /blog/wp-admin/post.php evaluated to false.
Update - I think it’s mod_security that causes that message. See
this Wordpress Support Page
Also see this Joyent help page
I tried creating a .htaccess file in my public_html directory using the rules suggested there. According to that, you can disable MOD_SECURITY with the following in your .htaccess file:
SecFilterEngine Off
This made it so that at one point I was able to post the word “FTP” alone in a post, which was impossible before. However, I didn’t want to completely disable MOD_SECURITY if I didn’t have to, so,
I tried this in my .htaccess instead, as Joyent suggested at the url above:
SecFilterEngine On
SecFilterSelective "REQUEST_URI" "/blog/wp-admin/post.php" "allow,nolog"
SecFilterSelective "POST_PAYLOAD" "FTP ,FTP,SSH ,SSH" "allow,nolog"
(Note that the above code consists of three lines, and the lines begin with SecFilt…. I will have to make a few adjustments to the theme CSS to make my blog wider . . .)
And that one worked! I don’t think I need the post.php entry so I may remove that line. Anyway it worked.
I am told that MOD_SECURITY is used for spam filtering, and there are many recommendations to disable mod_security as a workaround for this type of problem. However I don’t know. I am rather experimenting here. I’m glad I didn’t have to completely disable it.
I’m tempted to think that overall rules (on my server) are too strict or need tweaking. Or that I need to make a custom filter of my own. However, one would think that one could blog the word “FTP” server without having to rewrite apache rules. When the 3rd and 5th blog posts I made failed, I started thinking “What’s the use? I got me a blog that I can’t post on!”
So here are some suggestions for some rules to put in your .htaccess file so that MOD_SECURITY will be generally functional, and allow apache to allow posts about FTP SSH, etc…
Status: MOD_SECURITY enabled. Blog works. All good.
To implement this solution on your own blog, edit (or create, if it doesn’t exist) a file called .htaccess in the web root of your blog and add the above code to it. .htaccess files define per-directory rules for the apache web server. The .htaccess file which I added to fix my blog is in the folder which contains my Wordpress folder. I think that if you put the file in your actual blog folder it will work as well.
Tags: .htaccess, mod security, precondition failed, wordpress
[...] Try this on your wordpress blog. Make a new post. Type anything in the title field. Type the words “ftp” and “server” in the main text field you can type any other content too, but put those two words together and you will not be able to save your post. Try to publish your test post. Do you get the “Precondition Failed” error? Update - I think it’s mod_security that causes that message. See here UPDATE: See my newest post on this problem. [...]