Best Package: OWASP ModSecurity Core Rule Set for a standard wordpress blog

Hello Community.

I have been reading through all the Package: OWASP ModSecurity Core Rule Set information on the help pages blogs. As I and everyone else would always want the highest level of security possible I understand this can sometimes have a negative effect.

I was hoping someone could advise me if the highest setting “HIGH” =25 + and for ajax High 65+ would be appropriate for a stock standard Wordpress Blog , No apps, no users logins or services attachded to it.

Also, does the IP access rule override this? or does OWASP override the IP access rules


Thanks for asking.

To be honest, the WP core is secure. True, when there are bugs or some vulnerabilities, they got security fixes, etc. because the WP community is large nowadays. However, unfortunately for the plugins & themes we cannot say that and this might not be the case for all.

If you’ve got paid plan like Pro, which offers Managed WAF Rules, make sure to enable those for WordPress for sure.

Regarding OWASP, I keep it at “Medium 40 and higher” with Paranoia PL1 and action “block”. From my experience, if I put it to “High 25 and higher” or change Paranoia to PL2,3 or 4, I experience issues with plugins mostly and day-to-day issues which occured for the daily users using the WP admin dashboard.

I am afraid there is no single answer, or as we say “silver bullet” solution which would apply and work for everyone. I’d say it’s the Website’s owner job and responsibillity to make it’s website stable, reliable, secured and working as expected both for users and visitors.

Despite that, I also combine other security options like Browser Integrity Check, Security Level Medium, etc.

Good thing is to figure out and combine Firewall Rules too among that.

Below I share my post regarding security & protection measurements for WordPress while using Cloudflare, mostly which can be achieved via Firewall Rules, which you are free to take a look and decide, research and experiment a bit with your WP Website if any of them suits your need and helps at least a bit:

Just in case, related to the WordPress, I’d suggest you to whitelist your origin host / server / hosting IP address by navigating to the Security → WAF → Tools → IP Access Rules with the action “allow” for your Website and try again.

It knows to happen due to the WordPress using HTTP/1.0 and empty user-agent, therefore while executing WP-Cron or some other related JSON/REST API request via plugin.

Regarding vulnerabilities, here:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.