Fix Mod security plugin for wordpress

Mod security can be a hassle when trying to work with wordpress or bbpress. The main problem is the forms using parameters in their action, which is blocked by mod_security with a nice error page. With some minor javascript and php you can however easily write yourself a widget to workaround and get the wordpress backend to work again.

The php code is quite simple:


Plugin Name: Fix mod_security
Plugin URI:
Description: Plugin to make wordpress backend more stable in mod_security environment
Author: Roonaan
Version: 0.1
Author URI:

The Fix Mod Security plugins looks for html <form> elements which action contains parameters.
The parameters are then moved into an newly added hidden input.
After submission of the form, the serverside code will inject the original parameters back
into the $_GET and $_REQUEST globals where wordpress would have expected them originaly.

# Define a key to use for the hidden input
if(!defined('FIXMODSECURITY_KEY')) {
    define('FIXMODSECURITY_KEY', md5(md5(__FILE__).md5(date('Ymd'))));

# See if the hidden input is available and filled
    parse_str($_POST[FIXMODSECURITY_KEY], $values);
    foreach($values as $key => $value) {
        if(!isset($_GET[$key])) {
            $_GET[$key] = $value;
        if(!isset($_REQUEST[$key])) {
            $_REQUEST[$key] = $value;

# Hook the javascript code into the administration interface
add_action('admin_footer', 'fmc_admin_print_scripts', 1);

 * Generate javascript code that detects forms and make sure they
 * are mod_security proof.

function fmc_admin_print_scripts() {
<script type="text/javascript">
if(typeof jQuery != "undefined") {
    function fmc_update_forms() {
        var frms = document.forms;
        for(var i = 0; i < frms.length; i++) {
    function fmc_update_a_form(frm) {
        if(typeof frm == 'undefined') {
        var act = frm.getAttribute('action');
        var mtd = frm.getAttribute('method');
        if(mtd != 'post' || act.indexOf('?') < 1) {
        var elem = document.createElement('input');
        elem.type = 'hidden';
        elem.value = act.substring(act.indexOf('?')+1); = "<?php echo FIXMODSECURITY_KEY;?>";
        frm.setAttribute('action', act.substring(0, act.indexOf('?')));

        jQuery(frm).css({border:"dashed 1px #009"}).prepend('<div style="background:#009;color:white;font-size:9px;line-height:12px;text-indent:3px;font-family:verdana,sans-serif"><b>Note</b>: This form was altered by the Fix Mod_security plugin.</div>');


In time i will make a proper plugin for it. Or not.

Be Sociable, Share!

Tags: , , , ,

Leave a Comment

This blog is kept spam free by WP-SpamFree.