
Fix ModSecurity rule syntax and clean up WordPress configuration#31

Open
YouKyi wants to merge 1 commit into
devfrom
fix/wordpress-syntax

Conversation

Collaborator

@YouKyi YouKyi commented Apr 29, 2026

Fix ModSecurity rule syntax in configs/modsec/wordpress_false_positives.conf: replace incorrect ruleRemoveTargetById directives with ruleRemoveById and remove unused rule 949110 from XML-RPC false-positive configuration.

Testing

  • jq . templates/<template-name>/template.json
  • Validated template or docs using the listed commands
  • Other (add details below)
Validation details

Checklist

  • I installed the pre-commit hooks and ran pre-commit run --all-files.
  • I described the service or scenario this change targets.
  • template.json references only files shipped in the same template directory.
  • Template docs note how to import it (plugin bundle and/or web UI upload).
  • I updated configs, screenshots, or notes impacted by this change.
  • I linked related issues or discussions and added context for reviewers.

Copilot AI review requested due to automatic review settings April 29, 2026 09:02
@YouKyi YouKyi requested a review from TheophileDiot as a code owner April 29, 2026 09:02
Contributor

coderabbitai Bot commented Apr 29, 2026

Templates: WordPress

configs/modsec/wordpress_false_positives.conf

ModSecurity rule removal configuration updated:

  • Lines 16–23: Admin-AJAX endpoint exclusions reformatted to multi-line quoted strings. Directives corrected to use ctl:ruleRemoveById= (rules 941130, 942200, 942440, 942450) with phase 2, pass, nolog flow preserved.
  • Lines 26–28: XML-RPC endpoint rule simplified—now removes only rule 949120 via ctl:ruleRemoveById=; rule 949110 exclusion deleted.
  • Security & CRS impact: Stricter CRS enforcement on XML-RPC. Rule 949120 (Apache HTTP Server mod_security ModSecurity: Blocking SQL injection attempt) exception retained; 949110 (ModSecurity Core Rule Set: SQL Injection Attack) exception removed, tightening SQL injection detection on legacy XML-RPC endpoints.

CHANGELOG.md

## Unreleased section updated with entry documenting the ModSecurity directive correction and rule 949110 removal from the WordPress template.

template.json

Valid schema; configs array (line 38) correctly references modsec/wordpress_false_positives.conf within the template directory. File exists in repository.

Walkthrough

ModSecurity WordPress false-positive tuning configuration updated with reformatted SecRule directives and directive consolidation. Changelog documentation added to reflect the configuration modifications to rule removal directives and XML-RPC rule handling.

Changes

Cohort / File(s) Summary
Changelog Documentation
CHANGELOG.md
Added entry documenting ModSecurity configuration updates for WordPress false-positive tuning.
ModSecurity Configuration
templates/wordpress/configs/modsec/wordpress_false_positives.conf
Reformatted SecRule action strings into multi-line quoted format; replaced ctl:ruleRemoveTargetById= with ctl:ruleRemoveById= directive; modified /xmlrpc.php rule to remove only rule ID 949120 (previously also removed 949110). Phase and pass-through behaviour unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

ModSecurity's clauses refined with care,
Rule directives consolidated, precise and fair,
XML-RPC false positives pruned just right,
WordPress protected in digital light,
Configuration tightened—a tuning delight.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed Title uses imperative mood, is concise at 64 characters, and accurately describes the main changes to ModSecurity directives and WordPress configuration.
Description check ✅ Passed Description clearly outlines the specific technical changes made to the ModSecurity configuration file, matching the changeset modifications.


Collaborator Author

YouKyi commented Apr 29, 2026

#23


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@templates/wordpress/configs/modsec/wordpress_false_positives.conf`:
- Around line 16-28: For each SecRule block (the SecRule lines with ids 9005001,
9005002 and 9005003) add a per-rule rationale comment immediately above the
SecRule that documents: the exact endpoint (e.g., /wp-admin/admin-ajax.php or
/xmlrpc.php), the payload area being exempted (e.g., POST body, query args,
specific parameter like action or pingback), the specific CRS rule IDs being
removed (941130, 942200, 942440, 942450, 949120) and a concise reason why that
CRS rule is safe to relax for this endpoint (e.g., known legitimate AJAX actions
or explicit XML-RPC pingback support), so each exclusion is auditable and
follows the templates/**/configs/**.conf guideline.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5cce9e82-00e7-4639-8bb1-b23240572432

📥 Commits

Reviewing files that changed from the base of the PR and between a793d3d and 0d42493.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
📜 Review details
⏰ Context from checks skipped due to timeout of 120000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Agent
🧰 Additional context used
📓 Path-based instructions (9)
CHANGELOG.md

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Update CHANGELOG.md under ## Unreleased for every change using the bullet format - [@github-handle] Summary of the change

Record all changes in CHANGELOG.md under the ## Unreleased section using the bullet format - [@github-handle] Summary of the change

All changes must be documented in CHANGELOG.md under the ## Unreleased section as - [@github-handle] Summary

Files:

  • CHANGELOG.md

⚙️ CodeRabbit configuration file

CHANGELOG.md: CHANGELOG.md drives the pre-release notes generated by .github/workflows/dev-template-prerelease.yml, which reads the ## Unreleased section verbatim. Enforce:

  • Every user-visible PR adds a bullet under ## Unreleased in the exact format - [@github-handle] Short description of the change, matching CONTRIBUTING.md and TEMPLATE_GUIDE.md.
  • Do not reorder, rename, or remove existing release headings without a matching release workflow change.
  • Do not move already-released entries back into ## Unreleased.
  • Flag PRs that touch templates/, .github/workflows/, or user-facing docs but skip the changelog entry.

Files:

  • CHANGELOG.md
**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Markdown content should wrap commands in backticks and keep lines under roughly 100 characters

Files:

  • CHANGELOG.md

⚙️ CodeRabbit configuration file

**/*.md: Documentation should be concise, accurate, and written in British English:

  • Keep a sensible heading hierarchy and prefer concrete instructions over narrative.
  • Commands go in backticks or fenced code blocks; keep lines under roughly 100 characters.
  • Check that referenced paths, settings, workflows, and external links still match the current repository.
  • When a PR changes behaviour, defaults, or packaging, require the matching doc update in the same PR.

Files:

  • CHANGELOG.md
templates/*/configs/**/*

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

All paths in configs are relative to the template root; ensure referenced files exist and ship with the PR

Files:

  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
templates/*/configs/**/*.conf

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

templates/*/configs/**/*.conf: NGINX snippets in configs/ should include concise comments when relaxing security defaults
Lint NGINX snippets where possible (e.g. nginx -t) and document any assumptions

Files:

  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
templates/*/**

📄 CodeRabbit inference engine (AGENTS.md)

Templates must live under templates/<template-name>/ with a template.json and referenced assets inside configs/ or sibling files such as README.md

Files:

  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
templates/*/configs/**

📄 CodeRabbit inference engine (AGENTS.md)

Name config snippets to reflect their intent (e.g., modsec/wordpress_false_positives.conf) so reviewers understand coverage at a glance

Files:

  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
**/configs/modsec/*_false_positives.conf

📄 CodeRabbit inference engine (CLAUDE.md)

ModSecurity exclusion rule files must be named using the pattern <service>_false_positives.conf

Files:

  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
**/configs/**/*.conf

📄 CodeRabbit inference engine (CLAUDE.md)

NGINX snippets should include comments when relaxing security defaults

Files:

  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
templates/**/configs/**/*.conf

⚙️ CodeRabbit configuration file

templates/**/configs/**/*.conf: These are NGINX and ModSecurity snippets loaded by BunkerWeb at runtime. They must be safe and minimal:

  • ModSecurity / CRS tuning files (*_false_positives.conf): prefer targeted ctl:ruleRemoveTargetById= / ctl:ruleRemoveById= over SecRuleRemoveById with broad ranges. Every exclusion must have a short comment explaining the specific legitimate traffic it unblocks (endpoint, parameter, rule ID, reason). Do not disable whole paranoia levels or broad rule families.
  • Rule IDs authored here must live in the user range (>= 9,000,000 for SecAction markers used by CRS plugins, or the custom range documented by the upstream CRS plugin being enabled).
  • Do not set SecRuleEngine Off or SecRequestBodyAccess Off in a template config.
  • NGINX fragments: avoid if inside location where a prefix match would do; never proxy_pass to an upstream constructed from a request variable (SSRF); do not strip security headers added by BunkerWeb core; do not lower TLS/SSL protocol or cipher strength.
  • Every file referenced here must also be listed in the owning template.json configs array, and vice versa. Flag orphans in either direction.
  • Add a short top-of-file comment describing the template the snippet belongs to and the upstream service version it was validated against.

Files:

  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
🧠 Learnings (6)
📓 Common learnings
Learnt from: CR
Repo: bunkerity/bunkerweb-templates PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-23T15:34:59.501Z
Learning: Applies to templates/*/configs/** : Name config snippets to reflect their intent (e.g., `modsec/wordpress_false_positives.conf`) so reviewers understand coverage at a glance
Learnt from: CR
Repo: bunkerity/bunkerweb-templates PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-23T15:34:59.501Z
Learning: Before opening a PR, ensure the pre-commit suite passes, `template.json` references only in-repo files, and documentation explains how to import or deploy the template
Learnt from: CR
Repo: bunkerity/bunkerweb-templates PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-24T15:08:18.917Z
Learning: Applies to **/configs/modsec/*_false_positives.conf : ModSecurity exclusion rule files must be named using the pattern `<service>_false_positives.conf`
📚 Learning: 2026-04-23T15:34:38.429Z
Learnt from: CR
Repo: bunkerity/bunkerweb-templates PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-04-23T15:34:38.429Z
Learning: Applies to CHANGELOG.md : Update CHANGELOG.md under ## Unreleased for every change using the bullet format - [github-handle] Summary of the change

Applied to files:

  • CHANGELOG.md
📚 Learning: 2026-04-24T15:08:18.917Z
Learnt from: CR
Repo: bunkerity/bunkerweb-templates PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-24T15:08:18.917Z
Learning: Applies to CHANGELOG.md : All changes must be documented in CHANGELOG.md under the `## Unreleased` section as `- [github-handle] Summary`

Applied to files:

  • CHANGELOG.md
📚 Learning: 2026-04-23T15:34:59.501Z
Learnt from: CR
Repo: bunkerity/bunkerweb-templates PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-23T15:34:59.501Z
Learning: Applies to CHANGELOG.md : Record all changes in `CHANGELOG.md` under the `## Unreleased` section using the bullet format `- [github-handle] Summary of the change`

Applied to files:

  • CHANGELOG.md
📚 Learning: 2026-04-23T15:34:59.501Z
Learnt from: CR
Repo: bunkerity/bunkerweb-templates PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-04-23T15:34:59.501Z
Learning: Applies to templates/*/configs/** : Name config snippets to reflect their intent (e.g., `modsec/wordpress_false_positives.conf`) so reviewers understand coverage at a glance

Applied to files:

  • CHANGELOG.md
  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
📚 Learning: 2026-04-24T15:08:18.917Z
Learnt from: CR
Repo: bunkerity/bunkerweb-templates PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-24T15:08:18.917Z
Learning: Applies to **/configs/modsec/*_false_positives.conf : ModSecurity exclusion rule files must be named using the pattern `<service>_false_positives.conf`

Applied to files:

  • CHANGELOG.md
  • templates/wordpress/configs/modsec/wordpress_false_positives.conf
🪛 LanguageTool
CHANGELOG.md

[uncategorized] ~8-~8: The official name of this content management system is spelled with a capital “P”.
Context: ...@YouKyi] Fix ModSecurity rule syntax in configs/modsec/wordpress_false_positives.conf: replace incorrec...

(WORDPRESS)

🔇 Additional comments (1)
CHANGELOG.md (1)

8-8: Changelog entry is correctly formatted and complete.

This bullet matches the required ## Unreleased format and clearly documents both the directive fix and the XML-RPC rule removal.

Comment on lines +16 to +28
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
"id:9005001,phase:2,pass,nolog,\
ctl:ruleRemoveById=941130,\
ctl:ruleRemoveById=942200"
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
"id:9005002,phase:2,pass,nolog,\
ctl:ruleRemoveById=942440,\
ctl:ruleRemoveById=942450"

# Permit XML-RPC pingbacks if explicitly enabled downstream
SecRule REQUEST_URI "@beginsWith /xmlrpc.php" "id:9005003,phase:2,pass,nolog,ctl:ruleRemoveTargetById=949110;ctl:ruleRemoveTargetById=949120"
SecRule REQUEST_URI "@beginsWith /xmlrpc.php" \
"id:9005003,phase:2,pass,nolog,\
ctl:ruleRemoveById=949120"
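Review bot: the removed single-line /xmlrpc.php rule shows exactly why the old syntax was broken, and that is worth a sentence in the changelog entry: ctl:ruleRemoveTargetById takes the form `<id>;<TARGET>` (for example `941130;ARGS:data`), and ModSecurity separates actions with commas, so in `ctl:ruleRemoveTargetById=949110;ctl:ruleRemoveTargetById=949120` the second directive was parsed as the target of the first. The replacement `ctl:ruleRemoveById=949120` is the correct whole-rule exclusion. Two follow-ups: rule id 9005003 is used on both the old single-line rule and the new multi-line rule, so confirm that only the multi-line version survives in the file, because ModSecurity refuses to load a configuration with a duplicate id. And since ctl:ruleRemoveById only affects rules evaluated later in the same transaction, these phase:2 exclusions must be included before the CRS request rules; using phase:1 for all three would make them independent of include order. Minor: 9005001 and 9005002 match the same URI and could be one rule with four ctl actions.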

🛠️ Refactor suggestion | 🟠 Major

Add per-rule rationale comments for each CRS exclusion.

These lines relax security checks, but the comments are too broad. Please document each removed rule ID with the exact endpoint, payload area (e.g., request body/args), and reason, so the relaxation is auditable.

Proposed patch
 # Allow WordPress heartbeat and admin-ajax endpoints used by the dashboard
+# /wp-admin/admin-ajax.php: exclude known false positives on legitimate dashboard/AJAX payloads.
+# - Rule 941130: triggered by valid admin-ajax request body content.
 SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
     "id:9005001,phase:2,pass,nolog,\
      ctl:ruleRemoveById=941130,\
+# - Rule 942200: triggered by valid admin-ajax arguments/body patterns.
      ctl:ruleRemoveById=942200"
+# /wp-admin/admin-ajax.php: additional SQLi false positives on legitimate plugin/core payloads.
+# - Rule 942440: triggered by valid admin-ajax arguments/body patterns.
 SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
     "id:9005002,phase:2,pass,nolog,\
      ctl:ruleRemoveById=942440,\
+# - Rule 942450: triggered by valid admin-ajax arguments/body patterns.
      ctl:ruleRemoveById=942450"
 
 # Permit XML-RPC pingbacks if explicitly enabled downstream
+# /xmlrpc.php: Rule 949120 excluded for legitimate XML-RPC pingback request bodies.
 SecRule REQUEST_URI "@beginsWith /xmlrpc.php" \
     "id:9005003,phase:2,pass,nolog,\
      ctl:ruleRemoveById=949120"
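Review bot: the proposed patch puts comment lines inside line-continued action strings (the `# - Rule 942200:` line between `ctl:ruleRemoveById=941130,\` and `ctl:ruleRemoveById=942200"`, and likewise `# - Rule 942450:`). After backslash continuation the `#` text becomes part of the quoted action list, and because the comment line itself has no trailing backslash the string is left unterminated, so the file would fail to parse rather than gain a comment. Every per-rule rationale should sit above the SecRule line instead. The suggested wording also repeats the same generic phrase ("triggered by valid admin-ajax arguments/body patterns") for each rule; a rationale that actually satisfies the guideline names the parameter (ARGS:action or the request body) and the legitimate action that trips the rule, otherwise the comment adds no audit value.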

As per coding guidelines: templates/**/configs/**/*.conf requires every exclusion to state endpoint, parameter, rule ID, and reason, and **/configs/**/*.conf requires comments when relaxing security defaults.



Copilot AI left a comment


Pull request overview

This PR updates the WordPress ModSecurity CRS exclusion snippet to use valid ModSecurity ctl syntax and removes an unnecessary XML-RPC exclusion, with a corresponding changelog entry.

Changes:

  • Replace invalid ctl:ruleRemoveTargetById=... usage with ctl:ruleRemoveById=... for the WordPress admin-ajax.php exclusions.
  • Remove the 949110 exclusion from the XML-RPC (/xmlrpc.php) tuning.
  • Add an ## Unreleased entry documenting the change.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
templates/wordpress/configs/modsec/wordpress_false_positives.conf Fixes ModSecurity ctl directives for WordPress endpoints and removes the unused XML-RPC rule exclusion.
CHANGELOG.md Documents the WordPress ModSecurity exclusion syntax fix and XML-RPC rule removal under ## Unreleased.
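The ctl syntax this PR corrects, and the guideline quoted in the review (user-range ids, a rationale comment above every exclusion, no duplicate ids), can be checked mechanically before a template ships. The linter below is an added example, not code from the PR or the bunkerweb-templates project; it assumes the simple `SecRule VAR "op" "actions"` form with double-quoted operator and action strings, and the snippet it runs on is constructed to mirror the PR's before and after lines.

```python
# Added example, not the PR's or the project's code: lint a *_false_positives.conf snippet.
import re

USER_ID_MIN = 9_000_000  # user id range required by the template guideline
TARGET_RE = re.compile(r"\d+(?:-\d+)?;!?[A-Za-z_]+(?::[^,\s;=]+)?$")  # 942100;ARGS:action
ID_RE = re.compile(r"\d+(?:-\d+)?$")  # 949120 or 942100-942200
RULE_RE = re.compile(r'SecRule\s+\S+\s+"[^"]*"\s+"([^"]*)"\s*$')  # assumed simple rule form

def logical_lines(text):
    """Yield (physical line no, directive) with backslash-newline continuations joined."""
    buf, start = [], 0
    for i, raw in enumerate(text.splitlines(), 1):
        start = start if buf else i
        buf.append(raw.strip().rstrip("\\"))
        if not raw.rstrip().endswith("\\"):
            yield start, " ".join(buf)
            buf = []

def lint_modsec(text):
    """Return a list of findings; an empty list means the snippet passes every check."""
    findings, seen, commented = [], {}, False
    for n, line in logical_lines(text):
        if not re.match(r"SecRule\b", line):
            commented = line.startswith("#")  # a rationale must directly precede a rule
            continue
        if not commented:
            findings.append(f"L{n}: SecRule without a rationale comment above it")
        commented = False
        m = RULE_RE.match(line)
        if not m:  # e.g. a comment line dropped inside a line-continued action string
            findings.append(f"L{n}: unparseable SecRule (unterminated action string?)")
            continue
        for act in (a.strip() for a in m.group(1).split(",")):
            if act.startswith("id:") and act[3:].isdigit():
                rid = int(act[3:])
                if rid < USER_ID_MIN:
                    findings.append(f"L{n}: id {rid} is below the user range ({USER_ID_MIN})")
                if rid in seen:
                    findings.append(f"L{n}: duplicate id {rid} (first used at L{seen[rid]})")
                seen.setdefault(rid, n)
            elif act.startswith("ctl:ruleRemoveTargetById="):  # valid form: <id>;<TARGET>
                if not TARGET_RE.match(act.split("=", 1)[1]):
                    findings.append(f"L{n}: ruleRemoveTargetById needs '<id>;<TARGET>': {act}")
            elif act.startswith("ctl:ruleRemoveById="):  # valid form: <id> or <id>-<id>
                if not ID_RE.match(act.split("=", 1)[1]):
                    findings.append(f"L{n}: ruleRemoveById needs a numeric id or range: {act}")
    return findings

# Constructed sample mirroring the PR's before/after lines (not the repository file):
# line 5 is the pre-fix xmlrpc rule, lines 7-9 the corrected rule reusing the same id.
SAMPLE = r'''# admin-ajax: CRS 941130 fires on legitimate editor payloads in ARGS:data
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
    "id:9005001,phase:2,pass,nolog,\
     ctl:ruleRemoveTargetById=941130;ARGS:data"
SecRule REQUEST_URI "@beginsWith /xmlrpc.php" "id:9005003,phase:2,pass,nolog,ctl:ruleRemoveTargetById=949110;ctl:ruleRemoveTargetById=949120"
# Permit XML-RPC pingbacks if explicitly enabled downstream
SecRule REQUEST_URI "@beginsWith /xmlrpc.php" \
    "id:9005003,phase:2,pass,nolog,\
     ctl:ruleRemoveById=949120"
'''
```

Running `lint_modsec(SAMPLE)` reports the missing rationale and the semicolon-joined ctl actions on the old rule, and the duplicate id 9005003 on the new one.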
