Channel: WordPress.org Forums » All Topics

Problems with OWASP modsec rules and WP cron


Replies: 0

Almost every time someone visits my WP sites it triggers an OWASP rule. I use WHM/cPanel and OWASP3. I am using WordPress 5.0.2 currently, but this happened on 4.x as well.

Source: (public IP of my server)
Status: 200
Rule ID: 920180: POST request missing Content-Length Header.
Request: POST /wp-cron.php?doing_wp_cron=1546253580.8522100448608398437500
Action Description: Warning.
Justification: Operator EQ matched 0 at REQUEST_HEADERS.

This doesn't really block any functionality for the user, but it is filling up my modsec logs constantly. I tried disabling wp-cron.php by setting define('DISABLE_WP_CRON', 'true') in wp-config.php, but this did not help. The rule keeps getting triggered.

Another thing I noticed is that my WordPress brute-force custom modsec rules no longer work, even though they did at one point.
Here are the custom ModSec rules that should be blocking brute-force attacks:

# Status beacon only; it plays no part in blocking.
SecStatusEngine on

# Per-client persistent collection keyed on the remote address; every rule below
# reads and writes ip.* variables.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134"

# Use this variant instead when the server sits behind a proxy/CDN that sets X-Forwarded-For:
#SecAction "phase:1,nolog,pass,initcol:ip=%{REQUEST_HEADERS.x-forwarded-for},id:5000134"

<LocationMatch "/wp-login.php">
    # Deny while the block flag is set (phase 2, before the login form is processed).
    SecRule ip:bf_block "@gt 0" "phase:2,t:none,deny,status:401,log,id:5000135,msg:'ip address blocked for 10 minutes, more than 10 login attempts in 5 minutes.'"

    # A successful login redirects (302): reset the failure counter.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"

    # A failed login re-renders the form (200): count it, let the counter decay by 1
    # every 300 s, and set the 10-minute block once more than 10 have accumulated.
    # The setvar/deprecatevar on the chain starter run when it matches; the chained
    # rule only sets the block flag.
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/300,id:5000137"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=600,setvar:ip.bf_counter=0"
</LocationMatch>

# The ip collection is already initialised by 5000134; only the user collection
# (also keyed on the remote address here) is new.
SecAction "phase:1,nolog,pass,initcol:user=%{REMOTE_ADDR},id:5000234"

<LocationMatch "/xmlrpc.php">
    SecRule user:bf_block "@gt 0" "phase:2,t:none,deny,status:401,log,id:5000235,msg:'ip address blocked for 10 minutes, more than 5 login attempts in 5 minutes.'"

    # xmlrpc.php reports a failed login as a fault inside a 200 response rather than
    # a redirect, so there is no 302 reset here. A separate counter is used so that
    # the wp-login.php rules (threshold 10, reset on 302) do not share state with
    # these (threshold 5).
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.xmlrpc_counter=+1,deprecatevar:ip.xmlrpc_counter=1/300,id:5000237"
        SecRule ip:xmlrpc_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=600,setvar:ip.xmlrpc_counter=0"
</LocationMatch>

# Copy of the CRS setup rule 900220 (allowed request Content-Types) carried into
# the custom file; not part of the brute-force logic.
SecRule &TX:allowed_request_content_type "@eq 0" "id:1901162, phase:1, pass, nolog, setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain|text/x-gwt-rpc'"
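The logged request is WordPress's own cron spawn (the Source is the server's public IP): a POST with an empty body and therefore no Content-Length header, which is exactly the condition CRS rule 920180 tests. Rather than disabling 920180 for the whole site, the rule can be excluded for that one path. The following is an added example, not part of the original post and not a cPanel or CRS default; the rule id 9001001 is an arbitrary unused id and is an assumption, as is the placement described in the comments.

```apache
# Added example (not from the original post): keep CRS rule 920180 for every other
# POST on the site and remove it only for the wp-cron endpoint.
#
# Form 1: SecRuleRemoveById scoped to a Location container. The rule must already
# have been loaded, so this has to appear in a file that is read AFTER the CRS
# includes (for example after the custom brute-force rules above, if that file is
# included after the CRS). LocationMatch is tested against the path only, so the
# ?doing_wp_cron=... query string does not matter.
<LocationMatch "^/wp-cron\.php$">
    SecRuleRemoveById 920180
</LocationMatch>

# Form 2: runtime exclusion for a file that is loaded BEFORE the CRS (such as the
# CRS "exclusion rules before CRS" file). It must be phase 1 because 920180 itself
# runs in phase 1, and ctl:ruleRemoveById only affects rules that have not yet run
# in this transaction. The id 9001001 is an assumption; use any id unused on the server.
SecRule REQUEST_URI "@beginsWith /wp-cron.php" \
    "id:9001001,phase:1,pass,nolog,t:none,ctl:ruleRemoveById=920180"
```

Use one form or the other depending on where the file sits relative to the CRS includes; both leave the rule active for all other POSTs. The exclusion only silences the alert for this path, so wp-cron spawns still go through the remaining rules, and a rule match on anything else (including POSTs without a Content-Length to other URLs) is still reported.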
