A list of tested mod_security rulesets

[NiteWave]

I think there is no difference between 4.2.8 and previous version regarding this rule.
change

<LocationMatch /wp-login.php>

to

<LocationMatch ".*/wp-login.php">

should resolve

If my wordpress site is www.test.com/wp (or any subdirectory) the rule doesn't work

 

[bettinz]

I don't know if it's a problem on my system, but the rule doesn't work on subdirectory with

<LocationMatch ".*/wp-login.php">

 

[NiteWave]

put following in httpd.conf

<LocationMatch ".*/wp-login.php">
Order deny,allow
Deny from all
</LocationMatch>

I ran tests
/abc/wp-login.php
/wp-login.php
/xxx/wp-login.php/yyy
...
all of above have received "403 Forbidden" as expected, under both apache and litespeed.

of course, this only tests LocationMatch. not mod_security rule.
can do disable mod_security rule temporarily, and ran above tests on LocationMatch first?

 

[bettinz]

I can confirm that Location Match works, thank you.
Now I can't understand why the rule doesn't work

 

[mistwang]

<LocatioonMatch> must be in the main configuration file. does not work in .htaccess, same with Apache as designed.

 

[edigest]

I'd also like to know if possible.
or if anyone else could inform me what they are using and that is working would be great.

I use the Atomic ruleset. The following rules are incompatible:

00_asl_rbl.conf
00_asl_z_antievasion.conf
05_asl_scanner.conf
09_asl_rules.conf
11_asl_data_loss.conf
40_asl_apache2-rules.conf
98_asl_jitp.conf
99_asl_a_redactor.conf
99_asl_redactor.conf
99_asl_redactor_post.conf
99_asl_scanner.conf

I believe all of the others are fine, although I only use a subset of the remaining rules.