    #1244950

    Hello, this is not a support request but an issue/’bug’ report.

    I have discovered a very specific use case which causes the page builder to break. On a cPanel server using Mod Security with the COMODO WAF ruleset, if you include the word ‘Get’, ‘Post’ or ‘Head’ (I haven’t tried other known HTTP request words) at the beginning of a page builder element, the builder will break and fail to load. When this happens, WordPress returns a 403 error from /wp-admin/admin-ajax.php. After some investigation it transpires that Enfold is triggering rule 217280 in the COMODO WAF ruleset (HTTP Request Smuggling Attack). My server runs LiteSpeed.

    You can replicate this on a server using the Comodo ruleset with a fresh WP install (5.5.1) and the latest default Enfold theme (4.7.6.3):

    Add page
    Choose ‘Advanced Layout Builder’
    Add a ‘Text Block’ content element.
    Leave default text
    Save page
    >> The page will reload correctly displaying the content
    Click the ‘Text Block’ you added above
    Edit the content and add the word ‘Get’ at the beginning of the text
    Save the text
    Update the page
    >> The page builder will fail to load and WP will return a 403 error

    The Mod Security rule is only triggered when using Enfold, not any of the standard WP themes.

    You can work around the issue by disabling rule 217280 in your .htaccess file:

    <IfModule mod_security2.c>
    SecRuleRemoveByID 217280
    </IfModule>

    I have read of plugins that had the same issue and fixed it, and it would be better not to have to disable the rule just because of Enfold.

    Maybe you can consider this as a bug report, or at least it might help someone in the future who is experiencing a 403 error from /wp-admin/admin-ajax.php when running Mod Security and the Comodo ruleset.

    Thanks
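    Added example (not from the original post and not Enfold’s code): a narrower alternative to the .htaccess workaround above. Instead of removing COMODO rule 217280 for the whole site, the exclusion only applies to requests for /wp-admin/admin-ajax.php, the endpoint that returned the 403 in the report, so the rule keeps protecting every other path. The exclusion rule’s own id (9000100) is an assumed placeholder.

```apache
# Added example, not part of the original post or of the Enfold theme.
# Scoped exclusion: requests to the WordPress AJAX endpoint skip
# COMODO rule 217280; all other requests are still checked by it.
# The id 9000100 is a placeholder; pick a value that does not collide
# with the ids used by your rule set.
<IfModule mod_security2.c>
    SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" \
        "id:9000100,phase:1,pass,nolog,ctl:ruleRemoveById=217280"
</IfModule>
```

    The exclusion runs in phase 1 so it is in place before the request body (where the ‘Get’ text lives) is inspected. Whether a SecRule directive is honoured in .htaccess depends on how the host has configured the engine, and LiteSpeed’s ModSecurity-compatible engine supports only a subset of directives, so on some servers this has to go into the server-level configuration instead. Since the rule stays active elsewhere, any further 403s on other paths will still show up in the Mod Security audit log.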

    #1245256

    Hey Rustybucket,

    Thanks for reporting; this is a known problem though:

    This is a rare case, but if typing certain words, such as “get” or “include”, in a Text Block element breaks it after saving, there might be a modsec rule in the firewall settings causing this issue.

    This is a security measure taken by hosting providers and it is not a theme issue. You can contact your hosting providers and ask them to whitelist those words and that should fix the issue.

    https://kriesi.at/documentation/enfold/intro-to-layout-builder/#troubleshoot

    Best regards,
    Rikard
