Title: Modsecurity crs4 rule exclusions for WordPress Rest API?
Last modified: February 20, 2024

---

# Modsecurity crs4 rule exclusions for WordPress Rest API?

 *  [danrancan](https://wordpress.org/support/users/danrancan/)
 * (@danrancan)
 * [2 years, 1 month ago](https://wordpress.org/support/topic/modsecurity-crs4-rule-exclusions-for-wordpress-rest-api/)
 * I am running an Ubuntu 20.04 LEMP Server with Modsecurity installed. I am using
   the brand new CRS4 for my ruleset. When Modsecurity is off in my WordPress health
   page, I get no errors. However, after turning on Modsecurity in my WP health
   page, I get the following errors on my WP health screen:
 *     ```wp-block-code
       The REST API is one way that WordPress and other applications communicate with the server. For example, the block editor screen relies on the REST API to display and save your posts and pages. When testing the REST API, an unexpected result was returned: 
   
       REST API Endpoint: https://www.mcmo.is/wp-json/wp/v2/types/post?context=edit
       REST API Response: (403) Forbidden
       ```
   
 * I’m finding nothing in the modsec logs. How can I go about finding and setting
   the proper rule exclusions for CRS4 in Modsecurity? Please help if you are knowledgeable
   about Modsecurity and rule exclusions.

Viewing 1 replies (of 1 total)

 *  [clayp](https://wordpress.org/support/users/clayp/)
 * (@clayp)
 * [2 years, 1 month ago](https://wordpress.org/support/topic/modsecurity-crs4-rule-exclusions-for-wordpress-rest-api/#post-17438618)
 * As you said, it showed a 403 Forbidden error, because of the HTTP status code sent
   by the server when the client (user) initiating the request doesn’t have permission
   to access a specific page or resource.
 * 1. Contact your host
   It is a server-side error, and a recommended and safer solution for fixing the
   error is to contact your hosting provider. Reach out to their support team, describe
   the issue, and they will likely resolve it by disabling specific security rules
   or whitelisting the requested page.
 * 2. Find the whitelist.conf or exclude.conf file and add the following code.
 *     ```wp-block-code
       # Remove the listed rule IDs for requests matching each path
       <LocationMatch "/wp-admin/page.php">
           SecRuleRemoveById 300013
           SecRuleRemoveById 300015
           SecRuleRemoveById 300016
           SecRuleRemoveById 300017
           SecRuleRemoveById 949110
           SecRuleRemoveById 980130
       </LocationMatch>

       <LocationMatch "/wp-admin/post.php">
           SecRuleRemoveById 300013
           SecRuleRemoveById 300015
           SecRuleRemoveById 300016
           SecRuleRemoveById 300017
           SecRuleRemoveById 949110
           SecRuleRemoveById 980130
       </LocationMatch>
       ```
 * 3. Disable mod_security for specific URL
   With this approach, you can deactivate mod_security for particular URLs rather
   than for your entire site, providing a more secure option. You can define the
   URLs to match using regex within the `<If>` statement below.
 *     ```wp-block-code
       # SecFilterEngine and SecFilterScanPOST are ModSecurity 1.x directives;
       # ModSecurity 2.x and later use SecRuleEngine and SecRequestBodyAccess.
       <IfModule mod_security.c>
           <If "%{REQUEST_URI} =~ m#/admin/#">
               # One directive per line
               SecFilterEngine Off
               SecFilterScanPOST Off
           </If>
       </IfModule>
       ```
   


The topic ‘Modsecurity crs4 rule exclusions for WordPress Rest API?’ is closed to
new replies.
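
One way to find which rules to exclude for the REST API request in the question, as an added example that is not part of either post: the script groups ModSecurity log messages by transaction, keeps the rule IDs that fired in requests ending in "Access denied", and builds a narrow exclusion for `/wp-json/`. The log lines are constructed, rule ID 999999 is a placeholder, exclusion ID 1000 is an arbitrary choice, and the `[id]`, `[uri]` and `[unique_id]` fields are assumed to be present in the messages.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). 999999 is a placeholder rule id;
# 949110 is the blocking rule id that appears in the reply above.
SAMPLE_LOG = '''\
2024/02/20 10:15:01 [error] 812#812: *7 [client 203.0.113.5] ModSecurity: Warning. Matched (constructed) [id "999999"] [msg "Constructed detection rule"] [uri "/wp-json/wp/v2/types/post"] [unique_id "170842410112.000001"]
2024/02/20 10:15:01 [error] 812#812: *7 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched (constructed) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-json/wp/v2/types/post"] [unique_id "170842410112.000001"]
2024/02/20 10:16:40 [error] 812#812: *9 [client 203.0.113.5] ModSecurity: Warning. Matched (constructed) [id "999999"] [msg "Constructed detection rule"] [uri "/wp-admin/post.php"] [unique_id "170842420012.000002"]
'''

FIELD = re.compile(r'\[(id|uri|unique_id) "([^"]*)"\]')
# Ids from the reply that act on the accumulated anomaly score rather than detect
# anything themselves; removing them disables blocking instead of one false positive.
SCORE_RULES = {"949110", "980130"}

def contributing_rules(log_text):
    """Map URI -> sorted detection rule ids seen in transactions that were denied."""
    fired = defaultdict(set)   # unique_id -> detection rule ids that matched
    denied = {}                # unique_id -> URI of the denied request
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        f = dict(FIELD.findall(line))
        if not {"id", "uri", "unique_id"} <= f.keys():
            continue
        if "Access denied" in line:
            denied[f["unique_id"]] = f["uri"]
        if f["id"] not in SCORE_RULES:
            fired[f["unique_id"]].add(f["id"])
    result = defaultdict(set)
    for txn, uri in denied.items():
        result[uri] |= fired[txn]
    return {uri: sorted(ids) for uri, ids in result.items()}

def exclusion(prefix, rule_ids, own_id):
    """Build one SecLang rule that removes only rule_ids for requests under prefix."""
    ctl = ",".join(f"ctl:ruleRemoveById={r}" for r in rule_ids)
    return f'SecRule REQUEST_URI "@beginsWith {prefix}" "id:{own_id},phase:1,pass,nolog,{ctl}"'

if __name__ == "__main__":
    for uri, ids in contributing_rules(SAMPLE_LOG).items():
        print(uri, ids)
        print(exclusion("/wp-json/", ids, 1000))
```

The generated `SecRule` has to be loaded before the CRS rule files so the `ctl` action takes effect before the excluded rules run; CRS ships `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` for this purpose.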

## Tags

 * [modsecurity](https://wordpress.org/support/topic-tag/modsecurity/)
 * [WordPress](https://wordpress.org/support/topic-tag/wordpress/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 2 replies
 * 2 participants
 * Last reply from: [clayp](https://wordpress.org/support/users/clayp/)
 * Last activity: [2 years, 1 month ago](https://wordpress.org/support/topic/modsecurity-crs4-rule-exclusions-for-wordpress-rest-api/#post-17438618)
 * Status: not resolved

