If you have ever experienced the problem where your WordPress site redirects you to https://yoursite.com/wp-admin/post.php, it may be caused by incorrect settings in the mod_security module on your server.

After several tests, we came to the conclusion that in most cases the line

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

causes this problem, but any other <meta> tag can cause it too. This tag is required for HTML emails, so removing it may fix the problem but will cause your email to render incorrectly in certain email clients.

Fixing this issue

There are several ways you can fix this. You should get in touch with your host if you are not familiar with server settings. Refer them to this page if needed.

Disable the module

Add the following rules to your .htaccess file in the root of your WordPress site:

<IfModule mod_security.c>
   SecFilterEngine Off
   SecFilterPost Off
</IfModule>

<IfModule mod_env.c>
   SetEnv MODSEC_ENABLE Off
   PassEnv MODSEC_ENABLE
</IfModule>

If this doesn’t work, try:

<IfModule mod_sec2.c>
   SecFilterEngine Off
   SecFilterPost Off
</IfModule>

Bypass mod_security Rules

If you are using “mod_security 2”, you can no longer override rules in .htaccess, so you have to bypass them via the config file.

Find the file /usr/local/apache/conf/modsec2/exclude.conf and add the following lines at the very beginning of the file.

<LocationMatch "/wp-admin/post.php">
   SecRuleRemoveById 300013
   SecRuleRemoveById 300015
   SecRuleRemoveById 300016
   SecRuleRemoveById 300017
</LocationMatch>

WordPress uses /wp-admin/post.php to save and update campaigns, and with this rule the module will bypass rules 300013, 300015, 300016, and 300017 for requests to that path.

Don’t forget to restart the Apache server after the changes so they take effect.
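Before excluding rules, it helps to confirm which rule IDs actually fire on /wp-admin/post.php on your server, so that only those are removed. The following is an added example, not part of the original page: it assumes the ModSecurity 2.x Apache error-log format with [id "..."] and [uri "..."] fields, uses constructed log lines, and emits an anchored, dot-escaped pattern that is stricter than the one shown above.

```python
import re
from collections import Counter

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')

def _line(rule_id, uri):
    # Constructed log line (all values are sample data, not real traffic).
    return ('[Tue Mar 05 10:14:02 2024] [error] [client 192.0.2.10] ModSecurity: '
            'Access denied with code 406 (phase 2). Pattern match "constructed" at '
            f'ARGS:content. [id "{rule_id}"] [msg "constructed"] '
            f'[hostname "yoursite.com"] [uri "{uri}"]')

SAMPLE_LOG = "\n".join([
    _line("300013", "/wp-admin/post.php"),
    _line("300015", "/wp-admin/post.php"),
    _line("300013", "/wp-admin/post.php"),
    _line("300016", "/wp-login.php"),  # different path: must not be excluded
    "[Tue Mar 05 10:15:00 2024] [error] [client 192.0.2.10] File does not exist: /favicon.ico",
])

def rules_hit(log_text, path="/wp-admin/post.php"):
    """Count ModSecurity rule ids that fired for requests to `path`."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # skip unrelated Apache errors
        uri = URI_RE.search(line)
        rule = ID_RE.search(line)
        if uri and rule and uri.group(1) == path:
            hits[rule.group(1)] += 1
    return hits

def exclusion_block(rule_ids, path="/wp-admin/post.php"):
    """Build a path-scoped exclusion for exactly the rule ids observed."""
    pattern = "^" + path.replace(".", r"\.") + "$"  # anchor and escape the dot
    lines = [f'<LocationMatch "{pattern}">']
    lines += [f"   SecRuleRemoveById {rid}" for rid in sorted(rule_ids, key=int)]
    lines.append("</LocationMatch>")
    return "\n".join(lines)

if __name__ == "__main__":
    hits = rules_hit(SAMPLE_LOG)
    for rid, count in sorted(hits.items()):
        print(f"rule {rid}: {count} hit(s) on /wp-admin/post.php")
    print(exclusion_block(hits))
```

To use it on a real server, pass the contents of your Apache error log to rules_hit() instead of SAMPLE_LOG.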
