.htaccess Hack

Hi,

A client recently had their site hacked (on a cPanel shared server). In investigating the hack we found that the .htaccess file had been modified. The WordPress rules had been replaced with:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
SecFilterCheckURLEncoding Off
SecFilterCheckCookieFormat Off
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies Off
</IfModule>

So we assume that the hacker was able to bypass the Comodo WAF protection for this site.

Is there any way to configure the WAF not to honor any directive like this? Or is such protection (hopefully) already included?

Thanks,

Mark

Hi Mark

1. These .htaccess directives can’t disable CWAF protection

This works only with old ModSecurity versions (1.x), which are not installed on your server (CWAF works with ModSecurity >= 2.7.5).

Also, since version 2.7.3 ModSecurity ignores .htaccess directives by default (unless you used the special compilation key --enable-htaccess-config).

2. Very likely the user added those .htaccess directives himself

Possibly he had some problems with WordPress functionality because of some CWAF rules (FP?) and found this deprecated solution.

3. Very likely the hacker obtained some user credentials (cPanel, FTP, etc.)

You may submit a CWAF support ticket and I'll connect the guys from the WebInspector and CWAF security departments to the investigation of this hack (logs and possibly access to your system will be needed).
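The reply makes two points worth turning into a triage check: the SecFilter* directives are ModSecurity 1.x syntax that a 2.x module never reads, and even 2.x directives in .htaccess only take effect when the module was built with --enable-htaccess-config. The scanner below is an added example for incident triage on a shared host; it is not code from the thread, from Comodo, or from the ModSecurity project. It walks a webroot for .htaccess files, separates obsolete 1.x directives from 2.x ones, and flags anything that would switch the engine off. The sample contents and the directive list are assumptions constructed for the example; the 2.x directive names are real ModSecurity directives, but which of them a given build permits in .htaccess depends on that build.

```python
"""Scan .htaccess files for directives that attempt to weaken ModSecurity.

Added example (not from the forum thread, Comodo, or ModSecurity).
Assumes you pass it a webroot to walk; the sample texts below are constructed.
"""
import re
from pathlib import Path

# ModSecurity 1.x syntax (SecFilter*). A 2.x module does not recognise these,
# so they cannot disable CWAF, but their presence is still a tampering indicator.
SECFILTER_RE = re.compile(r"^\s*(SecFilter\w*)\s+(\S+)", re.I | re.M)

# ModSecurity 2.x directives that a .htaccess could carry if (and only if) the
# module was built with --enable-htaccess-config. Assumed list for the example.
SECRULE_RE = re.compile(
    r"^\s*(SecRuleEngine|SecRequestBodyAccess|SecResponseBodyAccess"
    r"|SecRuleRemoveById|SecAuditEngine)\s+(\S+)",
    re.I | re.M,
)

WP_MARKER = "# BEGIN WordPress"  # marker WordPress writes around its rewrite rules


def scan_htaccess(text: str) -> dict:
    """Classify ModSecurity directives found in one .htaccess body."""
    findings = {
        "legacy_1x": [],          # SecFilter* lines (ignored by ModSecurity 2.x)
        "modern_2x": [],          # 2.x directives (effective only with htaccess config)
        "disables_engine": False,  # any directive that turns inspection off
        "wordpress_block_present": WP_MARKER in text,
    }
    for name, value in SECFILTER_RE.findall(text):
        findings["legacy_1x"].append(f"{name} {value}")
        if name.lower() == "secfilterengine" and value.lower() == "off":
            findings["disables_engine"] = True
    for name, value in SECRULE_RE.findall(text):
        findings["modern_2x"].append(f"{name} {value}")
        if name.lower() == "secruleengine" and value.lower() in ("off", "detectiononly"):
            findings["disables_engine"] = True
    return findings


def verdict(text: str) -> str:
    """One-line interpretation of the findings, following the reply's reasoning."""
    f = scan_htaccess(text)
    if f["modern_2x"]:
        return "2.x directives present: effective only if ModSecurity was built with --enable-htaccess-config"
    if f["legacy_1x"]:
        return "legacy 1.x directives only: ignored by ModSecurity 2.x, but a tampering indicator"
    return "no ModSecurity directives"


def scan_tree(root: Path) -> dict:
    """Walk a webroot and report every .htaccess carrying ModSecurity directives."""
    results = {}
    for path in root.rglob(".htaccess"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable on shared hosting; skip rather than abort
        f = scan_htaccess(text)
        if f["legacy_1x"] or f["modern_2x"]:
            results[str(path)] = f
    return results


# Constructed sample: the block quoted in the post, with the WordPress rules gone.
TAMPERED = """<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
SecFilterCheckURLEncoding Off
SecFilterCheckCookieFormat Off
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies Off
</IfModule>
"""

# Constructed sample: an untouched WordPress .htaccess.
CLEAN = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    for label, sample in (("tampered", TAMPERED), ("clean", CLEAN)):
        print(label, scan_htaccess(sample), verdict(sample), sep="\n  ")
```

Run scan_tree(Path("/home/user/public_html")) on the compromised account to list every .htaccess that was touched; a hit with only legacy_1x entries confirms the reply's point that the directives were harmless against CWAF, while a disables_engine hit from a 2.x directive is only meaningful if the server's ModSecurity honours .htaccess at all.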

Thank you! Consulting with the client now.