While trying to find out why one of my essential WordPress plugins, a header-and-footer code injection plugin, was giving me a headache, I came across ModSecurity, which turned out to be the devil behind my ordeal for months.
I could have deleted the WordPress plugin and used another one, but I couldn’t: to me the plugin had no alternative. And what was the issue? Each time I tried to add or edit a piece of code on my website through the plugin's header or footer field, the browser returned ERR_BLOCKED_BY_XSS_AUDITOR. Neither PHP nor JavaScript code could be added.
Aside from Google Chrome, I tried Chromium, Internet Explorer, UCWeb, Opera, Puffin Web Browser and others; every one of them produced the same ERR_BLOCKED_BY_XSS_AUDITOR error. I spent days Googling and searching through forums, but found no help.
Editing .htaccess was useless.
Adding the flag below to the Chrome shortcut's target could not bypass ERR_BLOCKED_BY_XSS_AUDITOR:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -disable-xss-auditor
Sending the following header from PHP was useless too:
header('X-XSS-Protection: 0');
That was until I came across ModSecurity. I knew ModSecurity could be the reason behind ERR_BLOCKED_BY_XSS_AUDITOR because the error never occurred while I was running the site locally on XAMPP.
ModSecurity is an Apache module that works as a web application firewall. It blocks known exploits and protects web applications from a range of attacks, using a set of rules and regular expressions that block malicious code.
With ModSecurity, you can selectively narrow down the HTTP features you are willing to accept (e.g., request methods, request headers, content types, etc.). ModSecurity can assist you in enforcing many similar restrictions, either directly, or through collaboration with other Apache modules. They all fall under web application hardening.
After much study, I realized that a ModSecurity rule, when triggered, may have caused the issue on my website. ModSecurity is known to conflict with some scripts and plugins, which can result in false-positive blocks.
These are the two ways to get rid of ERR_BLOCKED_BY_XSS_AUDITOR on WordPress:
Firstly, through cPanel:
- Log in to cPanel, go to the Security section and click on the Mod Security Manager icon.
- You will be taken to a screen listing all the domains managed in your cPanel account. Scroll through the list and find the domain for which you want Mod_Security disabled or whitelisted.
- Uncheck the box beside that domain name. A checked box means Mod_Security is enabled for that domain; an unchecked box means it is disabled. Some cPanel versions have an ON/OFF button instead of a checkbox; on those versions, simply click the OFF button beside the domain name.
- Click the Update button. Once you have made sure the box next to the domain name is unchecked, clicking Update saves the settings.
Another way to disable ERR_BLOCKED_BY_XSS_AUDITOR on WordPress
If your cPanel does not offer a ModSecurity option, contact your hosting provider and ask them specifically to disable or whitelist the ModSecurity module for the domain having the issue. That’s all; ERR_BLOCKED_BY_XSS_AUDITOR will no longer be a problem.
ERR_BLOCKED_BY_XSS_AUDITOR is your web host's way of protecting you from malicious attacks; it is not the browser's fault.
I know some of you may want to republish this solution, and that's okay, but please link back to the original article.
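Before switching ModSecurity off for a whole domain, it is worth finding out which rule is actually firing, so that only that rule can be excluded on the affected admin page and the firewall keeps protecting the rest of the site. The script below is an added example, not code from the original article: it parses "Access denied" lines in the ModSecurity 2.x Apache error-log format, counts blocks per hostname, path and rule id, and prints a per-path SecRuleRemoveById exclusion that you or your host could apply instead of disabling the module. The log lines, the hostname, the pid and client values and the `footer_code` argument name are constructed; the rule ids are OWASP CRS XSS rule ids.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x Apache error-log format (not real
# traffic). The hostname is a placeholder; the rule ids are OWASP CRS XSS rules.
SAMPLE_LOG = """\
[Mon Mar 04 10:01:02.123456 2019] [:error] [pid 2211] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "57"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "XHyzAbCd"]
[Mon Mar 04 10:03:15.654321 2019] [:error] [pid 2212] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:footer_code. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "91"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script found within ARGS:footer_code"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "XHyzEfGh"]
[Mon Mar 04 10:04:00.000000 2019] [:error] [pid 2213] [client 198.51.100.9] ModSecurity: Warning. Pattern match "(?i)onerror" at ARGS:comment. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "120"] [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [hostname "example.com"] [uri "/wp-comments-post.php"] [unique_id "XHyzIjKl"]
[Mon Mar 04 10:05:30.111111 2019] [:error] [pid 2214] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "57"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/admin.php"] [unique_id "XHyzMnOp"]
"""

# Only lines where ModSecurity actually blocked the request; "Warning." lines
# (audit-only matches) are deliberately not matched.
DENY_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code (?P<code>\d+)'
    r'.*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]'
    r'.*?\[hostname "(?P<host>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)

def parse_denials(log_text):
    """Return one dict (client, code, id, msg, host, uri) per blocked request."""
    return [m.groupdict() for m in map(DENY_RE.search, log_text.splitlines()) if m]

def summarize(events):
    """Count blocks per (hostname, uri, rule id): a recurring triple on an admin
    page you were editing yourself is the signature of a false positive."""
    return Counter((e["host"], e["uri"], e["id"]) for e in events)

def exclusion_snippet(uri, rule_ids):
    """Apache/ModSecurity 2.x config that removes only the given rules for one
    path (placed in the affected vhost), instead of disabling ModSecurity for
    the whole domain. Only '.' is escaped, since LocationMatch takes a regex."""
    ids = " ".join(sorted(set(rule_ids)))
    pattern = "^" + uri.replace(".", r"\.") + "$"
    return (f'<LocationMatch "{pattern}">\n'
            f'    SecRuleRemoveById {ids}\n'
            '</LocationMatch>')

if __name__ == "__main__":
    counts = summarize(parse_denials(SAMPLE_LOG))
    for (host, uri, rid), n in counts.most_common():
        print(f"{host}{uri}: rule {rid} blocked {n} request(s)")
    print(exclusion_snippet("/wp-admin/admin.php", ["941100", "941110"]))
```

On a real server the same parser can be pointed at the Apache error log (or cPanel's ModSecurity "Hits List"), and the resulting exclusion is what to hand to the host instead of asking for the module to be turned off.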