Mod_Security Tweaking
We noticed an increase in overall system load after implementing the enhanced blacklist. We have since isolated mod_security actions for that blacklist to dynamic content only, be that .cgi, .php, or .shtml.
If you have used mod_rewrite to force files without the .php extension to process as PHP you will also need to make sure an AddHandler for “application/x-httpd-php” is also included in your rewrite rules, otherwise mod_security will not filter for you. There are few instances where this will occur. This does not relate to “clean URLs” in content management systems, for example, even with “clean URLs” enabled within WordPress, comments are sent to wp-comments-post.php; our global handler will already interpret this as dynamic for the purposes of mod_security.
As mentioned previously, there is a way to opt out of the mod_security filtering. We have automatically turned it off for b2 and Wordpress entry posting, for the time being Movable Type users can turn it off manually using the .htaccess method if the rules prevent entry posting for them.
