ModSecurity CRS Deployment with WordPress Security Plugins (Wordfence / WP Cerber)...


Michael Bullut

Nov 27, 2025, 3:17:01 AM
to modsecurity-core...@owasp.org
Good Morning Team,

I hope this e-mail finds you well.

I am writing to inquire about the experiences of the CRS team regarding a specific deployment scenario involving ModSecurity running the Core Rule Set (CRS) in conjunction with popular WordPress security plugins.

Specifically, I am interested to know if the project team, or any members, have implemented ModSecurity CRS on a WordPress instance that also has one or more comprehensive security plugins enabled, such as Wordfence Security and/or WP Cerber Security.

If this scenario has been tested or implemented, I would be grateful if you could share any insights regarding the experience, particularly concerning:
  1. Rule Overlap/Conflict: Were there any significant conflicts or overlaps between the CRS rules and the firewall/security features provided by the WordPress plugins?
  2. False Positives: Did the combined use of the WAF and the security plugins lead to a noticeable increase in legitimate traffic being blocked?
  3. Performance: What was the observed impact on the overall server performance (CPU/memory usage, latency) compared to running either the CRS or the plugins alone?
  4. Configuration/Tuning: Were any specific CRS rule exclusions or configurations required to make the setup stable and functional alongside the plugins?
Any information, even anecdotal experience, would be highly valuable as we evaluate the best security posture for our WordPress environments.

Thank you very much for your time and for your continuous work on the Core Rule Set.

Warm regards,

Michael Bullut.

---

Cellphone: +254 723 393 114.
Twitter: @MichaelBullut


Christian Folini

Dec 2, 2025, 7:27:27 AM
to 'Michael Bullut' via OWASP CRS project
Hey Michael,

You did not get a response to your question. That means that nobody really
has any experience with this on a level that can be shared. And that's
consistent with what I hear from other people. I know nobody doing that.

Yet based on experience we can say a few things:

The WP rule exclusion plugin is actively maintained and people are really
using it. While it does not really cover plugins, chances are the hardening
plugins won't kill CRS completely or we would have heard about it.

Maybe you also want to look into Azurit's CRS WP hardening plugin. See plugin
registry.

And if you gain any experience and come up with extended rule exclusions
based on these WP plugins, then please share by all means.

On Thu, Nov 27, 2025 at 11:16:38AM +0300, 'Michael Bullut' via OWASP CRS project wrote:
> I hope this e-mail finds you well.

That sounds a bit too much like ChatGPT and may have kept people from
responding.

Cheers,

Christian


>
> I am writing to inquire about the experiences of the CRS team regarding a
> specific deployment scenario involving ModSecurity running the Core Rule
> Set (CRS) in conjunction with popular WordPress security plugins.
>
> Specifically, I am interested to know if the project team, or any members,
> have implemented ModSecurity CRS on a WordPress instance that also has one
> or more comprehensive security plugins enabled, such as Wordfence Security
> and/or WP Cerber Security.
>
> If this scenario has been tested or implemented, I would be grateful if you
> could share any insights regarding the experience, particularly concerning:
>
> 1. *Rule Overlap/Conflict:* Were there any significant conflicts or
> overlaps between the CRS rules and the firewall/security features provided
> by the WordPress plugins?
> 2. *False Positives:* Did the combined use of the WAF and the security
> plugins lead to a noticeable increase in legitimate traffic being blocked?
> 3. *Performance:* What was the observed impact on the overall server
> performance (CPU/memory usage, latency) compared to running either the CRS
> or the plugins alone?
> 4. *Configuration/Tuning:* Were any specific CRS rule exclusions or
> configurations required to make the setup stable and functional alongside
> the plugins?
>
> Any information, even anecdotal experience, would be highly valuable as we
> evaluate the best security posture for our WordPress environments.
>
> Thank you very much for your time and for your continuous work on the Core
> Rule Set.
>
> Warm regards,
>
> Michael Bullut.
>
> ---
>
> *Cellphone:* *+254 723 393 114.*
> *Twitter:* *@MichaelBullut* <https://x.com/MichaelBullut>
> *Blog:* *http://www.kipsang.com/ <http://www.kipsang.com/>*
> *E-mail Address:* *ma...@kipsang.com* <ma...@kipsang.com>

Jozef Sudolsky

Dec 2, 2025, 7:43:25 AM
to modsecurity-core...@owasp.org
Hi Michael,

Some of my customers are running WordPress with Wordfence on my
infrastructure, which is also protected using CRS. Even though I can't
say by myself if it's running ok, I have not received any complaints
regarding Wordfence so far. Also, I'm not using any exclusion rules
related to Wordfence itself (although I'm using more than 500 of them
for various WordPress plugins and themes).

Jozef





Quoting 'Christian Folini' via OWASP CRS project
<modsecurity-core...@owasp.org>:
> https://groups.google.com/a/owasp.org/d/msgid/modsecurity-core-rule-set-project/aS7bKKYmCtjWKin7%40leander.


