I reinstalled Flock today and figured out what was preventing it from talking to my self-hosted blog, K-Squared Ramblings. The site is running on a stand-alone WordPress install, and I kept getting 403 Forbidden errors. (Not that I could tell. Flock hid the error and just told me something went wrong setting up the account.)

It turned out to be a setting in mod_security, an Apache module designed to limit attacks on web applications. Part of the sample filter—one that I kept because it seemed a reasonable precaution—was to block POST requests with content types other than application/x-www-form-urlencoded or multipart/form-data. However, XMLRPC uses text/xml, which was getting blocked.

There weren’t any problems reported, and none of the false positives I saw in the logs were related to the request content-type. So by the time I tried setting up Flock, it didn’t occur to me to check the mod_security log. I just figured it was a problem with my version of WordPress and left it at that.

This time, with a newer version of Flock, I decided to investigate. I found the 403 error in the server logs, checked the error log for detail, and saw the mod_security reference. A quick check of the audit logs, and there it was.

For now, I’ve loosened the content-type requirement slightly. I’ll have to decide whether it’s worth keeping XMLRPC enabled, or whether I’m better off restoring the original rule.

SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;|^text/xml$)"

So, the moral of the story is: If you use Flock, and you can’t get it to tie into your self/third-party-hosted WordPress blog… check the ModSecurity settings.

*This was originally posted at kelson.wordpress.com, but I moved it over here after turning that site into a photo blog.

4 thoughts on “Flock and self-hosted WordPress

  1. Well, I didn’t have my website broken, but Flock certainly didn’t work with my self-hosted blog. Still trying to get that to work.

  2. Correction, my site is now dog slow. I’m getting scads of “File does not exist” errors, regarding a 404.shtml.

    Can you repost or update this one with clearer instructions on correcting the problem? I’ve tried pasting the code you provide into my htaccess file at various levels, but Flock never did cooperate with my blog.

    Problems, problems.

  3. These aren’t rules for your .htaccess file, they’re rules for your mod_security configuration. They’re intended to replace a pair of rules in what was, at the time, the sample filter.

    If your server doesn’t use mod_security, they aren’t going to help. Similarly, if your server does use mod_security, but doesn’t restrict the content type of POST requests, they aren’t going to help. Also, these were for mod_security version 1. The syntax might be different with version 2.

  4. I have Finalised a set of rules for ModSecurity Version 2.5.x that I have been using for a month or so now and they all seem to work. Thanks for pointing me in the right direction.

Comments are closed.