WordPress and ModSec using the OWASP Rule Set

Running WordPress and ModSecurity together can be a challenge, but we have been doing it successfully for a few years now, so I thought I’d share our Global Disable list and User configuration settings.

These rules are globally disabled in /usr/local/apache/conf/modsec2.whitelist.conf:

These rules are more specific and are written to the /usr/local/apache/conf/modsec2.user.conf file:

Filtering Referral Spam in Google Analytics

Referral spam can seriously mess with your data in Google Analytics.

Using the filter function can block spammy domains and improve the accuracy of your stats.

  • Edit the View for the website (Property) in question
  • Create a New Filter
  • Set Filter Type to Custom
  • Set to Exclude
  • Set the filter field to Referral
  • Create a regular expression to filter those spammy domains

Here is an example of such regex based on spam referrals in the data for one of our own sites


Enable or Disable Automatic Updates of WordPress Core, Themes and Updates using Functions.php

Placing this in functions.php will enable automatic updates of the WordPress core, plugins and themes.



disables said updates.

These can be further refined to limit the level of updates and include only certain plugins.

Details to be found here:


Child Themes Done the Right Way using functions.php

Was a time when linking a child theme to the parent theme was done via an import in the style sheet.

No more. Now the best way to do this is via the functions.php file, as follows:

NOTE: You still need the parent to be specified in the comments at the top of the child theme style sheet as follows:



Migrate Multiple Domains to New Domain Using .htaccess

Ok so you have multiple domains all pointing to your main domain where your site lives.

But now you want to change the main domain, so you need to redirect all requests, for all the alias domains, to the new main domain and generate a 301 response so search engines and browsers know that the pages have all been moved permanently.

You also want to retain the page URLs intact.

This worked well for me:

This works like this:

If the host (domain) is anything other than your new domain, capture the page URL, rewrite the host domain to the new one, add the page URL and send a 301 response.
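The logic described above, written out as an added example (not the rules from the original post). It assumes the alias domains and the new domain share one document root, and `www.new-domain.example` and the `https` scheme are placeholders:

```apache
# .htaccess in the document root served for both the old alias domains
# and the new main domain. www.new-domain.example is a placeholder.
RewriteEngine On

# Skip requests that already arrived on the new domain (NC = case-insensitive),
# otherwise the redirect would loop.
RewriteCond %{HTTP_HOST} !^www\.new-domain\.example$ [NC]

# Capture the requested path and send a permanent (301) redirect to the
# same path on the new domain. The target host is a fixed literal and is
# never copied from the client-supplied Host header, so a forged Host
# value cannot steer where visitors are sent. The query string is carried
# over automatically because the substitution has none of its own.
RewriteRule ^(.*)$ https://www.new-domain.example/$1 [R=301,L]
```

Because browsers cache 301 responses, test the rule with `R=302` first and switch to `R=301` once the target is confirmed.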

Scam – NZ Post – The agent was not able to bring your package

I received an email purporting to be from NZ Post this morning telling me that they could not deliver a package.

It all looks very genuine but didn’t feel quite right.

Very realistic email from NZ Post

However when you dig a bit deeper it all starts looking nasty:

  • The from address is *****
  • The link of the “Save Label” button is
  • The last sentence looks a bit menacing “If the parcel isn’t accepted within 30 serving days New Zealand Post will have the reason to claim compensation from you for it’s storing in the sum of 2.32 NZ$ for every hour of keeping.”

So all in all it’s one to avoid clicking on.

Bin it and move on with your life.

cPanel Email Error: “retry time not reached for any host after a long failure period”

This can be caused by a corrupt database file.

Fix it by running the following SSH commands as root:



International Online Database of Registered Trade Marks - Scam

We recently received an unsolicited letter from IDRTM (International Database of Registered Trademarks) asking for the princely sum of $1,638 to include one of our Trade Marks in their online database.

They do indeed have a website on which you can search for trade marks etc., but you have to ask yourself why you would want to be in such a database when it is already easy to search trade marks via the Government’s own site.

The letter they send you looks like a request for payment but doesn’t say anywhere obvious that you are under no obligation to pay them anything, so my concern is that some folk will pay for this service, thus wasting $1,638 of their hard-earned cash.

If you get such a letter, consider it carefully before sending them any money.

The small print includes the following:

  • “This publication is an elective service and does not substitute for registration nor does it prolong the validity of your trade mark with IPONZ”
  • “You may terminate this agreement….. (but)…. you will not be entitled to a refund”

In my view this letter is deceptive and misleading, so it should be consigned to bedding for the hens.

Simple Down for Maintenance Page using .htaccess


To put a site into maintenance mode put either of the following in an .htaccess file in the site root.

1) Very simple

The “allow from” line permits access only from the given IP address.

2) More complex but more flexible and might work better on some servers

Allowed IP addresses can be listed as shown. Images aren’t blocked and maintenance.php is allowed to prevent looping.
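An added example of the second approach as described above (not the rules from the original post). The allowed addresses are constructed values from the RFC 5737 documentation range, and the image extensions and the 302 status are assumptions:

```apache
# .htaccess in the site root.
RewriteEngine On

# Addresses that may still reach the site during maintenance (constructed
# values). The anchors and escaped dots make each line match exactly one
# address, so 203.0.113.10 does not also let in 203.0.113.100.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.25$

# Let the maintenance page itself through, otherwise the redirect loops.
RewriteCond %{REQUEST_URI} !^/maintenance\.php$

# Leave images reachable so the maintenance page can still show a logo.
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif|ico)$ [NC]

# Everyone else gets a temporary redirect to the maintenance page.
# 302 (not 301) so browsers and search engines do not cache it as permanent.
RewriteRule ^ /maintenance.php [R=302,L]
```

If the site sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address rather than the visitor's, so the allow list will not behave as intended until the real client address is restored (for example with mod_remoteip).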


Create the page “maintenance.php”, which can detail the reason why the site is down and give contact details to, hopefully, avoid a missed sale or booking.

Example maintenance.php:


Contact Form 7 Thank You Page

To redirect to a thank you page add this to the “Additional Settings” field:

This can be useful to track form submissions via Google Analytics and to invite the visitor to stay on the site.