Adding code to Thesis’ head section causes a 403 error
If you’re adding code to Thesis’ head section and get a 403 error, especially if you’re adding a link to a font or other resource, the problem may be related to the web application firewall protecting your site.
As with most server-based errors, the first step in tracking this down is to check the log files on the server.
- Log in to Plesk
- Under “Websites and Domains”, click “Logs” for the domain
- In the “Type” dropdown (the second from the left) un-check “access”. This will only show you errors and warnings.
In the logs you may see something that looks like the following:
```
ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<LINK[\\\\s+/].{0,}?href[\\\\s+/]{0,}=)" at ARGS:thesis_html_head_scripts[thesis_html_head_scripts][scripts]. [file "/etc/httpd/conf/modsecurity.d/rules/comodo/07_XSS_XSS.conf"] [line "291"] [id "212980"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.
```
Aha! So ModSecurity is blocking the request. It thinks there’s a cross-site scripting attack taking place, but the reality is that the rule’s pattern matches any <link> tag with an href attribute, and that is exactly what the head code contains when Thesis submits it to the server in the thesis_html_head_scripts form field. Never fear, we can get around this problem easily enough.
- Go back to the “Websites and Domains” view in Plesk.
- Click on “Web Application Firewall”.
- Under “Switch off security rules”, paste the “ID” from the log (212980).
- Click OK or Apply to save.
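That’s it! You should now be able to save your head information and the server won’t worry about an XSS attack. Keep in mind that the rule is now switched off for every request to this domain, not just the Thesis save, so only disable the ID that actually appears in your log.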
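To confirm which rule fired and why before switching it off, the log line above can be parsed and its pattern replayed against the head code you tried to save. This is an added example, not part of the original article: the function names and the sample head values are constructed, and it assumes the log shows each regex backslash as four.

```python
import re

# Log line from the page (typographic quotes normalised to plain ASCII).
LOG_LINE = (
    r'ModSecurity: Access denied with code 403 (phase 2). '
    r'Pattern match "(?i:<LINK[\\\\s+/].{0,}?href[\\\\s+/]{0,}=)" at '
    r'ARGS:thesis_html_head_scripts[thesis_html_head_scripts][scripts]. '
    r'[file "/etc/httpd/conf/modsecurity.d/rules/comodo/07_XSS_XSS.conf"] '
    r'[line "291"] [id "212980"] [rev "2"] '
    r'[msg "COMODO WAF: IE XSS Filters - Attack Detected.'
)
# Constructed sample head code: a font link and an unrelated meta tag.
SAMPLES = [
    '<link href="https://fonts.example/css?family=Demo" rel="stylesheet">',
    '<meta name="viewport" content="width=device-width">',
]

DENY = re.compile(r'Access denied with code (\d+) \(phase (\d)\)\. '
                  r'Pattern match "(.*?)" at (\S+)\. \[')
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_denial(line):
    """Return the fields needed to triage a ModSecurity block, or None."""
    m = DENY.search(line)
    if not m:
        return None
    # Fields cut off at the end of the line (like msg here) are skipped.
    fields = dict(FIELD.findall(line))
    # Assumption: the log escapes every backslash twice, so four become one.
    pattern = m.group(3).replace('\\' * 4, '\\')
    return {"status": int(m.group(1)), "phase": int(m.group(2)),
            "pattern": pattern, "target": m.group(4),
            "rule_id": fields.get("id"), "rule_file": fields.get("file")}

def would_trigger(pattern, submitted_value):
    """True if the rule's pattern matches the submitted form value."""
    return re.search(pattern, submitted_value) is not None

if __name__ == "__main__":
    hit = parse_denial(LOG_LINE)
    print("rule id:", hit["rule_id"], "| blocked field:", hit["target"])
    for value in SAMPLES:
        print(would_trigger(hit["pattern"], value), value)
```

The rule ID it prints is the value to paste into “Switch off security rules”; the second sample shows that head code without a link tag is not affected by this rule.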