How to write mod_security friendly PHP code?

Question

I made a theme in WordPress which hit the mod_security rule on HostGator and gave 403 error.

I contacted people there(at HostGator) and they fixed it for me. But I don't want my theme to work like this.

I just wanted to know if there are any guides/blog post/tutorials telling about writing PHP code which is mod_security friendly?

I tried Google, but didn't find anything helpful.

Answer 1

I'm not sure there are many guides for this, especially since mod_security configuration varies from server to server.

The closest thing I would recommend is taking a look at the Core Rule Set Project. There's tons of rules in there. There's a lot of them.

Some general things to avoid would be:

• including function names in parameters
• using SQL queries/keywords (like SELECT, UPDATE, DELETE FROM) in the URL or POST
• using HTML in the url

What exactly triggers it may vary. If possible, I would ask the HostGater people what rule it triggered and try to get some feedback. If not setup mod_security on your private box (or a VM), and see if your theme triggers any of the rules in the core rule set.