WordPress displays 404 after updating post?

This bug has annoyed me for a very long time. In WordPress, after updating an existing post or saving a new one, it sometimes redirects to a 404 page. This happens randomly, and I had no idea how to identify the root cause.

After reading a few similar posts, I found out this is due to the mod_security filtering installed on Apache: if a post contains certain predefined dangerous “word combinations” like “exec”, or “SQL injection commands” like “insert”, the post is filtered and WordPress just returns a 404 page.

Here’s my solution:

1. Disable mod_security

Many suggest disabling the mod_security module by putting the following rules in .htaccess.

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterPost Off
</IfModule>

<IfModule mod_env.c>
</IfModule>

Unfortunately, the above solution did not work for me. Digging into httpd.conf, I found out that my Apache is using the latest mod_security2, so I tried the following rule instead:

<IfModule mod_sec2.c>
SecFilterEngine Off
SecFilterPost Off
</IfModule>

But it did not work either. You can try your luck 🙂

2. Bypass mod_security Rules

After Googling, I found out that “mod_security 2” no longer supports .htaccess overrides, so you need to bypass those rules manually via the config file.

To fix it, find /usr/local/apache/conf/modsec2/exclude.conf and append the content below at the beginning of the file.


<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</LocationMatch>

WordPress uses /wp-admin/post.php to update the post, so mod_security will now bypass rules 300013, 300015, 300016 and 300017 for that URL. Restart the Apache server and update the previous problem post again: it is now updated successfully, with no more redirect to the 404 page. It works!

You can also put the ignore rules in /usr/local/apache/conf/modsec2/whitelist.conf.

3. Which Rule Id To Filter?

Wait, how do we know which rules to filter? You can find this information in modsec_audit.log: all filtered or intercepted URLs are logged in this file.


# your problem-post URL here...

Message: Access denied with code 500 (phase 2). Pattern match "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\\*| |\\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\\*| |\\,]|UNION SELECT.*\\'.*\\'.*,[0-9].*INTO.*FROM)" at REQUEST_BODY. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "345"] [id "300013"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]
Action: Intercepted (phase 2)


Filter by URL or by your IP to identify which rules are triggered when you update the post. In the above case, the post’s URL hits rule “300013”, so you need to bypass this rule id in order to update the post.

Check your httpd.conf, as mod_security may be logging its error messages somewhere else. Consult your hosting provider for details.
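The lookup described in section 3, as an added example that is not part of the original article: it reads an audit log, keeps only transactions for /wp-admin/post.php (optionally from one client IP), collects the ids of rules that denied them, and prints an exclusion block limited to those ids. It assumes the ModSecurity 2 serial audit-log layout (sections A, B, H, Z); the function names, IP addresses and transaction ids are constructed for illustration.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")   # serial audit-log section marker
REQUEST = re.compile(r"^[A-Z]+ (\S+) HTTP/")            # request line in section B
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def _new_tx():
    return {"ip": None, "path": None, "ids": []}

def blocked_rule_ids(log_text, path="/wp-admin/post.php", client_ip=None):
    """Count ids of rules that denied requests to `path`, optionally for one client IP."""
    hits, section, tx = Counter(), None, _new_tx()
    for line in log_text.splitlines():
        marker = BOUNDARY.match(line)
        if marker:
            section = marker.group(2)
            if section == "A":                       # a new transaction starts
                tx = _new_tx()
            elif section == "Z" and tx["path"] == path and client_ip in (None, tx["ip"]):
                hits.update(tx["ids"])               # transaction ended and matches the filter
        elif section == "A" and line.startswith("["):
            tx["ip"] = line.split("] ", 1)[1].split()[1]   # [time] unique-id src-ip src-port ...
        elif section == "B" and tx["path"] is None and REQUEST.match(line):
            tx["path"] = REQUEST.match(line).group(1).split("?", 1)[0]
        elif section == "H" and line.startswith("Message: Access denied"):
            tx["ids"] += RULE_ID.findall(line)       # warnings that did not block are skipped
    return hits

def exclusion_block(rule_ids, path="/wp-admin/post.php"):
    """Render the exclusion in the form the article appends to exclude.conf."""
    body = [f"SecRuleRemoveById {rid}" for rid in sorted(rule_ids, key=int)]
    return "\n".join([f'<LocationMatch "{path}">', *body, "</LocationMatch>"])

def _entry(tx, ip, url, rule_id):
    """Build one constructed audit-log transaction (sample data, not a real log)."""
    return (f"--{tx}-A--\n[10/Jan/2012:10:00:00 +0000] {tx} {ip} 51000 192.0.2.10 80\n"
            f"--{tx}-B--\nPOST {url} HTTP/1.1\nHost: example.com\n\n--{tx}-H--\n"
            f'Message: Access denied with code 500 (phase 2). [id "{rule_id}"]\n'
            f"Action: Intercepted (phase 2)\n\n--{tx}-Z--\n\n")

SAMPLE_LOG = (_entry("0a0a0001", "203.0.113.7", "/wp-admin/post.php", 300013)
              + _entry("0a0a0002", "203.0.113.7", "/wp-admin/post.php?post=42", 300015)
              + _entry("0a0a0003", "198.51.100.9", "/wp-admin/post.php", 300016)
              + _entry("0a0a0004", "203.0.113.7", "/wp-login.php", 300017))

if __name__ == "__main__":
    print(exclusion_block(blocked_rule_ids(SAMPLE_LOG, client_ip="203.0.113.7")))
```

Filtering on your own IP keeps the exclusion list to the rules your own edits triggered, so rules that blocked other clients on the same URL stay active.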



About the Author

Founder of Mkyong.com, love Java and open source stuff.



Rudiyantone Lima

thanks very much……. I like it for article

Marlon Leite

cool, thx 😉


Thanks, this was really helpful to me. I had to chat with my hosting company to effect those changes. You have always been impacting both my WordPress and Android journey.