Whitelisting an IP address in ModSecurity , WordPress troubleshooting, integration and automation.
I have been recently been using Integromat.com for some automation and integration work. IF you are wondering what it is, let me explain. Integromat helps automate processes that you currently handle manually. It is not only capable of connecting apps but can also transfer and transform data. It works 24 hours a day, seven days a week and does not require your intervention. Once configured you can simply let Integromat do what you want and let it work for you. Save your time!

While I was there I wanted to see if I was able to automate some social media cross-posting. This sounded simple, but and probably is for many people, but I ran into a few issues with ModSecurity triggering and blocking my integrations.
I started by creating a Scenario in Integromat to Connect to my WordPress blog, take the title and URL and cross-post it to Reddit and Discord. Simple! Not quite.
So for WordPress, you will need:
- A second user account, not your main Admin account (optional but recommended)
- Username (make this something random, not a word/name that can be guessed e.g 98h423r9uhwfieund)
- Password (make this something complex and 30 characters long, as you won’t be using 2FA for this account)
- And I used “Author” permissions.
Now, this is where I was getting issues. Authenticating to my WordPress site. I kept seeing error 403 coming up. Now I looked at all the plugins and security things that I thought could be blocking it but nothing was causing an issue that I could see. After many hours of digging and looking around at all areas of my server, it turned out my ModSecurity WAF was triggering a rule. At this point, I had to add a whitelist for the Integromat servers to bypass the troublesome rule that was blocking it.
A little research and we get this article from ModSecurity . Having a read of this shows the syntax needed to be:
SecRule VARIABLES "OPERATOR" "TRANSFORMATIONS,ACTIONS"
For us to be able to create the whitelist we need to:
- Connect to the underlying server that is hosting the WordPress via SSH (or ask your hosting provider to do the next steps)
- Create a file that will be used for IP whitelisting
This might be slightly different, depending on your setup as you might be using different rules
For Debian based systems (Ubuntu/Debian):nano /etc/apache2/modsecurity.d/<RULE-SET-NAME>/000ipwhitelist.conf
For RHEL based systems (CentOS/CloudLinux):nano /etc/httpd/conf/modsecurity.d/rules/<RULE-SET-NAME>
/000ipwhitelist.conf
And in that 000ipwhitelist.conf
file add the following rules:
#Whitelisting Rules for Integromat.com - Date: xx/xx/xxxx
SecRule REMOTE_ADDR "@IPMatch 82.208.14.110/31" "phase:1,log,allow,ctl:ruleEngine=Off,id:00001"
SecRule REMOTE_ADDR "@IPMatch 82.208.14.112/29" "phase:1,log,allow,ctl:ruleEngine=Off,id:00002"
These IP ranges are taken from the Integromat website. Now reload the ruleset and this will whitelist any ModSecurity block. Finally, after getting that out of the way, we can go back to the Integromat website and test our WordPress authentication. It works!!
We can now setup the below scenario.

And for Reddit, you will need:
- A subreddit you can spam, I mean post to 🙂
- The ability to login to your Reddit account and give Integromat permissions.
And for Discord, you will need:
- A channel you can spam, I mean post to 🙂
- The ability to login to your Discord account and give Integromat permissions.
Once you have done all of that
Add a WordPress service to your scenario, and choose “Watch Posts”, choose Type: Posts and Limit: xx
Click on OK.

Now “Right-Click” and click on “Run this module only” and after a while you will get a number pop up at the top. This shows it has pulled a recent post in.

Now you will want to add Reddit and click on the service and choose what information that was just pulled in (above) that you want to use to post to Reddit. I went with Link Post, Title and URL and my own subreddit to post to.
You may be interested in...

Now do the same for Discord

Now you want to click OK. The next step is to ensure
- The services are connected
- You tested it by clicking “Run Once”
- You Saved it once you are happy it’s working
- You enable “Scheduling”, this will now automatically hook into any new post made on WordPress

This is just a very basic guide, there are some incredibly complex things that it can do. I for one will be playing with some more complex automation.
Now go and play with the hundreds of services available over at Integromat.com