Statistics: Posted by Jason Caldwell — November 20th, 2011, 7:37 pm
Statistics: Posted by webamin — November 10th, 2011, 11:01 am
Hello Jason,
I have globally whitelisted all URLs using s2member from all rules I have seen hit after a farm wide search for Mod_Security hits for s2member.
David N.
Network Security and Support
HostGator.com LLC
http://support.hostgator.com
Statistics: Posted by Jason Caldwell — September 14th, 2011, 1:21 am
Jason,
I've looped through all of our servers' error logs and found a few of our mod_security rules hit. We have pushed an update to our rule set which should resolve the problems. Do you have any customer domains that reported the problem? I would like to make sure these have been fixed.
Thanks,
Josh
HostGator.com LLC
Statistics: Posted by Jason Caldwell — September 13th, 2011, 5:38 pm
Welcome to GatorChat!
Your Chat ID is 4559257.
Your question is:
"The mod_security extension for Apache, as it affects the s2Member plugin for WordPress installations at HostGator. I'm the s2Member Lead Developer."
(12:50:49 PM) Corey Sc: Welcome to HostGator Live Chat, my name is Corey. How can I help you today?
(12:53:02 PM) Jason: Hi there. Hope you're doing well today! My name is Jason Caldwell. I'm the Lead Developer for s2Member.com, providing a popular e-commerce plugin for WordPress. http://www.s2member.com/ Recently, we've had numerous complaints from our customers regarding the mod_security extension for Apache, as configured by HostGator. It seems that recent changes in your mod_security ruleset have caused various parts of s2Member's functionality to break. I'd like to speak with someone that can help get the s2Member application URLs whitelisted across your network so this is not an ongoing issue. I've posted an article here explaining the issue: viewtopic.php?f=36&t=14787
(12:54:16 PM) Corey Sc: Just a moment please, while I check on this, Jason.
(12:55:57 PM) Jason: Thank you Corey. Just to give you full disclosure, I will be re-posting our conversation to our own clients reporting this issue, so they know that we're working toward a solution with you (i.e. HostGator).
(12:58:37 PM) Corey Sc: Alright, Jason, that's understandable.
(01:00:01 PM) Corey Sc: Unfortunately for security reasons we can't whitelist this across our servers. However, users of your plugin are free to come to us individually to have this whitelisted, which you could put in the readme file of your plugin.
(01:06:18 PM) Jason: Thank you. Right, and that's what our customers have been forced to do recently. The trouble is, how many site owners know what mod_security is? For that matter, how many of them do you think leave HostGator, and/or s2Member for that matter, because the application produces 403 errors on HostGator? See where I'm going? I would understand this if s2Member was doing something that *should* be considered suspect, but I'm finding nothing unique about the s2Member application in this regard. That is, URLs with encrypted data in query strings is a VERY common practice. So what can I do to help prevent this problem from ever occurring in the first place, for the benefit of both s2Member and HostGator?
(01:08:54 PM) Corey Sc: I understand that this can be troublesome, and I do apologize, however we do have specific security reasons for not having them whitelisted, but if you feel this is something we should look into whitelisting across our servers you can email feedback@hostgator.com.
(01:10:05 PM) Jason: I should also mention that we currently work with MediaTemple, Rackspace, Dreamhost, XLHost, and many other hosting companies, none of which have this problem with the s2Member application. Thus, it seems that HostGator (to your credit), has tighter security. But is it too tight?
(01:11:40 PM) Jason: Corey. Please don't refer me to a feedback address. If you have a higher-up that I can call directly, I'll be happy to discuss this matter with them if you prefer, but I've been around long enough to know better than to send an email to feedback@ addresses. Nothing ever gets resolved that way. You see where I'm coming from?
(01:13:08 PM) Corey Sc: Yes, I understand, Jason.
(01:18:54 PM) Jason: OK great! Thank you. So can you please send this article to your higher-ups on my behalf? Along with a copy of our conversation here? I'm sure you can get this to the right person for us faster than I can through a feedback address. The "Known Problematic Areas" listed in that article should be enough for your techs, I would think. That being said, if there is more information needed, please let me know. Article outlining the issue: viewtopic.php?f=36&t=14787
(01:21:47 PM) Corey Sc: Alright, one moment, please.
(01:22:24 PM) Jason: Certainly. I'm a patient person.
(01:22:38 PM) Corey Sc: Thank you, I very much appreciate your patience.
(01:26:28 PM) Corey Sc: I will be more than happy to create a formal ticket for you about this issue and have it immediately escalated to a member of our Quality Assurance team who will ensure that it ends up with the right Management team member so that you can get prompt assistance with this matter, as I understand that it impacts your clients as much as it does ours. If you would like, I can also note a Callback number to request a callback once that has been escalated. Would that be okay?
(01:27:39 PM) Jason: Very welcome, and thank you as well. It will be great to have this resolved, or at least into the right person's inbox so we can work toward a long term solution in this regard. Yes, certainly. Please have them email me directly at XXX, or to XXX, or call our office and ask for me by name at: XXXXXXXXXX.
(01:28:53 PM) Corey Sc: Alright, allow me a minute to set up this ticket for you.
(01:29:05 PM) Jason: Thank you Corey. Waiting patiently.
(01:32:01 PM) Corey Sc: Okay, I've created this ticket for you. I'm having this escalated right away.
(01:32:39 PM) Jason: Thank you Corey. You've been most helpful. I'll keep a log of our conversation and follow-up on this in a few days. Anything more you need from me right now?
(01:34:05 PM) Corey Sc: I'm glad to help, Jason. That should be it.
(01:39:13 PM) Corey Sc: Was there anything else you needed?
(01:39:26 PM) Jason: OK. Nope, that's it. Thank you! Have a great day!
Statistics: Posted by Jason Caldwell — September 13th, 2011, 1:46 pm
URL: http://example.com/?s2member_register=[encrypted data string appears here]
URL: http://example.com/?s2member_sp_access=[encrypted data string appears here]
URL: http://example.com/?s2member_paypal_notify=[followed by GET/POST data from PayPal]
URL: http://example.com/?s2member_paypal_return=[followed by GET/POST data from PayPal]
For that matter, any URL that contains: ?s2member_ and/or ?s2member_pro_ could be considered suspect, under a paranoid mod_security configuration. Also, some cookie data, stored in cookie names starting with: `s2member_` and/or `wordpress_`.
# Mod Security v1.x.
# May work in .htaccess too, on some hosts.
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
# Mod Security v2.x.
# Will NOT work in .htaccess, use httpd.conf.
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
# Mod Security v2.x only.
# Will NOT work in .htaccess, use httpd.conf.
<IfModule mod_security2.c>
SecRuleRemoveById 960024 981173 981212 960032 960034
</IfModule>
Statistics: Posted by Jason Caldwell — August 31st, 2011, 8:25 pm
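Before removing rules by ID (or switching the engine off), it helps to know which rule IDs actually fire on s2Member requests. The script below is an added example, not code from the forum post or from the s2Member project: it reads Apache error-log lines in the ModSecurity 2.x format, keeps only events whose match was on an s2member_ parameter or cookie, and prints a SecRuleRemoveById line limited to those IDs. The sample log lines are constructed; the rule IDs, client addresses and rule-file path in them are assumed, not taken from a real server.

```shell
#!/bin/sh
# Added example: extract the ModSecurity rule IDs that fired on s2Member requests
# so the exemption can be scoped to exactly those IDs instead of the whole engine.

# Constructed sample lines in the ModSecurity 2.x Apache error-log format.
# IDs, addresses and file path are illustrative only.
SAMPLE_LOG='[Tue Sep 13 12:50:49 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "%2A" at ARGS:s2member_register. [file "/etc/modsecurity/crs.conf"] [line "37"] [id "960024"] [msg "Meta-Character Anomaly Detection Alert"] [hostname "example.com"] [uri "/"] [unique_id "abc"]
[Tue Sep 13 12:51:02 2011] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "%2F" at ARGS:s2member_sp_access. [file "/etc/modsecurity/crs.conf"] [line "52"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [hostname "example.com"] [uri "/"] [unique_id "abd"]
[Tue Sep 13 12:52:30 2011] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "%2A" at ARGS:q. [file "/etc/modsecurity/crs.conf"] [line "37"] [id "960024"] [msg "Meta-Character Anomaly Detection Alert"] [hostname "example.com"] [uri "/search"] [unique_id "abe"]
[Tue Sep 13 12:53:11 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "%3D" at ARGS:s2member_paypal_notify. [file "/etc/modsecurity/crs.conf"] [line "88"] [id "960024"] [msg "Meta-Character Anomaly Detection Alert"] [hostname "example.com"] [uri "/"] [unique_id "abf"]'

# s2member_rule_ids: read error-log lines on stdin, keep only ModSecurity events
# whose match target was an s2member_ argument or cookie, print distinct rule IDs.
# The third sample line (a hit on an unrelated "q" parameter) is deliberately dropped.
s2member_rule_ids() {
    grep 'ModSecurity:' |
    grep -E 'at (ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_URI)[^.]*s2member_' |
    sed -n 's/.*\[id "\([0-9]*\)"].*/\1/p' |
    sort -u
}

# removal_directive: turn the ID list on stdin into a single SecRuleRemoveById line,
# the same directive form the post uses for mod_security 2.x.
removal_directive() {
    ids=$(tr '\n' ' ' | sed 's/ $//')
    [ -n "$ids" ] && printf 'SecRuleRemoveById %s\n' "$ids"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | s2member_rule_ids | removal_directive
```

On a real server, feed it the actual error_log (or the ModSecurity audit log after adjusting the grep). The resulting directive still disables those IDs for every request on the host; pairing it with a SecRule that uses ctl:ruleRemoveById only when the s2member_ parameter is present keeps the rules active for everything else.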