This was a fun one. A client was updating a simple page with availabilities for trips that they offer. This wasn’t a custom post type, there were no custom fields and really not a whole lot of plugins that would interfere. But when they hit Publish all they got was “Page not found”
Here’s a very short snippet of the text that they were posting:
Please feel free to call or write with any questions or to double check availability. ... lots of text Tour #10 = 12 seats remaining Tour #11 = 11 seats remaining Tour #12 = 9 seats remaining
No HTML, nothing else really special. Can you see the problem? Let me trim the text a bit to get closer to the problem:
Please feel free to call or write. Tour #11 = 11 seats remaining
Do you see it yet? Okay, let’s trim a little bit more. Hint, think about SQL.
Please feel free to call or write. 1 = 1
Let me highlight it a bit:
Please feel free to call or write. 1 = 1
Ahh… the good old SQL injection code of OR 1=1
which is has been used time and time again to break into sites.
It turns out that our web host has a mod sec rule in place for this and it was giving 500 level errors. For whatever reasons, WordPress was turning these into 404’s. We’re not sure why but once we disabled that rule (#300014 which is apparently from https://www.atomicorp.com/) everything started working.
I just wanted to post it here for future reference. Of course, I had to disable the rule on this site, too, before posting.