Posted: August 4th, 2016
Topics: Wordpress, GoDaddy
I had a client contact me a few days ago about a bizarre issue that I had never seen before. Not only had I never experienced a 406 error when using WordPress, I had never even heard of a a 406 error. Something new every day.
The 406 error was occurring when a user attempted to use/edit any of the WordPress core PHP files, specifically post.php
Basically, this file is referenced when updating posts/pages and — even more annoyingly — when using the “preview” function. Essentially, if you run into this you can’t do anything.
A simple Google query of “wordpress 406 error” returns a pretty interesting catalogue of WordPress forum threads from anywhere between 2007-2014. Variations of that query return pretty similar results.
All of the effective solutions came from users who mentioned bypassing mod_security. Even non-Wordpress websites who ran into this issue pretty much all had one common denominator: GoDaddy.
This specific client runs WordPress on a standard Linux with cPanel configuration, so I contacted general hosting support. Despite some terrible support from GoDaddy in the past, the woman who helped me in this situation was actually pretty fantastic.
I thought it was pretty odd that an issue for which the general consensus points to being a solely GoDaddy issue wasn’t on her radar, but whatever. She pulled up some old documentation which instructed me to add the following command to .htaccess:
<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
Apparently, you can’t directly bypass modsecurity through .htaccess anymore, so back to the drawing board. A few threads has mentioned that only GoDaddy sysadmins can enforce or scale down these modsecurity settings, so I requested a tech scale them back.
As it turns out, the modsecurity settings are automatically scaled up when any suspicious files are detected on your dedicated server or install — whatever you’re working with. Long story short, I requested the site be unflagged as having a security threat, reset all the passwords, and the issue was fixed.
Bottom line, if you’re seeing a 406 error on GoDaddy hosting, contact your hosting support and ask them to check if your site has been flagged. If so, scan for any suspicious files/activity, take appropriate action, then make sure a sysadmin scales down the mod_security settings.
Hope this saves you the last 3-4 hours I spent figuring it out.