Recently whilst working on a WordPress website for a client, I came across a problem. The site made use of the Advanced Custom Fields (ACF) Pro plugin – which lets you easily define custom fields to store data against posts / pages and custom options pages.
When saving a custom options page but with ACF, I was ending up at a 404 error page. Everything was working fine on the development version of the site on my local machine, but the server just wasn’t playing ball and I really couldn’t figure it out. Luckily, the ACF forums started to shed a little light on the problem when I read this thread.
It turns out that the 404 wasn’t being sent by WordPress (or ACF) – but by a module of the Apache web server, mod_security. It’s there to boost security by protecting your site from common exploits by running regular expressions on requests sent to the server. Something on my options was flagging up one of it’s rules.
Unfortunately this particular site was being hosted on a WHM / cPanel shared hosting platform which meant I had no access to the mod_security settings, so I had no idea what rules were in place, or which rule was being triggered. The only solution I could find was to disable the mod_security module via cPanel – which is less than ideal. If you have full control over your server, you should be able to review the mod_security rules and tweak them to your requirements.
Looking back, I am surprised it generates a 404 response – something like a 403 (Forbidden) would be more appropriate – after all the page exists, but the server is denying us access to make the request.
Moral of the story? Make sure your development / test environment matches your production environment as closely as possible.