diff --git a/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf b/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
index efabd1aac393ce97c262ff7f391359fbdbe3be2c..7ef68b7b2f6614d02f7f98e57cb7d97204a1c2cc 100644
--- a/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+++ b/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
@@ -32,24 +32,44 @@ SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/posts/" \
     nolog,\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:content"
 
-# Make the eventlist plugin work.
+# Make the eventlist plugin work (SIGH for the lack of regexps).
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
     "id:1004,\
     phase:2,\
     pass,\
     nolog,\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][title],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][cat_filter],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][num_events],\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][location_length],\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][title],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][cat_filter],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][num_events],\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][location_length],\
-    ctl:ruleRemoveTargetByTag=language-powershell;ARGS:widget-event_list_widget[1][title],\
-    ctl:ruleRemoveTargetByTag=language-powershell;ARGS:widget-event_list_widget[1][location_length],\
-    ctl:ruleRemoveTargetByTag=language-powershell;ARGS:widget-event_list_widget[2][title],\
-    ctl:ruleRemoveTargetByTag=language-powershell;ARGS:widget-event_list_widget[2][location_length]"
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][title],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][cat_filter],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][num_events],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][location_length],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][title],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][cat_filter],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][num_events],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][location_length],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][title],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][cat_filter],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][num_events],\
+    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][location_length]"
+
+# More eventlist plugin workarounds.
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
+    "id:1005,\
+    phase:2,\
+    pass,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=language-powershell"
 
 # Filter out certain args (all URIs) for the pgp email plugin.
 SecRule REQUEST_URI "@beginsWith /" \
-    "id:1005,\
+    "id:1006,\
     phase:2,\
     pass,\
     nolog,\