ModSecurity, sometimes called Modsec, is an Apache module and open-source web application firewall that helps to protect your website from various attacks and exploits.
However, it can also sometimes block legitimate requests, resulting in a 406 error when trying to complete a specific action or access a web page. While disabling ModSecurity will prevent these errors, it is not recommended to do so.
Instead, the preferred solution is to disable the specific ModSecurity rule that is causing the issue. Here we cover the steps to determine and disable a ModSecurity rule that is inhibiting website functionality on your VPS or Dedicated server.
Related Articles
How to SSH into VPS or Dedicated Servers
Enable/Disable ModSecurity Using cPanel
Check Apache Error Log
Disable ModSec Rule
IMPORTANT: This solution will require root access. If this needs to be obtained, follow the guide on requesting root access.
- Review your Apache error log for a line similar to the following example:
  [Wed Nov 13 xx:xx:xx.xx xxxx] [:error] [pid 27189] [client xx.xx.xx.xx:xxxxx] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [tag "WEB_ATTACK/SHELL ACCESS"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "Xcw0ipq6HORiGQf95hXF2gAAAAs"], referer: https://domain.com/wp-login.php
- Locate the ID
  EXAMPLE: In the example log entry from step 1, the information we are looking for is [id "13052"].
- Log into Root WHM
- Expand the Security Center drop-down and select ModSecurity Tools
- Click the Rules List button in the top right
- Click Add Rule
- Under Rule Text, add the following:
  SecRuleRemoveById [id]
  REPLACE: [id] with the ID of the rule found in the Apache error log.
  EXAMPLE: SecRuleRemoveById 13052
- Ensure Enable Rule and Deploy and Restart Apache are enabled
- Click the Save button
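One way to carry out the first two steps over SSH, as an added example that is not part of the original article: it tallies ModSecurity denials by rule ID and URI so you can confirm which rule is blocking the affected page, then prints the matching directive. The sample log lines, rule ID 99001 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the format of the entry in step 1 (not real log data).
sample_log() {
cat <<'EOF'
[Wed Nov 13 10:00:01.10 2019] [:error] [pid 27189] [client 203.0.113.5:51000] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "AAAA"]
[Wed Nov 13 10:00:09.42 2019] [:error] [pid 27189] [client 203.0.113.7:51022] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 1 at TX:brute. [file "/etc/apache2/conf.d/imh-modsec/40_wordpress.conf"] [line "27"] [id "13052"] [msg "POST to wp-login.php without redirect_to"] [severity "WARNING"] [hostname "domain.com"] [uri "/wp-login.php"] [unique_id "BBBB"]
[Wed Nov 13 10:02:30.00 2019] [:error] [pid 27190] [client 203.0.113.9:40100] [client 203.0.113.9] ModSecurity: Access denied with code 406 (phase 2). [file "/constructed/example.conf"] [line "5"] [id "99001"] [msg "constructed example rule"] [hostname "domain.com"] [uri "/contact.php"] [unique_id "CCCC"]
[Wed Nov 13 10:03:00.00 2019] [authz_core:error] [pid 27190] [client 203.0.113.9:40101] AH01630: client denied by server configuration: /home/user/public_html/private
EOF
}

# Read Apache error-log lines on stdin; print "count rule_id uri", busiest first.
summarize_denials() {
  awk '
    # Return the value of a [name "value"] field, or "" if the field is absent.
    function field(line, name,    pat) {
      pat = "\\[" name " \"[^\"]*\"\\]"
      if (!match(line, pat)) return ""
      return substr(line, RSTART + length(name) + 3, RLENGTH - length(name) - 5)
    }
    /ModSecurity: Access denied/ {
      id = field($0, "id"); uri = field($0, "uri")
      if (id ~ /^[0-9]+$/) hits[id " " uri]++   # ignore lines without a numeric ID
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}

# Print the Rule Text for one rule ID; reject anything that is not purely numeric.
removal_directive() {
  case "$1" in
    ''|*[!0-9]*) echo "refusing non-numeric rule id: $1" >&2; return 1 ;;
  esac
  printf 'SecRuleRemoveById %s\n' "$1"
}

# Demo on the constructed sample; pipe your Apache error log in instead.
sample_log | summarize_denials
removal_directive 13052
```

If the summary shows the same rule ID firing on URIs other than the page you are fixing, review those entries before removing the rule.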