StarDomain

Configuring ModSecurity in cPanel

ModSecurity is a Web Application Firewall (WAF) that protects your website from common attacks including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.

What Is ModSecurity?

ModSecurity inspects incoming HTTP requests and blocks those that match known attack patterns. It runs at the server level and protects all websites on the server automatically.

Accessing ModSecurity Settings

  1. Log in to cPanel
  2. Go to the Security section
  3. Click ModSecurity

ModSecurity Status

You can toggle ModSecurity for individual domains:

Status   Meaning
On       ModSecurity is actively protecting this domain (recommended)
Off      ModSecurity is disabled for this domain

Warning: Only disable ModSecurity if a specific rule is causing a false positive. Re-enable it as soon as the issue is resolved.

Handling False Positives

Sometimes ModSecurity blocks legitimate requests. Common scenarios:

  • Saving content in a CMS editor that contains HTML or code
  • Uploading files with certain content patterns
  • Using admin features that trigger security rules

How to Identify a False Positive

  1. You see a 403 Forbidden or 406 Not Acceptable error
  2. The error occurs when performing a specific action
  3. The action worked before or works on other sites
  4. Check the error log in cPanel for ModSecurity entries:
     ModSecurity: Access denied with code 403 (phase 2). [id "12345"] ...

Resolving False Positives

Option 1: Temporarily disable for your domain

  1. Go to ModSecurity in cPanel
  2. Click Off next to the affected domain
  3. Perform the blocked action
  4. Re-enable ModSecurity immediately after

Option 2: Contact support

Provide the error log entry with the rule ID (e.g., id "12345"). Our team can whitelist specific rules for your domain.
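
Both the error log check and the support request depend on pulling the rule ID out of the error log. The Python script below is an added example, not part of StarDomain's or cPanel's tooling: it extracts the rule ID, status code, hostname and URI from "Access denied" entries and counts how often each rule fired. The sample log lines are constructed, and the [msg], [hostname] and [uri] fields are assumed to be present as in ModSecurity 2.x Apache error logs.

```python
import re
from collections import Counter

# Constructed sample error-log lines (not from a real server). The [id], [msg],
# [hostname] and [uri] fields are assumed to follow the ModSecurity 2.x layout.
SAMPLE_LOG = '''\
[Mon Jan 01 10:00:01 2024] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "12345"] [msg "Constructed: HTML in request body"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[Mon Jan 01 10:00:09 2024] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "12345"] [msg "Constructed: HTML in request body"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[Mon Jan 01 10:02:30 2024] [error] [client 198.51.100.23] ModSecurity: Access denied with code 406 (phase 2). [id "67890"] [msg "Constructed: upload signature match"] [hostname "example.com"] [uri "/upload.php"]
[Mon Jan 01 10:03:00 2024] [error] [client 198.51.100.23] File does not exist: /home/user/public_html/favicon.ico
[Mon Jan 01 10:04:00 2024] [error] [client 192.0.2.44] ModSecurity: Warning. [id "11111"] [msg "Constructed: anomaly score"] [hostname "example.com"] [uri "/"]
'''

DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)')
# Quoted bracket fields; escaped quotes inside a value do not end the field.
FIELD = re.compile(r'\[(id|msg|hostname|uri) "((?:[^"\\]|\\.)*)"\]')
CLIENT = re.compile(r'\[client ([^\]\s]+)\]')

def parse_denials(log_text):
    """Return one dict per blocked request; skip warnings and unrelated lines."""
    events = []
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue
        event = {"code": int(denied.group(1)), "phase": int(denied.group(2)), "raw": line}
        client = CLIENT.search(line)
        event["client"] = client.group(1) if client else None
        # Only read bracket fields that follow the "ModSecurity:" marker.
        event.update(dict(FIELD.findall(line[denied.start():])))
        events.append(event)
    return events

def summarize(events):
    """Count blocks per (rule id, hostname, uri): the details support asks for."""
    return Counter((e.get("id"), e.get("hostname"), e.get("uri")) for e in events)

if __name__ == "__main__":
    for (rule_id, host, uri), hits in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f'rule id "{rule_id}" blocked {hits} request(s) to {host}{uri}')
```

A rule that repeatedly blocks the same admin URI from your own address is a likely false positive; the same rule firing across many URIs from unfamiliar clients is more likely doing its job.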

What ModSecurity Protects Against

SQL Injection

Blocks requests that attempt to inject malicious SQL queries through form inputs or URLs.

Cross-Site Scripting (XSS)

Prevents attackers from injecting malicious JavaScript into your web pages.

Remote File Inclusion

Blocks attempts to include malicious files from external servers.

Directory Traversal

Prevents attempts to access files outside your web root using ../ patterns.

Command Injection

Blocks attempts to execute system commands through web inputs.

Best Practices

  1. Keep ModSecurity enabled — It is your first line of defense
  2. Update your CMS and plugins — ModSecurity catches known vulnerabilities, but updating prevents them entirely
  3. Report false positives — Contact support so we can fine-tune rules without reducing security
  4. Do not disable permanently — If you must disable ModSecurity, always re-enable it after completing the blocked task
  5. Monitor your error logs — Regularly check for blocked requests that might indicate attack attempts

ModSecurity and WordPress

WordPress users may encounter ModSecurity blocks when:

  • Saving posts with HTML or JavaScript content
  • Using page builders that generate complex markup
  • Running security plugins that perform their own scanning

Solutions:

  1. Use the WordPress editor in Visual mode instead of Code mode
  2. Temporarily disable ModSecurity for bulk content updates
  3. Contact support to whitelist specific rules

Troubleshooting

403 Error When Saving Content

  1. Check the error log for the ModSecurity rule ID
  2. Temporarily disable ModSecurity for the domain
  3. Save your content
  4. Re-enable ModSecurity
  5. Contact support with the rule ID for a permanent fix

406 Error on File Upload

  1. The file content may match a malware signature
  2. Try renaming the file
  3. If legitimate, contact support with details

Slow Page Loading

ModSecurity adds minimal overhead. If pages are slow:

  • The cause is likely elsewhere (database, PHP, resources)
  • Check CloudLinux resource usage
  • ModSecurity does not significantly impact performance
