How to fix the mod_security error

Mod_security is a server-side error. Here are a few quick fixes you can do for it.

ModSecurity is an open-source web application firewall (WAF) supported by different web servers like Apache, Nginx, and IIS. Web application firewalls ensure the security of web-based software programs by detecting and preventing attacks before reaching them.

Mod_security comes with a Core Rule Set (CRS) that has different rules for protecting your website from various attacks such as cross-website scripting, bad user agents, SQL injection, trojans, session hijacking, etc. 

Following is a screenshot of the mod_security error on a website.

Image credit: Infoinspired.com

The error simply states that you do not have permission to access the server or that your hosting company is blocking some kind of requests to their servers. 

Why does it happen?

As a security practice, every page request from your website is being checked against various rules to filter out malicious requests. Sometimes, due to poor website coding, mod_security may incorrectly determine that a certain request is malicious, and disable its access while it is actually legitimate. 

This is when you get the error.

Now let us see the ways you can fix the error for your website. 

You can choose one of the three ways to get the error fixed. 

As you have already learned, it is a server-side error and the easier and safer fix for the error would be contacting your hosting provider. You can contact their support team and explain your issue. They will most likely solve the issue by disabling certain security rule(s) or by whitelisting the requested page. 

This method is not highly recommended as it will turn off the whole mod_security Apache module for your site, which might not be good for your site’s security.

To disable the mod_security error by using the .htaccess file do the following.

1. Backup your .htaccess file in the ‘wp-admin’ directory
2. create a ‘.htaccess’ file with the following content (by using any text editor).
3. upload it to the ‘wp-admin’ directory.

later upload the .htaccedss file to your server. 

  <IfModule mod_security.c> 
  SecFilterEngine Off 
  SecFilterScanPOST Off 
  </IfModule>

If the above solution doesn’t work, you can try the one below.

1. Backup your .htaccess file if you have one in the public_html directory
2. Open the .htaccess file with any text editor
3. Update the file with the below content
4. Upload it to the ‘public_html’ directory

   <IfModule mod_rewrite.c> 
   RewriteEngine On RewriteBase / 
   RewriteCond %{REQUEST_FILENAME} !-f 
   RewriteCond %{REQUEST_FILENAME} !-d 
   RewriteRule . /index.php [L] 
   </IfModule>

With this method, you can disable mod_security only on specific URLs rather than your entire site, which is a better option in terms of security. You can specify which URLs to match via the regex in the <If> statement below. 

<IfModule mod_security.c> 
<If "%{REQUEST_URI} =~ m#/admin/#"> 
SecFilterEngine Off SecFilterScanPOST Off 
</If> 
</IfModule>

Although disabling mod_security is a solution to fix the error, it is best to consult your host and ask their opinion before you go with the fix.