How to Fix the mod_security Error

The mod_security error is a server-side error. Here are a few quick fixes you can try.

What is mod_security?

ModSecurity is an open-source web application firewall (WAF) supported by different web servers like Apache, Nginx, and IIS. Web application firewalls protect web-based software by detecting and blocking attacks before they reach the application.

Mod_security comes with a Core Rule Set (CRS) that has different rules for protecting your website from various attacks such as cross-site scripting, bad user agents, SQL injection, trojans, session hijacking, etc.

Why Does the mod_security Error Happen?

[Screenshot: mod_security generated error on a website]

The error simply states that you do not have permission to access the server or that your hosting company is blocking certain requests to their servers.

Why does it happen?

As a security practice, every page request to your website is checked against various rules to filter out malicious requests. Sometimes, due to poor website coding, mod_security may incorrectly determine that a certain request is malicious and block it even though it is actually legitimate.

This is when you get the error.

Now let us see the ways you can fix the error for your website. 

How to Fix the mod_security Error?

You can choose one of the three ways to get the error fixed. 

1. Contact your Host

As you have already learned, it is a server-side error and the easier and safer fix for the error would be contacting your hosting provider. You can contact their support team and explain your issue. They will most likely solve the issue by disabling certain security rule(s) or by whitelisting the requested page. 
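Added example (not part of the original article): a support request is easier to act on when it names the rule that blocked the request and the URL involved. The Python sketch below groups ModSecurity 2.x error-log lines by unique_id and lists the rules that fired in blocked requests. It assumes you can read the Apache error log; the log lines are constructed samples and `candidates` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: ModSecurity 2.x lines as written to the Apache error log
# (timestamps and some tags trimmed). A1/B2 show CRS anomaly-scoring mode.
SAMPLE_LOG = '''
[client 203.0.113.7] ModSecurity: Warning. detected SQLi using libinjection. [file "/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/post.php"] [unique_id "A1"]
[client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-admin/post.php"] [unique_id "A1"]
[client 203.0.113.8] ModSecurity: Warning. detected SQLi using libinjection. [file "/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/post.php"] [unique_id "B2"]
[client 203.0.113.8] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-admin/post.php"] [unique_id "B2"]
[client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/wp-admin/admin-ajax.php"] [unique_id "C3"]
[client 192.0.2.4] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [file "/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"] [unique_id "D4"]
'''

# Matches the [key "value"] tags ModSecurity appends to each log line.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def candidates(log_text):
    """Return (rule_id, uri, hits, msg) for rules seen in blocked requests."""
    by_txn = defaultdict(list)   # unique_id -> tag dicts of one request
    denied = set()               # unique_ids of requests that were blocked
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        f = dict(TAG.findall(line))
        if not {"id", "uri", "unique_id"} <= f.keys():
            continue
        by_txn[f["unique_id"]].append(f)
        if "Access denied" in line:
            denied.add(f["unique_id"])
    hits, msgs = Counter(), {}
    for uid in denied:
        for f in by_txn[uid]:
            # In anomaly-scoring mode the denying rule only reports the total
            # score; the rules that raised the score are the ones of interest.
            if "BLOCKING-EVALUATION" in f.get("file", ""):
                continue
            hits[(f["id"], f["uri"])] += 1
            msgs[f["id"]] = f.get("msg", "")
    return [(rid, uri, n, msgs[rid]) for (rid, uri), n in hits.most_common()]

if __name__ == "__main__":
    for row in candidates(SAMPLE_LOG):
        print(row)
```

Requests that only produced warnings (D4 in the sample) are left out, since they were not blocked.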

2. Disable mod_security by using the .htaccess file

This method is not highly recommended as it will turn off the whole mod_security Apache module for your site, which might not be good for your site’s security.

To disable mod_security by using the .htaccess file, do the following.

  1. Back up your .htaccess file in the ‘wp-admin’ directory.
  2. Create a ‘.htaccess’ file with the following content (by using any text editor).
  3. Upload it to the ‘wp-admin’ directory.

Later, upload the .htaccess file to your server.

  # SecFilter* directives are ModSecurity 1.x syntax; ModSecurity 2.x uses
  # <IfModule mod_security2.c> with "SecRuleEngine Off" instead.
  <IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
  </IfModule>

If the above solution doesn’t work, you can try the one below.

  1. Back up your .htaccess file if you have one in the public_html directory.
  2. Open the .htaccess file with any text editor.
  3. Update the file with the content below.
  4. Upload it to the ‘public_html’ directory.

   # Standard WordPress rewrite rules: send requests that are not an
   # existing file or directory to index.php.
   <IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
   </IfModule>

3. Disable mod_security for Specific URLs

With this method, you can disable mod_security only on specific URLs rather than your entire site, which is a better option in terms of security. You can specify which URLs to match via the regex in the <If> statement below. 

<IfModule mod_security.c>
<If "%{REQUEST_URI} =~ m#/admin/#">
SecFilterEngine Off
SecFilterScanPOST Off
</If>
</IfModule>

Final Note

Although disabling mod_security is a solution to fix the error, it is best to consult your host and ask their opinion before you go with the fix. 
