Mod_security is a server-side error. Here are a few quick fixes you can do for it.
What is mod_security?
ModSecurity is an open-source web application firewall (WAF) supported by different web servers like Apache, Nginx, and IIS. Web application firewalls ensure the security of web-based software programs by detecting and preventing attacks before reaching them.
Mod_security comes with a Core Rule Set (CRS) that has different rules for protecting your website from various attacks such as cross-website scripting, bad user agents, SQL injection, trojans, session hijacking, etc.
Why Does the mod_security Error Happen?
Following is a screenshot of the mod_security error on a website.
Image credit: Infoinspired.com
The error simply states that you do not have permission to access the server or that your hosting company is blocking some kind of requests to their servers.
Why does it happen?
As a security practice, every page request from your website is being checked against various rules to filter out malicious requests. Sometimes, due to poor website coding, mod_security may incorrectly determine that a certain request is malicious, and disable its access while it is actually legitimate.
This is when you get the error.
Now let us see the ways you can fix the error for your website.
How to Fix the mod_security Error?
You can choose one of the three ways to get the error fixed.
1. Contact your Host
As you have already learned, it is a server-side error and the easier and safer fix for the error would be contacting your hosting provider. You can contact their support team and explain your issue. They will most likely solve the issue by disabling certain security rule(s) or by whitelisting the requested page.
2. Disable mod_security by using the .htaccess file
This method is not highly recommended as it will turn off the whole mod_security Apache module for your site, which might not be good for your site’s security.
To disable the mod_security error by using the .htaccess file do the following.
- Backup your .htaccess file in the ‘wp-admin’ directory
- create a ‘.htaccess’ file with the following content (by using any text editor).
- upload it to the ‘wp-admin’ directory.
later upload the .htaccedss file to your server.
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>If the above solution doesn’t work, you can try the one below.
- Backup your .htaccess file if you have one in the public_html directory
- Open the .htaccess file with any text editor
- Update the file with the below content
- Upload it to the ‘public_html’ directory
<IfModule mod_rewrite.c>
RewriteEngine On RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>3. Disable mod_security for Specific URLs
With this method, you can disable mod_security only on specific URLs rather than your entire site, which is a better option in terms of security. You can specify which URLs to match via the regex in the <If> statement below.
<IfModule mod_security.c>
<If "%{REQUEST_URI} =~ m#/admin/#">
SecFilterEngine Off SecFilterScanPOST Off
</If>
</IfModule>Final Note
Although disabling mod_security is a solution to fix the error, it is best to consult your host and ask their opinion before you go with the fix.
- Was this article helpful?
- Yes, thanks!Not really
Comments (5)
marks
August 23, 2022
I’m using CyberPanel OLS, how can this rule work with OpenLiteSpeed?
Mark
August 26, 2022
Hi Marks,
We are sorry that we are a little out of depth on your query. Kindly try contacting your hosting support. They will surely be able to provide better insight in the matter.
Mary Teyssier
September 9, 2021
Cannot log into my Lake Ashton Living account. Keep getting error comment.
Mark
September 13, 2021
Hi Mary,
If you are having an issue with the account in webtoffee.com, please submit a ticket here.
Fredy Andino
July 20, 2021
Excelente explicación. Saludos