How to Fix the mod_security Error

Mod_security is a server-side error. Error Message: “Not acceptable! An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.”

Looking for ways to fix the Mod_Security Error? Here are a few quick fixes you can do to fix it.

ModSecurity is an open-source web application firewall (WAF) supported by web servers like Apache, Nginx, and IIS. WAFs ensure the security of web-based software programs by detecting and preventing attacks before they reach them.

Mod_security comes with a Core Rule Set (CRS) with different rules for protecting your website from attacks, such as cross-website scripting, bad user agents, SQL injection, Trojans, session hijacking, etc. 

Following is a screenshot of the mod_security error on a website.

Image credit: Infoinspired.com

The error simply states that you do not have permission to access the server or that your hosting company is blocking certain requests to its servers. 

Why does it happen?

As a security practice, every page request from your website is checked against various rules to filter out malicious requests. Sometimes, due to poor website coding, mod_security may incorrectly determine that a certain request is malicious and disable its access while it is legitimate. 

This is when you get the error.

Now, let us see how you can fix the error for your website. 

You can choose one of the three ways to get the error fixed. 

As you have already learned, it is a server-side error and the easier and safer fix for the error would be contacting your hosting provider. You can contact their support team and explain your issue. They will most likely solve the issue by disabling certain security rule(s) or by whitelisting the requested page. 

This method is not highly recommended as it will turn off the whole mod_security Apache module for your site, which might not be good for your site’s security.

To disable the mod_security error by using the .htaccess file do the following.

1. Back up your .htaccess file in the ‘wp-admin’ directory.
2. Create a ‘.htaccess’ file with the following content (by using any text editor).
3. Upload it to the ‘wp-admin’ directory.

later upload the .htaccedss file to your server. 

  <IfModule mod_security.c> 
  SecFilterEngine Off 
  SecFilterScanPOST Off 
  </IfModule>

If the solution above doesn’t work, try the one below.

1. Backup your .htaccess file if you have one in the public_html directory
2. Open the .htaccess file with any text editor
3. Update the file with the below content
4. Upload it to the ‘public_html’ directory

   <IfModule mod_rewrite.c> 
   RewriteEngine On RewriteBase / 
   RewriteCond %{REQUEST_FILENAME} !-f 
   RewriteCond %{REQUEST_FILENAME} !-d 
   RewriteRule . /index.php [L] 
   </IfModule>

With this method, you can disable mod_security only on specific URLs rather than your entire site, which is a better option in terms of security. You can specify which URLs to match via the regex in the <If> statement below. 

<IfModule mod_security.c> 
<If "%{REQUEST_URI} =~ m#/admin/#"> 
SecFilterEngine Off SecFilterScanPOST Off 
</If> 
</IfModule>

Although disabling mod_security is a solution to fix the error, it is best to consult your host and ask their opinion before you go with the fix.