ModSecurity is a Web Application Firewall (WAF) that runs on the web server and inspects incoming HTTP requests. It blocks common attacks such as SQL injection and cross-site scripting (XSS), along with attempts to exploit other OWASP Top 10 vulnerabilities, before they reach your website.
Please note: Screens and options may vary slightly depending on your cPanel version and hosting plan.
Accessing ModSecurity Settings
- Log in to your cPanel account.
- In the Security section, click ModSecurity (if available).
- You'll see a list of your domains with ModSecurity status (On/Off) for each.
Enabling or Disabling ModSecurity
You can toggle ModSecurity on or off per domain:
- On the ModSecurity page, find the domain.
- Click the toggle to switch it on or off.
Warning: Disabling ModSecurity removes an important layer of protection. Only disable it temporarily for troubleshooting, and re-enable it as soon as possible.
When ModSecurity Blocks Legitimate Requests
Sometimes ModSecurity's rules are too aggressive and block legitimate actions (e.g. saving a blog post, submitting a form, or uploading a file). Signs include:
- 403 Forbidden errors when submitting forms.
- 406 Not Acceptable errors.
- Unexpected "Access Denied" messages.
Troubleshooting False Positives
- Check your Error Logs (in the Metrics section) for ModSecurity-related entries. These will include a rule ID.
- If you identify a specific rule causing the issue, contact your hosting provider with the rule ID and ask them to whitelist it for your account.
- As a temporary workaround, you can disable ModSecurity for the affected domain while awaiting a fix.
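To find the rule ID to report, the following added example (not part of cPanel or ModSecurity) groups ModSecurity entries from error log text by rule ID and URL. It assumes the entries use the ModSecurity 2.x Apache error-log layout with `[id "..."]`, `[msg "..."]`, `[hostname "..."]` and `[uri "..."]` fields; the sample lines, file path and rule 900001 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error-log layout (not real traffic).
SAMPLE_LOG = '''\
[Tue Mar 05 10:15:32 2024] [:error] [pid 4321] [client 203.0.113.10:51514] ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection. [file "/rules/placeholder.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "A1"]
[Tue Mar 05 10:16:02 2024] [:error] [pid 4321] [client 203.0.113.10:51520] ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection. [file "/rules/placeholder.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "A2"]
[Tue Mar 05 10:17:40 2024] [:error] [pid 4322] [client 198.51.100.7:40022] ModSecurity: Warning. Pattern match at ARGS:message. [file "/rules/placeholder.conf"] [line "12"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "example.com"] [uri "/contact"] [unique_id "A3"]
[Tue Mar 05 10:18:00 2024] [php:notice] [pid 4322] [client 198.51.100.7:40030] PHP Notice: Undefined index in /home/user/public_html/index.php
[Tue Mar 05 10:19:11 2024] [:error] [pid 4400] [client 192.0.2.55:33100] ModSecurity: Access denied with code 406 (phase 2). Pattern match at REQUEST_HEADERS:Accept. [file "/rules/placeholder.conf"] [line "9"] [id "900001"] [msg "Constructed example rule"] [hostname "shop.example.com"] [uri "/cart"] [unique_id "A4"]
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # matches [key "value"] pairs
DENIED = re.compile(r'Access denied with code (\d{3})')  # present only when the request was blocked

def parse_modsec_line(line):
    """Return the entry's fields as a dict, or None if the line is not a ModSecurity rule hit."""
    if "ModSecurity:" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first value if a key repeats
    if "id" not in fields:
        return None
    denied = DENIED.search(line)
    # Warning-only entries are kept: they can name the rule behind a later block.
    fields["action"] = f"denied {denied.group(1)}" if denied else "warning"
    return fields

def rule_report(log_text, domain=None):
    """Return [(count, rule_id, action, uri, msg)], most frequent first, optionally for one domain."""
    counts, msgs = Counter(), {}
    for line in log_text.splitlines():
        entry = parse_modsec_line(line)
        if entry is None or (domain and entry.get("hostname") != domain):
            continue
        counts[(entry["id"], entry["action"], entry.get("uri", "?"))] += 1
        msgs[entry["id"]] = entry.get("msg", "")
    return [(n, rid, act, uri, msgs[rid]) for (rid, act, uri), n in counts.most_common()]

if __name__ == "__main__":
    for n, rid, act, uri, msg in rule_report(SAMPLE_LOG, domain="example.com"):
        print(f"{n:>3}x  rule {rid}  {act:<10}  {uri}  ({msg})")
```

The rule ID, the URL and the action you were performing when the block occurred are the details to pass to your hosting provider.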
What ModSecurity Protects Against
- SQL Injection — Attempts to manipulate database queries through user input.
- Cross-Site Scripting (XSS) — Injecting malicious scripts into web pages.
- File Inclusion — Tricking the server into loading malicious files.
- Command Injection — Executing system commands through vulnerable applications.
- Brute Force Attacks — Rapid login attempts.
Tips
- ModSecurity is managed at the server level. You can toggle it on/off per domain, but you can't modify individual rules through cPanel. Contact your hosting provider for rule adjustments.
- Keep ModSecurity enabled at all times unless you're actively troubleshooting a confirmed false positive.
- ModSecurity works alongside other security measures (Imunify360, SSL, strong passwords) — it's one layer in a defence-in-depth strategy.
- Some WordPress plugins or themes may trigger ModSecurity rules. Updating to the latest versions often resolves these issues.
What Next?
- Blocking IP Addresses — Manually block specific threats.
- Understanding Imunify360 Security — Additional server-level protection.