Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

Enabling ModSecurity (Updated)

For years, I’ve not used ModSecurity for any of my own sites. Way back when I first tried ModSecurity, there were just too many false positives, so I stayed away from it, opting instead to develop my own fast Apache/.htaccess firewall. But my web host now is telling me that ModSecurity is required on all of their managed VPS plans.

I would have left and moved my sites to another web host, but after some thought realized that it would take less time (hopefully) to enable and test ModSecurity than it would to relocate all of my sites to a new server. So, finally pulled the trigger and enabled ModSecurity on most of my sites. This article is simply a summary of the experience, and will be updated with any found bugs or false positives, etc.

Enabling ModSecurity

My web host provides Plesk as the server control panel, which makes it simple to enable (or disable) ModSecurity as needed. After checking the box and choosing some basic options, I mindfully clicked the “save changes” button and immediately went to check all of my domains..

All smooth so far..

After some time checking my sites, everything seems to be running smoothly. No problems so far, will keep my eye on it and report back with any issues.

Update 6 months later

Very happy to report that everything continues going smoothly with ModSecurity. I actively inspect the site’s access and error logs to keep a close eye on traffic. Turns out that ModSecurity is indeed blocking some bad requests, and working great together with 7G Firewall with no false positives or other issues.

Update another 3 months later

Still going good no issues or false positives after almost a year of enabling ModSecurity. And here I thought this was going to be interesting, lol.

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
USP Pro: Unlimited front-end forms for user-submitted posts and more.

3 responses to “Enabling ModSecurity (Updated)”

  1. I am currently on super shared hosting. The hosting has been running for a year without any issues and works great with firewall from hosting + Cloudflare + ModSecurity + 7G Firewall. Thank you for 7G Firewall

    The firewall from my hosting shows me blocked attacks from time to time, but most cut out ModSecurity and it complements 7G Firewall very well.

  2. Jim S. Smith 2022/04/14 2:42 pm

    On Debian repositories (at least with Debian “Buster” and so on),

    Seems “Mod Security” is being (or has been) replaced with “Mod Security2”. Though I suspect that the older directives used with it should still work, I am mindful of possible changes needed for some of the directives to work in the newer version?

    On another topic:

    I shortened a bit of htaccess firewall “wizardry” where it came to limiting which files can be accessed. Rather than a long list “no’s”, I chose to use a shorter list of “yes’s” instead.

    Something like:

    <IfModule>
    
    # - ALLOW ACCESS TO ONLY THESE FILE-TYPES. (Can be updated to add more supported types.)
    
      RewriteCond %{REQUEST_FILENAME} -f
      RewriteCond %{REQUEST_FILENAME} !\.(php|xml|(s?c|le)ss|js(onp?)?|gif|jpe?g?|png|svgz?|ico|avi|flv|mp(e?g|3|4)|mov|pdf|ps|asc|te?xt|eot|otf|tt(c|f)|woff2?)$ [NC]
    
      RewriteRule .* - [R=404,L]
    
    </IfModule>

    Makes it much simpler to control what file-types can be accessed, and what can added or removed from the filtering. – Possible change in your “next-generation” htaccess-firewall, perhaps?

    • Jeff Starr 2022/04/14 4:19 pm

      Yes I suspect they won’t overhaul and reinvent the wheel for ModSecurity 2. Wise to be mindful though, keep an eye on it.

      I like the idea of maybe adding some whitelist rules for 7G or maybe 8G. Thanks for the idea :)

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
BBQ Pro: The fastest firewall to protect your WordPress.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.