Disable mod_security rule for a specific application for a specific domain
Introduction
ModSecurity is a widely used web application firewall (WAF) that helps protect websites from common attacks such as SQL injection, cross-site scripting (XSS), and other vulnerabilities. It is commonly enabled in hosting environments managed through cPanel.
However, in some cases, ModSecurity rules may incorrectly block legitimate requests from a specific application, causing functionality issues. To resolve this, administrators can disable a particular ModSecurity rule for a specific domain without turning off the entire firewall, ensuring both security and application functionality are maintained.
Pre-requisites
Before disabling a ModSecurity rule for a specific application/domain, ensure the following:
- You should have sufficient privileges to manage ModSecurity settings.
- Determine the exact ModSecurity rule ID causing the issue (usually found in error logs).
- Check logs in cPanel (Metrics → Errors) or server logs such as /usr/local/apache/logs/error_log or /var/log/apache2/error.log
Implementation
If you face a mod_security issue, don't whitelist the whole domain from the mod_security rules. Instead, override the mod_security settings for the domain narrowly, so that the override applies only to the particular page and the particular rule. Follow the steps below to troubleshoot mod_security issues.
1) Tail the Apache error logs and find the error.
2) Every log entry carries the ID of the rule and the URL that caused the mod_security issue, so overriding those alone will solve the issue. Check the sample Apache log below.
++++++++++++++++++++++++++++
[19:37] [Tue Sep 06 19:31:22 2011] [error] [client 203.197.151.138] ModSecurity: [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "116"] [id "300023"] [rev "1"] [msg "Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)"] [data "[http://domainname.com] |- | ahx || mitch schwenk || |- | almico || alfredo milani ccrestron || […"] [severity "ERROR"] Access denied with code 403 (phase 2). Pattern match "(\\[ ?http://.*){4,}" at ARGS:wpTextbox1. [hostname "domainname.com"] [uri "/index.php"] [unique_id "TmZm@lUN67oAACO3LgMAAAAN"]
++++++++++++++++++++++++++++
Here the ID is 300023 and the URL is index.php. The error is that multiple embedded URLs were used.
3) To override this, create a new directory:
mkdir -p /usr/local/apache/conf/userdata/std/2/username/domainname/
4) Create the ModSecurity configuration file in that directory:
vi /usr/local/apache/conf/userdata/std/2/username/domainname/mod_security.conf
5) Paste the following contents in the file based on the data collected in step 2.
++++++++++
SecRuleRemoveById ruleId
++++++++++
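The override is meant to match on both the URL and the rule ID. Placed directly in this per-domain file, SecRuleRemoveById matches on the ID alone and disables the rule for every URL on the domain; enclosing the directive in an Apache <LocationMatch> block for the URI found in step 2 limits it to that page.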
Eg:
++++++++++
SecRuleRemoveById 300023
++++++++++
6) Run the script:
/scripts/ensure_vhost_includes --user=username
7) Check whether the file is included in httpd using the command below.
grep "std/2/username" /usr/local/apache/conf/httpd.conf
8) Restart Apache.
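Steps 1, 2 and 5 as an added example (not code from the original post): it reads ModSecurity "Access denied" entries, keeps those for one domain, and writes an override scoped to each blocked URI and rule ID. The function names and the sample log lines are constructed for illustration, and scoping with <LocationMatch> is an assumption of this example, since the snippet in step 5 shows only SecRuleRemoveById.

```python
import re
from collections import defaultdict

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [name "value"] pairs
SAFE_URI = re.compile(r'^/[A-Za-z0-9._/-]*$')  # the URI is request-controlled: refuse odd ones
BLOCK = '<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n'

# Constructed sample lines in the layout of the log entry shown in step 2.
SAMPLE_LOG = """\
[Tue Sep 06 19:31:22 2011] [error] [client 192.0.2.10] ModSecurity: [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "116"] [id "300023"] [msg "Possible Spam: Multiple embedded urls"] Access denied with code 403 (phase 2). [hostname "domainname.com"] [uri "/index.php"] [unique_id "c1"]
[Tue Sep 06 19:33:40 2011] [error] [client 192.0.2.11] ModSecurity: [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "116"] [id "300023"] [msg "Possible Spam: Multiple embedded urls"] Access denied with code 403 (phase 2). [hostname "domainname.com"] [uri "/index.php"] [unique_id "c2"]
[Tue Sep 06 19:35:02 2011] [error] [client 192.0.2.12] ModSecurity: [id "300023"] [msg "Possible Spam"] Access denied with code 403 (phase 2). [hostname "other.example"] [uri "/post.php"] [unique_id "c3"]
[Tue Sep 06 19:36:15 2011] [error] [client 192.0.2.13] ModSecurity: [id "300023"] [msg "Possible Spam"] Access denied with code 403 (phase 2). [hostname "domainname.com"] [uri "/wiki/My Page"] [unique_id "c4"]
[Tue Sep 06 19:37:00 2011] [error] [client 192.0.2.14] File does not exist: /home/username/public_html/favicon.ico
"""

def parse_denials(log_text):
    """Return (hostname, uri, rule_id) for every ModSecurity 'Access denied' line."""
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line or "Access denied" not in line:
            continue
        fields = dict(FIELD.findall(line))  # on duplicate names the last one wins
        if re.fullmatch(r"[0-9]+", fields.get("id", "")) and "hostname" in fields and "uri" in fields:
            hits.append((fields["hostname"], fields["uri"], fields["id"]))
    return hits

def build_override(hits, hostname):
    """Return (config_text, skipped_uris) with one block per blocked URI of `hostname`."""
    by_uri, skipped = defaultdict(set), set()
    for host, uri, rule_id in hits:
        if host != hostname:
            continue  # the userdata file is per domain, so ignore other vhosts
        if SAFE_URI.match(uri):
            by_uri[uri].add(rule_id)
        else:
            skipped.add(uri)  # never copy an unusual URI into Apache config unreviewed
    blocks = []
    for uri in sorted(by_uri):
        ids = " ".join(sorted(by_uri[uri], key=int))
        blocks.append(BLOCK % (re.escape(uri), ids))
    return "".join(blocks), sorted(skipped)

if __name__ == "__main__":
    config, skipped = build_override(parse_denials(SAMPLE_LOG), "domainname.com")
    print(config, end="")
    print("# skipped, review by hand:", skipped)
```

The printed blocks go into the file created in step 4; steps 6 to 8 then apply unchanged.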
Conclusion
Disabling a ModSecurity rule for a specific domain is an effective way to resolve false positives while keeping overall server security intact. Instead of disabling ModSecurity entirely, selectively turning off problematic rules ensures that your application runs smoothly without compromising protection.
Proper monitoring and testing after making changes are essential to maintain a secure and stable hosting environment.

Fantastic content I think you learn something new every day. Nice, informative site by the way. Thanks for sharing
Thank you for your comment!!!
We always welcome your comments to improve our blog. So, please keep on visiting our blog and provide a suggestion to improve our blog.