Introduction

ModSecurity is an Apache web application firewall (WAF) module that helps protect websites from common attacks such as SQL injection, cross-site scripting (XSS), and malicious POST requests. While it provides an additional layer of security, certain applications or websites may generate false positives, resulting in errors such as 406 Not Acceptable.

In such cases, ModSecurity can be temporarily disabled either through the .htaccess file or by creating a custom Apache configuration for a specific domain.


Prerequisites

Before proceeding, ensure the following:

  • Root or sudo access to the server
  • WHM/cPanel server with Apache installed
  • ModSecurity module enabled on the server
  • Basic knowledge of Linux command line operations
  • Backup of existing Apache configuration files
  • Ensure disabling ModSecurity is necessary, as it reduces website protection

Method 1: Disable ModSecurity Using .htaccess

This method disables ModSecurity for a specific website using the site’s .htaccess file.

Step 1: Open the .htaccess File

Navigate to the website document root and edit the .htaccess file.

Example:

cd /home/USERNAME/public_html
vi .htaccess

Step 2: Add the Following Lines

Insert the following directives into the .htaccess file:

SecFilterEngine Off
SecFilterScanPOST Off

Step 3: Save the File

Save the changes and exit the editor.


Step 4: Test the Website

Access the website and verify whether the issue has been resolved.

Note: SecFilterEngine and SecFilterScanPOST are ModSecurity 1.x directives. ModSecurity 2.x does not recognise them, and Apache answers an unknown directive in .htaccess with a 500 Internal Server Error, so if the site stops loading after this change remove the two lines and use Method 2 instead.


Method 2: Disable ModSecurity for a Specific Domain Using Apache Configuration

If the .htaccess method does not work, create a custom Apache configuration for the domain.


Step 1: Verify Apache Include Paths

Check the Apache configuration includes:

Include "/usr/local/apache/conf/userdata/*.conf"
Include "/usr/local/apache/conf/userdata/*.owner-root"
Include "/usr/local/apache/conf/userdata/std/*.conf"
Include "/usr/local/apache/conf/userdata/std/*.owner-root"
Include "/usr/local/apache/conf/userdata/std/2/*.conf"
Include "/usr/local/apache/conf/userdata/std/2/*.owner-root"

These paths allow custom domain-specific Apache configurations.


Step 2: Navigate to the Userdata Directory

cd /usr/local/apache/conf/userdata/std/2/

Step 3: Create User and Domain Directories

Example:

  • Domain: google.com
  • cPanel Username: goog

Create the directories:

mkdir goog
cd goog
mkdir google.com
cd google.com

Step 4: Create the ModSecurity Configuration File

touch mod_security2.conf
vi mod_security2.conf

Add the following line:

SecRuleEngine Off

Save and exit the file.


Step 5: Rebuild Apache Configuration

Run the following command:

/scripts/ensure_vhost_includes --all-users

Step 6: Restart Apache

/etc/init.d/httpd restart

Or on newer systems:

systemctl restart httpd
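Steps 2 to 6 above, collected into one script as an added example; this is not from the original article or from cPanel. It assumes the std/2 userdata layout the article shows (the root is configurable through APACHE_CONF_ROOT so it can be tried outside /usr/local/apache/conf), and the function names and the MODSEC_MODE variable are hypothetical. Besides Off, the same SecRuleEngine directive accepts DetectionOnly, which keeps logging rule matches for this vhost without blocking requests, so the script lets you choose that instead of switching the engine off entirely.

```shell
#!/bin/sh
# Added example, not part of the original article or of cPanel: create the
# per-domain ModSecurity include that Method 2 describes.
# Assumptions: cPanel's userdata/std/2/<user>/<domain>/ layout under
# APACHE_CONF_ROOT (default /usr/local/apache/conf).
set -e

APACHE_CONF_ROOT="${APACHE_CONF_ROOT:-/usr/local/apache/conf}"

# Path of the include: <root>/userdata/std/2/<user>/<domain>/mod_security2.conf
modsec_include_path() {
    printf '%s/userdata/std/2/%s/%s/mod_security2.conf\n' "$APACHE_CONF_ROOT" "$1" "$2"
}

# Write the include. The third argument is the SecRuleEngine value:
# Off disables the engine for this vhost only, DetectionOnly logs without blocking.
# Prints the path of the file it wrote.
write_modsec_include() {
    user="$1"; domain="$2"; mode="${3:-Off}"
    case "$mode" in
        On|Off|DetectionOnly) ;;
        *) echo "unsupported SecRuleEngine value: $mode" >&2; return 1 ;;
    esac
    # Refuse names that could place the file outside the userdata tree.
    case "$user$domain" in
        *[!A-Za-z0-9._-]*|*..*) echo "invalid user or domain name" >&2; return 1 ;;
    esac
    f="$(modsec_include_path "$user" "$domain")"
    mkdir -p "$(dirname "$f")"
    printf '# ModSecurity override for %s (account %s)\nSecRuleEngine %s\n' \
        "$domain" "$user" "$mode" > "$f"
    printf '%s\n' "$f"
}

# Read the SecRuleEngine value back out of an include file.
modsec_mode_of() {
    sed -n 's/^SecRuleEngine[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1"
}

# Step 5 and 6 of Method 2: rebuild the vhost includes and restart Apache.
apply_and_restart() {
    /scripts/ensure_vhost_includes --all-users
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart httpd
    else
        /etc/init.d/httpd restart
    fi
}

# Usage: CPANEL_USER=goog DOMAIN=google.com [MODSEC_MODE=DetectionOnly] sh disable_modsec.sh
if [ -n "${CPANEL_USER:-}" ] && [ -n "${DOMAIN:-}" ]; then
    created="$(write_modsec_include "$CPANEL_USER" "$DOMAIN" "${MODSEC_MODE:-Off}")"
    echo "wrote $created"
    if [ -x /scripts/ensure_vhost_includes ]; then
        apply_and_restart
    fi
fi
```

The rebuild and restart run only when the cPanel script is present, so the file-writing part can be exercised on any machine; on the server, run it as root with CPANEL_USER and DOMAIN set.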

Verification

After restarting Apache:

  • Open the website in a browser
  • Verify the previous ModSecurity-related errors are resolved
  • Review Apache logs if needed:

tail -f /usr/local/apache/logs/error_log

Conclusion

Disabling ModSecurity for a specific user or domain can help resolve issues caused by false-positive security rules. Using a domain-specific Apache configuration is the preferred method because it avoids disabling protection server-wide. However, ModSecurity should only be disabled when necessary, and alternative rule exclusions should be considered whenever possible to maintain server security.
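The log review in the Verification section and the rule exclusions the conclusion recommends, worked through as an added example (not code from the original article): it counts blocked requests in the Apache error_log by rule id, hostname and URI, then emits a per-domain include that removes only the noisiest rule with SecRuleRemoveById, which can go in the same mod_security2.conf location Method 2 uses in place of SecRuleEngine Off. The log lines are constructed samples in the ModSecurity 2.x error-log format; the rule ids, hostnames and paths in them are illustrative, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article: find which ModSecurity rule
# is blocking a site before deciding whether to disable anything.
# The log below is a constructed sample; ids and hostnames are illustrative.
set -e

SAMPLE_LOG="${TMPDIR:-/tmp}/modsec_sample_error_log.$$"
cat > "$SAMPLE_LOG" <<'EOF'
[Tue Jun 04 10:00:01.000000 2024] [:error] [pid 1001] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "53"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "google.com"] [uri "/wp-admin/post.php"] [unique_id "u1"]
[Tue Jun 04 10:00:07.000000 2024] [:error] [pid 1002] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:content. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "53"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "google.com"] [uri "/wp-admin/post.php"] [unique_id "u2"]
[Tue Jun 04 10:02:13.000000 2024] [:error] [pid 1003] [client 198.51.100.9] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:id. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "44"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "google.com"] [uri "/product.php"] [unique_id "u3"]
[Tue Jun 04 10:03:00.000000 2024] [:error] [pid 1004] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [file "..."] [line "10"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [hostname "google.com"] [uri "/"] [unique_id "u4"]
EOF

# Count blocked requests per (rule id, hostname, uri), most frequent first.
# Only "Access denied" entries count; "Warning." entries did not block anything.
denials_by_rule() {
    grep 'ModSecurity: Access denied' "$1" \
      | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[hostname "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \3/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2, $3, $4 }'
}

# Rule id responsible for the most denials in the log.
top_denied_rule() {
    denials_by_rule "$1" | awk 'NR == 1 { print $2 }'
}

# Per-domain include that switches off one rule instead of the whole engine.
exclusion_for() {
    printf '# exclude rule %s for this vhost only (added example)\nSecRuleRemoveById %s\n' "$1" "$1"
}

echo "denials by rule / host / uri:"
denials_by_rule "$SAMPLE_LOG"
echo
echo "suggested mod_security2.conf content for the noisiest rule:"
exclusion_for "$(top_denied_rule "$SAMPLE_LOG")"
```

Run it against the real log with `denials_by_rule /usr/local/apache/logs/error_log`; a rule that fires repeatedly on one legitimate admin path, as the 941100 entries do in the sample, is the usual false-positive signature, and removing that single rule for the domain keeps the rest of the rule set active.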
