ModSecurity in DirectAdmin


Understanding the ModSecurity Web Application Firewall

ModSecurity is a web application firewall (WAF) that monitors and filters HTTP traffic to your website. It helps protect against common attacks such as SQL injection, cross-site scripting (XSS), remote file inclusion, and other OWASP Top 10 threats. Most DirectAdmin servers have ModSecurity installed and enabled by default.

Checking ModSecurity Status

  1. Log in to DirectAdmin and navigate to Advanced Features → ModSecurity (if available at the user level).
  2. If ModSecurity settings are not visible, it may be managed at the server administrator level. Contact your hosting provider to confirm it is active.

How ModSecurity Works

ModSecurity uses rulesets to detect malicious requests. The most common ruleset is the OWASP Core Rule Set (CRS), which provides protection against:

  • SQL Injection: Attempts to manipulate database queries through user input.
  • Cross-Site Scripting (XSS): Injecting malicious scripts into web pages.
  • Remote File Inclusion: Loading unauthorized external files.
  • Command Injection: Executing system commands through web forms.
  • Directory Traversal: Attempting to access files outside the web root.

Dealing with False Positives

Sometimes ModSecurity blocks legitimate requests. This is called a false positive. Symptoms include:

  • Receiving a 403 Forbidden error when submitting forms or uploading content.
  • Admin panel actions (such as saving posts in WordPress) being blocked.
  • API calls returning unexpected errors.

To identify the rule causing the block, check your domain's error log in Account Manager → Error Log. Look for entries containing ModSecurity and note the rule ID number.
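
The example below is added here and is not DirectAdmin or ModSecurity code. It groups error-log entries by unique_id, keeps only requests that were actually denied, and reports the detection rules behind each block rather than CRS rule 949110, which only enforces the anomaly score. The log lines are constructed samples in the ModSecurity 2.x layout, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample entries in the ModSecurity 2.x Apache error-log layout.
SAMPLE_LOG = r'''
[Tue Mar 05 10:12:44 2024] [:error] [client 203.0.113.7] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/wp-admin/post.php"] [unique_id "REQ-A"]
[Tue Mar 05 10:12:44 2024] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-admin/post.php"] [unique_id "REQ-A"]
[Tue Mar 05 10:13:02 2024] [:error] [client 203.0.113.9] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/search"] [unique_id "REQ-B"]
[Tue Mar 05 10:14:10 2024] [:error] [client 203.0.113.7] PHP Notice: unrelated application message
'''

# Matches the [name "value"] fields ModSecurity appends to each entry.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
BLOCKING_EVAL_ID = "949110"  # CRS rule that enforces the inbound anomaly score


def parse_entry(line):
    """Return the bracketed fields of one ModSecurity entry, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "id" not in fields or "unique_id" not in fields:
        return None
    fields["denied"] = "ModSecurity: Access denied" in line
    return fields


def blocked_requests(log_text):
    """Map each blocked URI to the sorted rule IDs that caused the block."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            by_request[entry["unique_id"]].append(entry)
    report = defaultdict(set)
    for entries in by_request.values():
        if not any(e["denied"] for e in entries):
            continue  # warning was logged, but the request was not blocked
        ids = {e["id"] for e in entries}
        # Prefer the detection rules; fall back to the denying rule itself.
        report[entries[0].get("uri", "?")] |= (ids - {BLOCKING_EVAL_ID}) or ids
    return {uri: sorted(ids) for uri, ids in report.items()}


if __name__ == "__main__":
    for uri, ids in blocked_requests(SAMPLE_LOG).items():
        print(uri, ids)
```

The IDs it prints for a blocked URI are the ones to pass to your hosting provider.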

Disabling Specific Rules

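If you identify a false positive, you can ask your hosting provider to disable the specific rule for your domain. Provide them with the rule ID from the error log. Alternatively, if you have access and the server allows ModSecurity directives in .htaccess, add the following to your .htaccess, replacing the example rule IDs with the ones from your error log: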

<IfModule mod_security2.c>
    SecRuleRemoveById 949110
    SecRuleRemoveById 941100
</IfModule>

Warning: Disabling ModSecurity entirely is not recommended. Only disable specific rules that are confirmed false positives, and keep the firewall active for overall protection.