ModSecurity (ModSec) is a web application firewall (WAF) designed to protect websites from malicious traffic. While it improves security, overly strict ModSecurity rules can sometimes block legitimate requests, leading to website functionality issues, especially after migrating a site to a new hosting provider or server environment.
This article explains how to identify and fix ModSecurity-related issues without fully disabling the firewall.
Common Symptoms of ModSecurity Issues
When ModSecurity blocks valid requests, you may experience:
- Inability to submit forms or save content.
- Failed file or media uploads.
- 403 Forbidden or 500 Internal Server Error messages.
- AJAX requests are failing silently.
- Posting or replying features are not working in web applications.
- Errors occur only after migrating to a new server.
These issues are commonly caused by false positives, where ModSecurity rules incorrectly flag legitimate requests as threats.
Why ModSecurity Causes These Issues?
ModSecurity works by matching requests against predefined security rules. Problems may occur due to:
- Changes in server software or ModSecurity rule sets.
- Differences between hosting environments.
- Applications using AJAX, POST requests, or encoded input.
- Strict rules triggered by application-specific scripts.
Instead of disabling ModSecurity entirely, the recommended approach is to exclude only the problematic rules for affected URLs or scripts.
How to Fix ModSecurity Issues (Recommended Method)
- Identify the Blocked Rule IDs:
Check the Apache error log or ModSecurity audit log to find the rule IDs being triggered. These logs typically show entries like:Access denied with code 403 (phase 2). Pattern match ... [id "300013"]
Note down the rule IDs causing the issue.
- Create or Edit a ModSecurity Whitelist File
Locate the ModSecurity exclusion configuration file. Common paths include:/usr/local/apache/conf/modsec2/exclude.conf
or
/usr/local/apache/conf/modsec2.user.conf
If the file does not exist, create it.
- Exclude Specific Rules for Affected URLs
Use <LocationMatch> to disable only the problematic rules for specific scripts or paths.
Example:<LocationMatch "/path-to-affected-script.php"> SecRuleRemoveById 300013 300015 300016 300017 </LocationMatch>
- Replace the path and rule IDs based on your logs.
- Avoid removing rules globally unless necessary.
This ensures ModSecurity remains active for the rest of the website.
- Include the Whitelist File in the Main ModSecurity Configuration
Open the main ModSecurity configuration file:/usr/local/apache/conf/modsec2.conf
Add or verify that the following line exists:
Include "/usr/local/apache/conf/modsec2.user.conf"
- Restart Apache
Apply the changes by restarting Apache:service httpd restart
or
systemctl restart httpd
If you continue experiencing issues or are unsure which rules to disable, our support specialists can assist you with safely configuring ModSecurity for your website.