Score: 42

How can we disable mod_security by using .htaccess file on Apache server?

I am using WordPress on my personal domain and am posting a post whose content has a code block. As my hosting provider said, mod_security gives an error and my IP has gone into the firewall because of mod_security.

So I want to disable mod_security by using .htaccess file.

– Gaurav Agrawal (edited by Giacomo1968)

  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Oct 30 '16 at 14:40
  • First, this is not a programming issue (although I thought it was and that's how I bumped into this page). Second, this is an old thread. Anyway, I hope everyone gains something out of this. I had a Mod_Security error as well but my host (bluehost) **white-listed** the page for me. I didn't have to turn off the mod myself. – itsols Nov 30 '16 at 03:19

7 Answers

Answer score: 57

It is possible to do this, but most likely your host implemented mod_security for a reason. Be sure they approve of you disabling it for your own site.

That said, this should do it:

<IfModule mod_security.c>
  # SecFilter* are ModSecurity 1.x directive names; 2.x ships as mod_security2.c
  # and uses SecRuleEngine instead
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>
– Xyon (edited by Giacomo1968)
  • Note that mod_security could be compiled to prevent this switch-off by .htaccess files. And the host could also limit .htaccess authorizations via AllowOverride settings. – regilero Oct 17 '12 at 11:47
  • Very true. I imagine the best approach here would really be to contact the hosting provider and request that block (stanza?) be incorporated into the vhost instead. This way, you'll also be in the clear of any issues the host might have with you turning off mod_security in the first place. :) – Xyon Oct 17 '12 at 12:15
  • Is it possible to disable it only for certain URLs/files? – Simon East May 28 '14 at 10:41
  • If you put it within a particular block, or in an .htaccess file, sure. Look up how file matching works in Apache. – Xyon Jul 31 '14 at 13:07

Answer score: 14

On some servers and web hosts, it's possible to disable ModSecurity via .htaccess, but be aware that you can only switch it on or off; you can't disable individual rules.

But a good practice that still keeps your site secure is to disable it only on specific URLs, rather than your entire site. You can specify which URLs to match via the regex in the <If> statement below...

### DISABLE mod_security firewall
### Some rules are currently too strict and are blocking legitimate users
### We only disable it for URLs that contain the regex below
### The regex below should be placed between "m#" and "#"
### (this syntax is required when the string contains forward slashes)
### Note: <If> needs Apache 2.4+; SecFilter* are ModSecurity 1.x directive names
<IfModule mod_security.c>
  <If "%{REQUEST_URI} =~ m#/admin/#">
    SecFilterEngine Off
    SecFilterScanPOST Off
  </If>
</IfModule>
– Simon East
  • This is the best solution, in my opinion. I was having issues with GravityForms and for the url I added `wp-admin/admin.php?page=gf_edit_forms` – Ciprian Tepes Aug 21 '17 at 19:15
  • I couldn't make this work and found another way of doing it at Server Fault: [How to disable mod_security2 rule (false positive) for one domain on centos 5](https://serverfault.com/a/213214/128311) – brasofilo Feb 26 '21 at 19:40

Answer score: 6

When the above solution doesn’t work try this:

<IfModule mod_security.c>
  # ModSecurity 2.x directive
  SecRuleEngine Off
  # ModSecurity 1.x directives
  SecFilterInheritance Off
  SecFilterEngine Off
  SecFilterScanPOST Off
  # ModSecurity 2.x directive; the rule ids are the answer's own, not explained
  SecRuleRemoveById 300015 3000016 3000017
</IfModule>
– manuel-84 (edited by Giacomo1968)
  • Why is your answer better than the other answer? All I can see is the value in `SecRuleEngine Off` as well as `SecFilterInheritance Off`, but you provide no explanation of how `SecRuleRemoveById` works? I understand the concept: individual rules like the numbers you list can selectively be turned off via that directive. But why are you specifically using `300015`, `3000016` and `3000017` in your post? – Giacomo1968 Oct 20 '14 at 01:21
  • Yes, what do those numbers represent? – Simon East Feb 09 '15 at 22:23
  • Still curious about what these numbers mean...? – nullwriter Jun 23 '15 at 01:53
  • The numbers are specific ModSec rules. Seems safer to disable rules case by case, instead of turning off the whole thing. However, this answer also turns off the whole thing, in which case turning off certain rules makes no sense. – johny why Apr 12 '18 at 05:45
  • Using just the `SecRuleRemoveById 300015` line worked for me. – Eternal Nov 18 '22 at 16:11

Answer score: 5

Just to update this question for mod_security 2.7.0+ - they turned off the ability to mitigate modsec via htaccess unless you compile it with the --enable-htaccess-config flag. Most hosts do not use this compiler option since it allows too lax security. Instead, vhosts in httpd.conf are your go-to option for controlling modsec.

Even if you do compile modsec with htaccess mitigation, there are fewer directives available. SecRuleEngine can no longer be used there, for example. Here is the list that is available to use by default in htaccess if allowed (keep in mind a host may further limit this list with AllowOverride):

    - SecAction
    - SecRule

    - SecRuleRemoveByMsg
    - SecRuleRemoveByTag
    - SecRuleRemoveById

    - SecRuleUpdateActionById
    - SecRuleUpdateTargetById
    - SecRuleUpdateTargetByTag
    - SecRuleUpdateTargetByMsg

More info on the official modsec wiki

As an additional note for 2.x users: the IfModule should now look for mod_security2.c instead of the older mod_security.c

– dhaupin (edited by Community)
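As an added example (not code from any of the answers above, and not the ModSecurity project's own), the two forms that the answer above and the top answer point to: the exemption-only directives a 2.7+ build accepts in .htaccess when the host compiled it with --enable-htaccess-config and AllowOverride permits them, and the vhost stanza a host could add to httpd.conf instead, scoped to the WordPress editor rather than the whole site. The rule ids 999001 and 999002, the hostname example.com, the DocumentRoot, the /wp-admin/ paths and the `content` parameter name are placeholders; the real ids come from the `[id "..."]` field of the ModSecurity error-log line that blocked the request.

```apache
# Added example, not from the answers above. Ids, paths and hostname are placeholders.

# 1) .htaccess on a 2.7+ build: only exemption directives are accepted here,
#    SecRuleEngine is not. Match the 2.x module name, not mod_security.c.
<IfModule mod_security2.c>
  # Drop the rules whose ids appeared in the "[id "..."]" field of the
  # error-log line that blocked the post (placeholder ids below).
  SecRuleRemoveById 999001 999002

  # Narrower than removing a rule outright: keep the rule, but stop it
  # inspecting the one parameter that trips it (WordPress's post body,
  # assumed here to be the "content" argument). Everything else stays covered.
  SecRuleUpdateTargetById 999001 "!ARGS:content"
</IfModule>

# 2) What the host would add to the vhost on your behalf. The exemption is
#    limited to the editor endpoints, and DetectionOnly is used instead of Off
#    so the rules still log matches while no longer blocking them.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com

    <IfModule mod_security2.c>
        <LocationMatch "^/wp-admin/(post|admin)\.php">
            SecRuleEngine DetectionOnly
        </LocationMatch>
    </IfModule>
</VirtualHost>
```

The .htaccess part only takes effect if the host built ModSecurity with --enable-htaccess-config and AllowOverride permits it; if `apachectl configtest` (or the request) reports an "Invalid command" for a Sec* directive, that is the signal to hand the second block to the host instead. Prefer the per-rule or per-location exemption over a site-wide `SecRuleEngine Off`: the reason the editor trips a rule is usually one rule and one parameter, and that is all that needs to be excluded.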

Answer score: 5

With some web hosts including NameCheap, it's not possible to disable ModSecurity using .htaccess. The only option is to contact tech support and ask them to alter the configuration for you.

– Alex (edited by Simon East)
  • This sounds like it should be a "comment" regarding one of the answers, not an answer in itself. – Simon East Sep 01 '16 at 02:31
  • Simon East, unfortunately my answer is the ONLY option with "NameCheap" hosting. Not a comment. You have no other option but to ask tech support to enable this option for you. This is FACT, not opinion, not comment. I use NameCheap. Also note, I do not have a reputation of 50 or greater at this time, so my answer is impossible to add as a comment. – Alex Sep 05 '17 at 04:13
  • Ok, I see that it won't let you comment. I suppose that saying "This will not help you" sounds confusing in an answer though, as we're not sure what the "This" is referring to - are you referring to the original question or another user's answer? Perhaps you mean that .htaccess will not be of any help on NameCheap, is that right? – Simon East Sep 06 '17 at 02:00
  • By "this" I mean all answers, all code, all attempts by any means, all of them... will not work. Not until after support is contacted and the OP requests (and receives) enabled access to any type of mod_security functionality. The OP is asking how to do something that cannot be done if they are hosted on NameCheap. My answer is therefore a valid answer, informing the OP and anyone else googling this issue, that NameCheap hosting itself will require them to request permission to do this. I hope to save people time and frustration thinking their code isn't working, when it is blocked. – Alex Sep 07 '17 at 02:27
  • Legit answer. Usually I dislike "you can't" answers, because it usually means "I don't know." But in this case, "you can't" is correct. (I'm on NameCheap too -- great host, so far.) – johny why Apr 12 '18 at 05:48

Answer score: 4

In the .htaccess file at the site root directory, edit the following lines:

<IfModule mod_security.c>
  # ModSecurity 1.x directives, kept in their own block
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

<IfModule mod_rewrite.c>
  # Standard WordPress front-controller rewrite, kept in a separate block
  RewriteEngine On
  RewriteBase /
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>

Just keep the mod_security rules like SecFilterEngine in a block of their own, apart from the other parts. It works on an Apache server.

– OpenWebWar
Answer score: 0

For anyone who is simply looking to bypass the ERROR page to display the content on shared hosting: you might want to try using a redirect in the .htaccess file. If it is, say, a 406 error, on UnoEuro it didn't seem to work to simply deactivate the security, so I used this instead:

ErrorDocument 406 /

Then you can always change the error status using PHP. But be aware that in my case doing so means I am opening a door to SQL injections, as I am bypassing the WAF. So you will need to make sure that you either have your own security measures or enable the security again ASAP.

– Vadim Cool