Introduction
ModSecurity is a web application firewall (WAF) integrated with cPanel servers to protect websites from common attacks. It uses a set of rules (often from vendors like OWASP) to inspect incoming requests. Occasionally, these rules trigger false positives, blocking legitimate actions like form submissions, file uploads, or plugin functionality in applications (e.g., WordPress).
As a standard cPanel user, you can only enable or disable ModSecurity entirely for your domains. You cannot exclude or disable specific individual rules through the cPanel interface—this requires server administrator (WHM/root) access or a third-party plugin.
This guide explains what you can do as a user and how to proceed if you need to exclude a specific rule.
Prerequisites
- Access to your cPanel account.
- Identification of the issue (e.g., 403/406 errors with "ModSecurity" mentioned).
- ModSecurity must be enabled on the server (most hosts enable it by default).
Step 1: Log In to cPanel
- Open your browser and go to your cPanel login URL (usually https://yourdomain.com/cpanel or provided by your host).
- Enter your username and password.
Step 2: Access the ModSecurity Interface
- In the cPanel dashboard, scroll to the Security section.
- Click ModSecurity.
This opens a page listing all your domains with their ModSecurity status (usually "Enabled" by default).
Step 3: Temporarily Disable ModSecurity for a Domain (User-Level Option)
If a specific rule is causing issues:
- Find the affected domain in the list.
- Toggle the switch to Off for that domain (or click Disable if buttons are used).
- For all domains: Use the Enable or Disable buttons at the top if available.
Important Notes:
- Disabling ModSecurity removes all rule protection for the domain—only do this temporarily to test if ModSecurity is the cause.
- Re-enable it immediately after troubleshooting to restore security.
- Changes take effect quickly, but you may need to clear browser cache or test in incognito mode.
This is the only ModSecurity control available to standard cPanel users.
Identifying the Problematic Rule
To confirm ModSecurity is blocking and find the Rule ID:
- Perform the action that triggers the error (e.g., submit a form).
- Check your website's error logs via cPanel > Metrics > Errors, or ask your host for Apache/ModSecurity logs.
- Look for entries like [id "941100"] or "ModSecurity: Access denied with code 403".
- Common false positive rules: 941100/941160 (XSS), 930100 (path traversal), etc.
Excluding Specific Rules (Requires Hosting Provider Assistance)
Standard cPanel users cannot disable individual rules. This must be done by your hosting provider's administrator in WHM:
- They can disable rules globally or per-account/domain via WHM > Security Center > ModSecurity Tools.
- Some hosts install plugins like ConfigServer ModSecurity Control (CMC), which allows per-domain or per-user rule exclusions (whitelisting Rule IDs).
- Alternatives: Custom Apache includes or .htaccess tweaks (limited effectiveness).
Recommended Action:
- Contact your hosting support.
- Provide:
  - The exact error message.
  - The Rule ID(s) from logs.
  - The affected URL/action.
- Request to "exclude" or "whitelist" the specific Rule ID for your domain/account only.
- Ask if they have a user-facing tool or plugin for rule exclusions.
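The log check from "Identifying the Problematic Rule" and the details listed under "Recommended Action", as an added example (not part of the original guide or of cPanel's tooling): a Python script that pulls the Rule ID, message, hostname and URI out of error-log lines and groups them per affected URL. The sample lines are constructed and the field layout assumes the ModSecurity 2.x Apache error-log format; with OWASP CRS in anomaly-scoring mode the deny line usually carries 949110 while the rules that actually matched appear on "Warning" lines, so both are collected.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache error-log style used by ModSecurity 2.x.
SAMPLE_LOG = """\
[Mon Nov 03 10:15:32 2025] [error] [client 203.0.113.10] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "example.com"] [uri "/contact.php"]
[Mon Nov 03 10:15:32 2025] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.com"] [uri "/contact.php"]
[Mon Nov 03 10:16:01 2025] [error] [client 203.0.113.10] File does not exist: /home/user/public_html/favicon.ico
[Mon Nov 03 10:17:45 2025] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match. [id "930100"] [msg "Path Traversal Attack (/../)"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"]
"""

# [name "value"] metadata fields; the value may contain backslash-escaped quotes.
FIELD = re.compile(r'\[(id|msg|hostname|uri) "((?:[^"\\]|\\.)*)"\]')
# Group 2 is the HTTP status on a deny line and None on a Warning line.
ACTION = re.compile(r'ModSecurity: (Warning|Access denied with code (\d{3}))')

def parse_line(line):
    """Return a dict for a ModSecurity log line, or None for any other line."""
    action = ACTION.search(line)
    if not action:
        return None
    hit = dict(FIELD.findall(line))
    if "id" not in hit:
        return None
    hit["blocked"] = action.group(2) is not None
    return hit

def summarize(log_text):
    """Group hits by (hostname, uri): rule IDs seen and whether a request was denied."""
    report = defaultdict(lambda: {"rules": {}, "blocked": False})
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        entry = report[(hit.get("hostname", "?"), hit.get("uri", "?"))]
        entry["rules"][hit["id"]] = hit.get("msg", "")
        entry["blocked"] = entry["blocked"] or hit["blocked"]
    return dict(report)

if __name__ == "__main__":
    for (host, uri), entry in summarize(SAMPLE_LOG).items():
        print(f"{host}{uri} blocked={entry['blocked']}")
        for rule_id, msg in sorted(entry["rules"].items()):
            print(f"  rule {rule_id}: {msg}")
```

To use it on real data, save the lines shown under cPanel > Metrics > Errors to a file and pass the file's contents to summarize().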
Troubleshooting
- ModSecurity Icon Missing? Your host may have disabled the feature—contact support.
- Issues Persist After Disabling? The block may not be from ModSecurity (e.g., other firewalls like Cloudflare, Imunify360, or server configs).
- No Logs Visible? Users often can't see full ModSecurity hit logs—request them from support.
- Security Warning: Avoid leaving ModSecurity disabled long-term, as it exposes your site to risks.
Best Practices
- Only disable when necessary and re-enable promptly.
- Test changes thoroughly.
- Consider alternatives like adjusting your application (e.g., update plugins) to avoid triggering rules.
- Report persistent false positives to your host—they can tune rules server-wide.
This guide reflects standard cPanel behavior as of late 2025. Interfaces may vary slightly by host or cPanel version. If your setup includes additional tools (e.g., a custom ModSecurity manager), refer to your provider's documentation. Always prioritize security!
