How to turn off/on ModSecurity firewall rules on your account
ModSecurity is an open-source Web Application Firewall (WAF) that helps protect your website from malicious traffic and common attacks such as SQL injection and cross-site scripting (XSS). It works by inspecting HTTP requests and applying security rules to block suspicious activity.
When should you turn ModSecurity on or off?
- Keep it ON (recommended): Enable ModSecurity to protect your site against a wide range of known threats.
- Temporarily turn it OFF: In rare cases, a strict rule may block a legitimate request (a “false positive”), causing features to break or forms to fail. You can temporarily disable ModSecurity or adjust specific rules to confirm and resolve the issue.
Warning: Disabling ModSecurity reduces your site’s protection. If you turn it off, do so only as a temporary test and re-enable it as soon as possible.
Turn ModSecurity ON/OFF in cPanel
- Log in to your cPanel account.
- In the Security section, click ModSecurity.
- Locate the domain you want to manage. In the Status column:
- Click Off to disable ModSecurity for that domain.
- Click On to re-enable it.
Tip: If a specific action is being blocked, note any error message or rule ID shown in your app/error logs. Re-enable ModSecurity, then ask us to review or relax just that rule for your domain so you stay protected without breaking functionality. Contact WHC support.
Best practice: Only disable ModSecurity briefly to test, document your findings (time, URL, what was blocked, any rule IDs), and turn it back On once the issue is resolved.
