How can I disable mod security in htaccess file

Question

How can we disable mod security by using  htaccess file on Apache server   I am using WordPress on my personal domain and posting a post which content has some code block and as per my hosting provider said mod security gives an error and my IP has gone into firewall because of mod security   So I want to disable mod security by using  htaccess file

User · Answer

On some servers and web hosts  it s possible to disable ModSecurity via  htaccess  but be aware that you can only switch it on or off  you can t disable individual rules  But a good practice that still keeps your site secure is to disable it only on specific URLs  rather than your entire site  You can specify which URLs to match via the regex in the  lt If gt  statement below        DISABLE mod security firewall     Some rules are currently too strict and are blocking legitimate users     We only disable it for URLs that contain the regex below     The regex below should be placed between  quot m  quot  and  quot   quot        this syntax is required when the string contains forward slashes   lt IfModule mod security c gt     lt If  quot   REQUEST URI     m  admin   quot  gt      SecFilterEngine Off     SecFilterScanPOST Off    lt  If gt   lt  IfModule gt

User · Answer

It is possible to do this  but most likely your host implemented mod security for a reason  Be sure they approve of you disabling it for your own site   That said  this should do it    lt IfModule mod security c gt    SecFilterEngine Off   SecFilterScanPOST Off  lt  IfModule gt

User · Answer

With some web hosts including NameCheap  it s not possible to disable ModSecurity using  htaccess  The only option is to contact tech support and ask them to alter the configuration for you

User · Answer

When the above solution doesn   t work try this    lt IfModule mod security c gt    SecRuleEngine Off   SecFilterInheritance Off   SecFilterEngine Off   SecFilterScanPOST Off   SecRuleRemoveById 300015 3000016 3000017  lt  IfModule gt

User · Answer

Just to update this question for mod security 2 7 0  - they turned off the ability to mitigate modsec via htaccess unless you compile it with the --enable-htaccess-config flag  Most hosts do not use this compiler option since it allows too lax security  Instead  vhosts in httpd conf are your go-to option for controlling modsec  Even if you do compile modsec with htaccess mitigation  there are less directives available  SecRuleEngine can no longer be used there for example  Here is a list that is available to use by default in htaccess if allowed  keep in mind a host may further limit this list with AllowOverride       - SecAction     - SecRule      - SecRuleRemoveByMsg     - SecRuleRemoveByTag     - SecRuleRemoveById      - SecRuleUpdateActionById     - SecRuleUpdateTargetById     - SecRuleUpdateTargetByTag     - SecRuleUpdateTargetByMsg  More info on the official modsec wiki As an additional note for 2 x users  the IfModule should now look for mod security2 c instead of the older mod security c

User · Answer

For anyone that simply are looking to bypass the ERROR page to display the content on shared hosting  You might wanna try and use redirect in  htaccess file  If it is say 406 error  on UnoEuro it didn t seem to work simply deactivating the security  So I used this instead   ErrorDocument 406     Then you can always change the error status using PHP  But be aware that in my case doing so means I am opening a door to SQL injections as I am bypassing WAF  So you will need to make sure that you either have your own security measures or enable the security again asap

User · Answer

In  htaccess file at site root directory edit following line    x000D   x000D   lt ifmodule mod security c gt  x000D   x000D  SecFilterEngine Off x000D  SecFilterScanPOST Off x000D   x000D   lt  ifmodule gt  x000D   x000D   lt IfModule mod rewrite c gt  x000D  RewriteEngine On x000D  RewriteBase   x000D  RewriteCond   REQUEST FILENAME   -f x000D  RewriteCond   REQUEST FILENAME   -d x000D  RewriteRule    index php  L  x000D   lt  IfModule gt  x000D   x000D   x000D    Just keep the  mod security rules like SecFilterEngine  and  parts apart from each other  Its works for apache server

[php] How can I disable mod_security in .htaccess file?

Examples related to php

Examples related to apache

Examples related to .htaccess