Technical guide for Hovixa users on managing ModSecurity. Learn how to identify WAF blocks and safely disable specific rules to resolve false positives without compromising server security.
ModSecurity for Clients: Disabling Specific Rules for False Positives
ModSecurity is an open-source Web Application Firewall (WAF) that Hovixa uses to provide real-time monitoring and access control. It identifies and blocks malicious activity like SQL injection (SQLi) and Cross-Site Scripting (XSS). However, highly complex application requests—such as those from certain WordPress plugins or custom API calls—can occasionally trigger a "false positive," resulting in a 403 Forbidden error.
1. Identifying a ModSecurity Block
Before disabling security features, you must confirm that ModSecurity is the actual cause of the issue. A ModSecurity block typically manifests as:
- A generic 403 Forbidden error page when saving a post or submitting a form.
- An entry in your site’s error_log file or the cPanel Errors log indicating a "ModSecurity: Access denied" event.
2. Disabling ModSecurity per Domain
If a specific domain is completely incompatible with the default rule set, you can toggle the firewall off entirely for that host. This is discouraged as it removes a critical layer of defense.
- Log in to cpanel.hovixa.com.
- Navigate to the Security section and click ModSecurity.
- Locate the domain in the list.
- Click Off next to the domain name.
3. Disabling Specific Rules (Analytical Approach)
The correct method for maintaining security while resolving a false positive is to identify the specific Rule ID that is being triggered and disable only that rule. This ensures the rest of the WAF protection remains active.
Step A: Find the Rule ID
- Navigate to the Metrics section in cPanel and click Errors.
- Look for a log entry containing [id "123456"]. The number inside the quotes is the Rule ID.
- Note the reason provided (e.g., Inbound Anomaly Score Exceeded).
Step B: Whitelisting the Rule via .htaccess
On Hovixa servers, you can use .htaccess directives to disable a specific rule for a directory. Replace 123456 with the ID found in your error logs.
<IfModule mod_security2.c>
SecRuleRemoveById 123456
</IfModule>
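The following Python script is an added example, not Hovixa's or ModSecurity's own code. It automates Step A on a downloaded error log by listing, for each blocked request, the rule ID on the "Access denied" entry and the rule IDs of the warnings logged for the same request. It assumes the ModSecurity 2.x Apache error_log field layout and an OWASP CRS anomaly-scoring setup in which those entries share a unique_id; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x Apache error_log layout.
SAMPLE_LOG = """\
[Tue Mar 05 10:15:32 2024] [error] [client 203.0.113.10] ModSecurity: Warning. detected SQLi using libinjection. [file "/rules/REQUEST-942.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "AAA111"]
[Tue Mar 05 10:15:32 2024] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "AAA111"]
[Tue Mar 05 10:20:01 2024] [error] [client 198.51.100.7] File does not exist: /home/user/public_html/favicon.ico
"""

# Matches bracketed key/value fields such as [id "949110"] or [uri "/x"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_entry(line):
    """Return the bracketed fields of a ModSecurity log line, or None."""
    if "ModSecurity:" not in line:
        return None
    entry = dict(FIELD.findall(line))
    if "id" not in entry:
        return None
    entry["denied"] = "ModSecurity: Access denied" in line
    return entry

def blocked_requests(log_text):
    """Group entries by unique_id and report only requests that were denied."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            by_request[entry.get("unique_id", "?")].append(entry)
    report = []
    for entries in by_request.values():
        denied = [e for e in entries if e["denied"]]
        if not denied:
            continue  # warnings only: the request was not blocked
        report.append({
            "uri": denied[0].get("uri", ""),
            "denied_by": denied[0]["id"],
            "contributing": sorted({e["id"] for e in entries if not e["denied"]}),
        })
    return report

if __name__ == "__main__":
    for r in blocked_requests(SAMPLE_LOG):
        print(r["uri"], "denied by", r["denied_by"], "contributing:", r["contributing"])
```

Under the stated assumption, when the denied entry carries only the anomaly-score rule, the IDs listed under contributing are the ones to review as candidates for SecRuleRemoveById.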
4. Best Practices and Edge Cases
- Whitelist, Don't Disable: Only disable a rule if you are 100% certain the request being blocked is legitimate. If you are unsure, contact Hovixa Support for a log analysis.
- Temporary Testing: Use the global "Off" switch only to verify if ModSecurity is the culprit. Once confirmed, turn it back on and apply the SecRuleRemoveById method instead.
- IP Whitelisting: If your office or development IP is constantly being blocked while performing administrative tasks, it is better to ask Support to whitelist your IP in the firewall (CSF) rather than disabling ModSecurity rules.
Security Warning: Disabling core rules like those protecting against SQL Injection or Local File Inclusion (LFI) significantly increases the risk of your site being compromised. Always update your application plugins and core files before opting to disable security rules.