InMotion Hosting Support Center

In this article I'll show you how you can disable ModSecurity for a domain on your VPS (Virtual Private Server) or dedicated server. ModSecurity is used to block certain types of web requests that can help prevent you from possible attacks. However certain times a legitmate request could be getting blocked by ModSecurity, so knowing how to disable it is good knowledge.

If you're on a shared server and experiencing problem with 406 errors caused by ModSecurity you can follow my guide on how to disable ModSecurity via cPanel Modsec Manager.

In order to follow along with this guide, you'll need to have root access to your VPS or dedicated server so that you can create the required ModSecurity file on the server, and modify the Apache configuration file.

Enable ModSecurity include in httpd.conf

Following the steps below I'll walk you through how to modify your Apache httpd.conf configuration file so that you can include a ModSecurity rules file for the domain you'd like to disable ModSecurity for.

  1. Login to your server via SSH as the root user.
  2. Make a backup of your Apache configuration with the following command:

    cp -frp /usr/local/apache/conf/httpd.conf{,-BAK}

  3. Edit your Apache httpd.conf file with the vim editor with this command:

    vim /usr/local/apache/conf/httpd.conf

  4. Once in vim you can type in a forward slash / to enter search mode, you can then enter in the name of the domain you'd like to disable ModSecurity for and hit Enter to be dropped to that line.

    You should be at a <VirtualHost entry that looks something like this:

    DocumentRoot /home/userna5/public_html
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/ combined
    CustomLog /usr/local/apache/domlogs/ "%{%s}t %I .\n%{%s}t %O ."
    ## User userna5 # Needed for Cpanel::ApacheConf
    <IfModule mod_suphp.c>
    suPHP_UserGroup userna5 userna5
    <IfModule !mod_disable_suexec.c>
    <IfModule !mod_ruid2.c>
    SuexecUserGroup userna5 userna5
    <IfModule mod_ruid2.c>
    RUidGid userna5 userna5
    ScriptAlias /cgi-bin/ /home/userna5/public_html/cgi-bin/

    # To customize this VirtualHost use an include file at the following location
    # Include "/usr/local/apache/conf/userdata/std/2/userna5/*.conf"


    You'll want to un-comment the Include line by removing the pound # symbol from the beginning of the line at the bottom. You can do this by navigating with the arrow keys till your cursor is over the # symbol, then just hit Delete on your keyboard:

    # Include "/usr/local/apache/conf/userdata/std/2/userna5/*.conf"

    So it should end up looking like this:

    Include "/usr/local/apache/conf/userdata/std/2/userna5/*.conf"

    Now to save the file, simply hold down Shift and hit ZZ on the keyboard, you should get this confirmation:

    "/usr/local/apache/conf/httpd.conf" 785L, 30554C written

  5. Finally run the cPanel Apache configuration distiller, to ensure your includes remain after future cPanel updates:

    /usr/local/cpanel/bin/apache_conf_distiller --update

    After running that you should get back:

    info [apache_conf_distiller] 'local' datastore in use (/var/cpanel/conf/apache/local)
    Distilled successfully

Create ModSecurity configuration file

Now that you've setup Apache to include a ModSecurity configuration file, you'll next want to create the appropriate directory and file that it's trying to load. Following the steps below I'll show you how to accomplish this.

  1. Run the following command to create the directory where we'll be placing our ModSecurity configuration file:

    mkdir -p /usr/local/apache/conf/userdata/std/2/userna5/

  2. Next use the following rule to create a ModSecurity configuration file with the SecRuleEngine option set to Off which disables ModSecurity completely for the domain:

    echo "SecRuleEngine Off" > /usr/local/apache/conf/userdata/std/2/userna5/

  3. Finally to make the new ModSecurity configuration file active, you need to restart the Apache service gracefully with the following command:

    service httpd graceful

    Now that Apache has been gracefully restarted the new ModSecurity configuration settings should be getting loaded, and in this case ModSecurity is completely disabled for our domain now.

You should now understand how to completely disable ModSecurity for a domain on your VPS or dedicated server. If you wanted to leave ModSecurity enabled, but only wanted to disable certain ModSecurity rules that are getting triggered, then you can read my guide on how to find and disable specific ModSecurity rules.

Was this article helpful?

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question

Support Center Login

Our Login page has moved, Click the button below to be taken to the login page.

Post a Comment

Email Address:
Phone Number:

Please note: Your name and comment will be displayed, but we will not show your email address.

0 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?


Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail:
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!