How can I disable mod_security in .htaccess file?

How can we disable mod_security by using a .htaccess file on an Apache server?

I am using WordPress on my personal domain and am publishing a post whose content has some code blocks. According to my hosting provider, mod_security gives an error, and my IP has gone into the firewall because of mod_security.

So I want to disable mod_security by using the .htaccess file.

      • 2
    • First, this is not a programming issue (although I thought it was and that's how I bumped into this page). Second, this is an old thread. Anyway, I hope everyone gains something out of this. I had a Mod_Security error as well but my host (bluehost) white-listed the page for me. I didn't have to turn off the mod myself.

It is possible to do this, but most likely your host implemented mod_security for a reason. Be sure they approve of you disabling it for your own site.

That said, this should do it:

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>
  • 45
      • 1
    • Note that mod_security could be compiled to prevent this switch-off by .htaccess files. And the host could also limit .htaccess authorizations via AllowOverride settings.
    • Very true. I imagine the best approach here would really be to contact the hosting provider and request that block (stanza?) be incorporated into the vhost instead. This way, you'll also be in the clear of any issues the host might have with you turning off mod_security in the first place. :)
      • 2
    • If you put it within a particular block, or in an .htaccess file, sure. Look up how file matching works in Apache.

On some servers and web hosts, it's possible to disable ModSecurity via .htaccess, but only in its entirety – you can't disable individual rules.

Rather than disabling it for your entire site, it's best to limit this to specific URLs. You can specify which URLs to match via the regex in the <If> statement below...

### DISABLE mod_security firewall
### Some rules are currently too strict and are blocking legitimate users
### We only disable it for URLs that contain the regex below
### The regex below should be placed between "m#" and "#" 
### (this syntax is required when the string contains forward slashes)
<IfModule mod_security.c>
  <If "%{REQUEST_URI} =~ m#/admin/#">
    SecFilterEngine Off
    SecFilterScanPOST Off
  </If>
</IfModule>
  • 7
    • This is the best solution, in my opinion. I was having issues with GravityForms and for the url I added wp-admin/admin.php?page=gf_edit_forms

Just to update this question for mod_security 2.7.0+ - they turned off the ability to mitigate modsec via htaccess unless you compile it with the --enable-htaccess-config flag. Most hosts do not use this compiler option since it allows too lax security. Instead, vhosts in httpd.conf are your go-to option for controlling modsec.

Even if you do compile modsec with htaccess mitigation, there are fewer directives available. SecRuleEngine can no longer be used there, for example. Here is a list that is available to use by default in htaccess if allowed (keep in mind a host may further limit this list with AllowOverride):

    - SecAction
    - SecRule

    - SecRuleRemoveByMsg
    - SecRuleRemoveByTag
    - SecRuleRemoveById

    - SecRuleUpdateActionById
    - SecRuleUpdateTargetById
    - SecRuleUpdateTargetByTag
    - SecRuleUpdateTargetByMsg

More info on the official modsec wiki

As an additional note for 2.x users: the IfModule should now look for mod_security2.c instead of the older mod_security.c

  • 5

When the above solution doesn’t work try this:

<IfModule mod_security.c>
  SecRuleEngine Off
  SecFilterInheritance Off
  SecFilterEngine Off
  SecFilterScanPOST Off
  SecRuleRemoveById 300015 3000016 3000017
</IfModule>
  • 2
      • 1
    • Why is your answer better than the other answer? All I can see is the value in SecRuleEngine Off as well as SecFilterInheritance Off but you provide no explanation of how SecRuleRemoveById works? I understand the concept: Individual rules like the numbers you list can selectively be turned off via that directive. But why are you specifically using 300015, 3000016 and 3000017 in your post?
    • The numbers are specific ModSec rules. Seems safer to disable rules case by case, instead of turning off the whole thing. However, this answer also turns off the whole thing, in which case turning off certain rules makes no sense.
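
Added example (not part of any answer or comment above): a small Python audit that classifies the ModSecurity directives found in an .htaccess file by generation and by the 2.7.0+ .htaccess list quoted earlier, and flags directives sitting inside an `<IfModule>` guard for the other generation. The function name, status strings, sample file and rule id 999999 are constructed for illustration; the directive sets come from the answers on this page and are not exhaustive.

```python
import re

# 1.x directives used in the answers above (not an exhaustive list).
V1_ONLY = {"secfilterengine", "secfilterscanpost", "secfilterinheritance"}
# 2.x directives the 2.7.0+ answer lists as usable from .htaccess.
V2_HTACCESS_LISTED = {
    "secaction", "secrule", "secruleremovebymsg", "secruleremovebytag",
    "secruleremovebyid", "secruleupdateactionbyid", "secruleupdatetargetbyid",
    "secruleupdatetargetbytag", "secruleupdatetargetbymsg",
}
GUARDS = {"mod_security.c": 1, "mod_security2.c": 2}  # IfModule name -> generation

# Constructed sample; 999999 is a placeholder rule id.
SAMPLE = """\
<IfModule mod_security.c>
  SecRuleEngine Off
  SecFilterEngine Off
  SecRuleRemoveById 999999
</IfModule>
<IfModule mod_security2.c>
  SecRuleRemoveById 999999
  SecFilterScanPOST Off
</IfModule>
"""

def audit_htaccess(text):
    """Return (line_no, directive, status) for every Sec* directive in text."""
    findings, guards = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<IfModule\s+([^>\s]+)\s*>", line, re.I)
        if opened:
            guards.append(GUARDS.get(opened.group(1).lower()))  # None: other module
        elif re.match(r"</IfModule\s*>", line, re.I):
            if guards:
                guards.pop()
        elif re.match(r"Sec[A-Za-z]+\b", line, re.I):
            name = line.split()[0]
            if name.lower() in V1_ONLY:
                gen, status = 1, "1.x-only"
            elif name.lower() in V2_HTACCESS_LISTED:
                gen, status = 2, "2.x-htaccess-listed"
            else:  # assumption: any other Sec* name is a 2.x directive off the list
                gen, status = 2, "2.x-not-listed-for-htaccess"
            guard = next((g for g in reversed(guards) if g), None)
            if guard is not None and guard != gen:
                status += "+guard-mismatch"  # guard tests for the other generation
            findings.append((no, name, status))
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print(*finding)
```

A `+guard-mismatch` line is one that never takes effect as written, because the surrounding `<IfModule>` is only true when the other ModSecurity generation is loaded.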

In the .htaccess file at the site root directory, edit the following lines:

<ifmodule mod_security.c>

SecFilterEngine Off
SecFilterScanPOST Off

</ifmodule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
  • 2

With some web hosts including NameCheap, it's not possible to disable ModSecurity using .htaccess. The only option is to contact tech support and ask them to alter the configuration for you.

  • 2
    • Simon East, Unfortunately my Answer is the ONLY option with "namecheap" hosting. Not a comment. You have no other option but to ask tech support to enable this option for you. This is FACT not opinion, not comment. I use name cheap. Also note, I do not have a reputation of 50 or greater at this time, so my Answer is impossible to add as a comment.
    • Ok, I see that it won't let you comment. I suppose that saying "This will not help you" sounds confusing in an answer though as we're not sure what the "This" is referring to - are you referring to the original question or another user's answer? Perhaps you mean that .htaccess will not be of any help on NameCheap, is that right?
      • 2
    • By "this" I mean all answers, all code, all attempts by any means, all of them... will not work. Not until after support is contacted and the OP requests (and receives) enabled access to any type of mod_security functionality. The OP is asking how to do something that cannot be done if they are hosted on namecheap. My answer is therefore a valid answer, informing the OP and anyone else googling this issue, that namecheap hosting itself will require them to request permission to do this. I hope to save people time and frustration thinking their code isn't working, when it is blocked.
    • Legit answer. Usually I dislike "you can't" answers, because it usually means "I don't know." But in this case, "you can't" is correct. (I'm on namecheap too -- great host, so far).

For anyone who is simply looking to bypass the ERROR page to display the content on shared hosting: you might wanna try and use a redirect in the .htaccess file. If it is, say, a 406 error, on UnoEuro it didn't seem to work simply deactivating the security. So I used this instead:

ErrorDocument 406 /

Then you can always change the error status using PHP. But be aware that in my case doing so means I am opening a door to SQL injections as I am bypassing WAF. So you will need to make sure that you either have your own security measures or enable the security again asap.

  • 0

This article is reproduced from Stack Exchange / Stack Overflow.