Title: Mod_Security
Last modified: August 18, 2016

---

# Mod_Security

 *  [mynetweblogs](https://wordpress.org/support/users/mynetweblogs/)
 * (@mynetweblogs)
 * [19 years, 6 months ago](https://wordpress.org/support/topic/mod_security/)
 * I have read that mod_security causes some issues with WordPress installations.
   Is it worth the workarounds to have mod_security installed?

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [Chris_K](https://wordpress.org/support/users/handysolo/)
 * (@handysolo)
 * [19 years, 6 months ago](https://wordpress.org/support/topic/mod_security/#post-488251)
 * There are way too many variables to be able to answer that question. I dunno
   that any two hosts configure mod_security the same way. It would seem, to me,
   that in 95% (more?) of cases it causes no issues at all.
 *  Thread Starter [mynetweblogs](https://wordpress.org/support/users/mynetweblogs/)
 * (@mynetweblogs)
 * [19 years, 6 months ago](https://wordpress.org/support/topic/mod_security/#post-488252)
 * Well for me, when I try to install a new blog, I get a server error.
 *  Thread Starter [mynetweblogs](https://wordpress.org/support/users/mynetweblogs/)
 * (@mynetweblogs)
 * [19 years, 6 months ago](https://wordpress.org/support/topic/mod_security/#post-488254)
 * What settings would cause issues?
 *  [vkaryl](https://wordpress.org/support/users/vkaryl/)
 * (@vkaryl)
 * [19 years, 6 months ago](https://wordpress.org/support/topic/mod_security/#post-488256)
 * Hard to say, since most hosts won’t tell you what their ruleset includes.
 *  Thread Starter [mynetweblogs](https://wordpress.org/support/users/mynetweblogs/)
 * (@mynetweblogs)
 * [19 years, 6 months ago](https://wordpress.org/support/topic/mod_security/#post-488258)
 * Would mod_dosevasive cause issues, or is it probably the mod_security causing
   a problem?
 *  [vkaryl](https://wordpress.org/support/users/vkaryl/)
 * (@vkaryl)
 * [19 years, 6 months ago](https://wordpress.org/support/topic/mod_security/#post-488260)
 * I don’t have a clue – never heard of mod_dosevasive for one thing. For another,
   the host I left because of mod_sec problems never would tell me what they changed.
 *  [Chris_K](https://wordpress.org/support/users/handysolo/)
 * (@handysolo)
 * [19 years, 6 months ago](https://wordpress.org/support/topic/mod_security/#post-488264)
 * This thread takes a while to get going, but ends with some .htaccess “tricks”
   to mitigate issues caused by an overly strict mod_security configuration.
 * [http://wordpress.org/support/topic/75361?replies=69](http://wordpress.org/support/topic/75361?replies=69)
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [19 years, 5 months ago](https://wordpress.org/support/topic/mod_security/#post-488318)
 * _I have read that mod\_security causes some issues with WordPress installations.
   Is it worth the workarounds to have mod\_security installed?_
 * I've been waiting for 10 hours to respond to this thread —
 * What specifically have you read regarding mod_security affecting installs? And
   where?
 * That's the best place to start before answering too many questions.
 * Since we don't know what you've read, or where, it's hard to tell you if it's worth
   it. What you read might be accidentally inaccurate, or purposefully false.
 * I can say with some assuredness that mod_security is mistakenly blamed for quite
   a few things on these forums, and ought not to be.
 * In other words, _generally_ uneducated people speak up without doing their homework
   first, (as happens everywhere, I fairly need to add).
 * —
 * Now again, this, therefore, is a general reply to your question.
 * mod_security is worth ANY troubles, and the primary reason why I say is that
   it's flexible, can be “turned off” in any different number of ways, and prevents
   a whole shedload of malicious things from happening.
 * Need to turn it off, adjust, etc..:
 * Add:
 * `SecFilterEngine Off`
 * to any .htaccess.
 * You obviously already know that .htaccess bits are inherited, so I don't need
   to explain that you could protect one directory but not another.
 * Just want to protect certain files:
 * Or ..
 * if you just want to have certain files do this, here's a good example:
 * `SecFilterEngine On`
   `SecFilterSelective "REQUEST_URI" "/wp-admin/edit.php" "allow,nolog"`
 * Or let's say you want to have an override for a word already listed in your modsecurity.conf:
 * `SecFilterEngine On`
   `SecFilterSelective "POST_PAYLOAD" "curl" "allow,nolog"`
 * Lots and lots and lots of options, besides the 2 simple ones mentioned in the
   thread handy linked to.
 * A whole lot of documentation for mod_security:
 * [http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/](http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/)
 * I’ll assume you've looked over the mod_security website enough that you have a
   good idea what it does, and prevents. Personally, it’s the SQL injection attack
   and XSS protection that I appreciate the most. A close second being the php remote
   file include protection.
 * I use mod_security to its fullest. I have no troubles posting whatever content
   I want, and have experienced NO issues with installs or upgrades, and I fairly
   recently just did a server move (both hosts had it available), again, all without
   a single issue.
 * —
 * And just a commentary, “overly strict” is just that, commentary.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [19 years, 5 months ago](https://wordpress.org/support/topic/mod_security/#post-488319)
 * As for mod_dosevasive, again, I would need to ask, what, if any, issues, are
   you having? Or are you simply anticipating issues?
 * mod_dosevasive is pretty straightforward, and if you've ever looked at the output
   of ps -aux, you know how many processes Apache can spawn.
 * For the uninformed, mod_dosevasive fights DOS attacks by blocking an IP that's
   requesting the same page more than a few times per second, or by blocking an
   IP that's making more than 50 concurrent requests on the same Apache process.
   It also includes a blacklist, and checks IPs against that list.
 * I don't see how mod_dosevasive would cause its own install issues, unless you're
   hammering the page without fixing whatever other problem(s) might be holding
   up your install.
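
An added example, not part of the original posts and not mod_dosevasive's own code: a simplified Python model of the per-IP throttling described in the reply above, showing how repeatedly reloading an install page can itself start returning 403s. The thresholds, the block period, the timer-reset behaviour and all names are assumptions for illustration; "concurrent requests" is approximated as requests per interval.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; real values are set by the host.
PAGE_COUNT, PAGE_INTERVAL = 3, 1.0    # same page: more than 3 hits in 1 s
SITE_COUNT, SITE_INTERVAL = 50, 1.0   # any page: more than 50 hits in 1 s
BLOCK_PERIOD = 10.0                   # seconds an offending IP stays blocked

class EvasiveModel:
    """Simplified model of the per-IP counting described in the post."""

    def __init__(self, blacklist=()):
        self.blacklist = set(blacklist)       # permanently refused IPs
        self.blocked_until = {}               # ip -> time the block expires
        self.page_hits = defaultdict(deque)   # (ip, uri) -> recent hit times
        self.site_hits = defaultdict(deque)   # ip -> recent hit times

    @staticmethod
    def _count(window, now, interval):
        # Record this hit and drop hits older than the interval.
        window.append(now)
        while window and now - window[0] >= interval:
            window.popleft()
        return len(window)

    def handle(self, ip, uri, now):
        """Return the HTTP status the client would see: 200 or 403."""
        if ip in self.blacklist:
            return 403
        if self.blocked_until.get(ip, 0.0) > now:
            # Model assumption: a request made while blocked restarts the timer.
            self.blocked_until[ip] = now + BLOCK_PERIOD
            return 403
        page = self._count(self.page_hits[(ip, uri)], now, PAGE_INTERVAL)
        site = self._count(self.site_hits[ip], now, SITE_INTERVAL)
        if page > PAGE_COUNT or site > SITE_COUNT:
            self.blocked_until[ip] = now + BLOCK_PERIOD
            return 403
        return 200

def replay(requests, blacklist=()):
    """Replay (time, ip, uri) tuples and return the list of statuses."""
    model = EvasiveModel(blacklist)
    return [model.handle(ip, uri, t) for t, ip, uri in requests]

# Constructed sample: five reloads of the installer in 0.4 s, then a retry at 30 s.
SAMPLE = [(0.1 * i, "192.0.2.10", "/wp-admin/install.php") for i in range(5)]
SAMPLE.append((30.0, "192.0.2.10", "/wp-admin/install.php"))
```

Replaying `SAMPLE` shows the fourth and fifth reloads refused and the later retry served again, which matches the point in the reply: the block comes from hammering the page, not from the install itself.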


## Tags

 * [installation](https://wordpress.org/support/topic-tag/installation/)
 * [mod_security](https://wordpress.org/support/topic-tag/mod_security/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 9 replies
 * 4 participants
 * Last reply from: [whooami](https://wordpress.org/support/users/whooami/)
 * Last activity: [19 years, 5 months ago](https://wordpress.org/support/topic/mod_security/#post-488319)
 * Status: not resolved

