Comprehensive guide to securing WordPress with ModSecurity
WordPress is a powerful and widely-used content management system, known for its flexibility, robust features, and extensive support community. However, its popularity also makes it a frequent target for hackers aiming to exploit vulnerabilities.
While keeping WordPress core, themes, and plugins updated is a critical first step in securing your website, implementing ModSecurity (commonly referred to as “modsec”) provides an additional, powerful layer of protection.
This guide provides a comprehensive overview of how to use ModSecurity to enhance the security of your WordPress site.
This guide uses the following languages and syntaxes:
- Bash/shell scripting: for running the server commands that install and configure ModSecurity on web servers such as Apache and NGINX.
- ModSecurity rule syntax: a domain-specific language (DSL) used to write and customize rules for the ModSecurity web application firewall.
- Apache configuration directives (which use an HTML-like syntax, for example <LocationMatch>): for scoping ModSecurity rules to WordPress-specific files and locations such as /wp-login.php.
What is ModSecurity?
ModSecurity acts as a web application firewall (WAF), filtering and analyzing HTTP traffic to block malicious activity before it reaches your website.
Why use ModSecurity for WordPress?
ModSecurity is a versatile tool that protects against a wide array of attacks, such as brute force login attempts, SQL injection, and cross-site scripting (XSS). Unlike WordPress-specific security plugins, ModSecurity operates at the server level, providing a unified defense for all WordPress installations while limiting resource consumption.
Furthermore, its logging capabilities provide valuable insights into potential threats, helping administrators stay proactive in their security measures. By offloading much of the security workload to the server level, ModSecurity simplifies the management of WordPress security.
Step 1: Installing ModSecurity
Before installing ModSecurity on Apache or NGINX, you’ll need to log into your server with administrative privileges via SSH. Ensure that your server has an updated package manager (e.g., apt for Debian/Ubuntu or yum for CentOS) and verify that you have sufficient permissions to install software and modify server configurations.
If you’re working on a production server, it’s highly recommended to create a backup or test the installation on a staging environment to avoid unintended disruptions. Once logged in and prepared, you can proceed with the installation steps specific to your server type.
How to install ModSecurity
For Apache
sudo apt install libapache2-mod-security2
For NGINX
ModSecurity needs to be compiled as a module or installed via a supported package. Refer to the ModSecurity documentation for detailed instructions.
How to enable ModSecurity
For Apache
sudo a2enmod security2
sudo systemctl restart apache2
Step 2: Configure ModSecurity with the OWASP Core Rule Set (CRS)
The ModSecurity Core Rule Set (CRS) is a comprehensive, open-source set of predefined rules designed to detect and block a wide range of web application threats.
Download the CRS
sudo apt install modsecurity-crs
Alternatively, download the latest version from the OWASP CRS GitHub repository.
Configure ModSecurity to use CRS
Update your config file
Update your modsecurity.conf file to include the CRS:
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
Restart the server
sudo systemctl restart apache2
ModSecurity CRS is modular and highly customizable, allowing administrators to fine-tune the rules to suit specific website needs while minimizing false positives.
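Before relying on the CRS, it is worth checking that the module is actually in blocking mode. The following shell script is an added example, not code from the original guide or from the ModSecurity project. It reads the configuration file(s) you name and reports the settings that most often leave a fresh install in logging-only mode: the modsecurity.conf-recommended file shipped with the package sets SecRuleEngine DetectionOnly, so matches are logged but nothing is blocked until that value is changed to On. The two configuration files it tests are constructed inline; the /etc and /var paths mentioned in its comments are the usual Debian/Ubuntu locations and are assumptions about your server.

```sh
#!/bin/sh
# Added example, not part of the original guide: a pre-flight check for the
# ModSecurity configuration before the CRS goes live. It reads the config
# file(s) you name and reports the settings that most often leave a fresh
# install silently in logging-only mode.

# Effective value of a directive across the given files. Apache applies the
# last occurrence, so the last match wins; commented-out lines never match
# because their first token begins with '#'.
directive_value() {  # usage: directive_value <Directive> <file>...
    d="$1"; shift
    awk -v d="$d" '$1 == d { v = $2 } END { print v }' "$@"
}

# Returns 0 when the files describe a blocking, logging, CRS-backed setup
# and 1 otherwise, printing one finding per line.
check_modsec_conf() {  # usage: check_modsec_conf <file>...
    status=0
    for cf in "$@"; do
        [ -r "$cf" ] || { echo "cannot read $cf"; return 1; }
    done
    case "$(directive_value SecRuleEngine "$@")" in
        On) ;;
        DetectionOnly) echo "SecRuleEngine DetectionOnly: matches are logged, nothing is blocked"; status=1 ;;
        *) echo "SecRuleEngine Off or unset: ModSecurity is inactive"; status=1 ;;
    esac
    case "$(directive_value SecAuditEngine "$@")" in
        On|RelevantOnly) ;;
        *) echo "SecAuditEngine Off or unset: no audit log to troubleshoot with"; status=1 ;;
    esac
    [ -n "$(directive_value SecDataDir "$@")" ] \
        || { echo "SecDataDir unset: persistent collections (initcol) cannot be stored"; status=1; }
    grep -Eq '^[[:space:]]*Include(Optional)?[[:space:]]+.*modsecurity-crs' "$@" \
        || { echo "no Include line for the CRS found"; status=1; }
    return "$status"
}

# Two constructed sample files standing in for /etc/modsecurity/modsecurity.conf
# (assumed Debian/Ubuntu path). FRESH is modelled on the shipped
# modsecurity.conf-recommended defaults; READY is the state this guide aims
# for after Steps 1 and 2.
FRESH=$(mktemp); READY=$(mktemp)
trap 'rm -f "$FRESH" "$READY"' EXIT
cat > "$FRESH" <<'EOF'
# Fresh install: detection only, CRS not yet included
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
SecDataDir /tmp/
EOF
cat > "$READY" <<'EOF'
SecRuleEngine DetectionOnly
# a later line overrides the one above: the last occurrence wins
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
SecDataDir /var/cache/modsecurity
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
EOF

for cfg in "$FRESH" "$READY"; do
    if check_modsec_conf "$cfg"; then
        echo "$cfg: ready for blocking mode"
    else
        echo "$cfg: NOT ready (see findings above)"
    fi
done
```

On a live Debian/Ubuntu system the call would typically be `check_modsec_conf /etc/modsecurity/modsecurity.conf /etc/apache2/mods-enabled/security2.conf`, since the distribution package keeps the CRS include lines in the second file. The SecDataDir check matters for the brute-force rules in Step 3, whose initcol actions store their counters in that directory. After any configuration change, run `apache2ctl configtest` before restarting so that a typo in a rule file cannot take the site down.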
Step 3: Adding custom rules for WordPress
To address WordPress-specific attack patterns, such as brute force login attempts, follow these steps.
Locate the ModSecurity custom rules file
For Apache, this is typically:
/usr/local/apache/conf/modsec_user_rules.conf
Add the following rules to block brute force attempts
# Create the per-client "ip" and "user" collections, both keyed on the client address.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134"
<LocationMatch "/wp-login.php">
# Detect brute force login attempts: deny requests from a client whose block flag is set (see rule 5000137).
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'IP address blocked for 5 minutes due to excessive login attempts.'"
# wp-login.php answers a successful login with a 302 redirect: reset the failure counter.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
# A 200 response means the login form was rendered again, i.e. the attempt failed (a plain GET of the
# form also returns 200 and is counted): increment the counter and let it decay by 1 every 180 seconds.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
# Chained to the rule above: more than 10 failures sets the block flag for 300 seconds (5 minutes) and resets the counter.
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
Restart Apache or NGINX after making changes
sudo systemctl restart apache2
Step 4: Troubleshooting common issues
ModSecurity can occasionally interfere with WordPress functionality, such as forms or plugins. Here’s how to troubleshoot.
Identify problematic rules
Review ModSecurity logs (typically located at /var/log/apache2/modsec_audit.log). If you notice legitimate traffic being blocked, note the rule ID responsible and cross-reference the rule ID in your ModSecurity rules file.
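To make the "note the rule ID" step concrete, here is an added shell script (not code from the original guide or from ModSecurity) that summarises matches from the Apache error log: how often each rule ID fired, and which client addresses triggered a given rule on a given URI. The log lines it parses are constructed for this example and use documentation IP ranges; on a live server, point the functions at your own log (for the one-line message format used here, this is usually /var/log/apache2/error.log, an assumed path) and they work the same way. The same pattern serves the grep-based monitoring in Step 5.

```sh
#!/bin/sh
# Added example, not part of the original guide: summarise ModSecurity
# matches from an Apache error log so that the rule IDs behind blocked
# requests can be reviewed before any exception is written.

# Count how often each rule ID fired, together with its message.
# Output lines: "<count> <id> <msg>", most frequent first.
rule_hit_summary() {  # usage: rule_hit_summary <logfile>
    sed -n 's/.*\[id "\([0-9]*\)"].*\[msg "\([^"]*\)"].*/\1 \2/p' "$1" \
        | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ $1 = $1; print }'
}

# Count matches per client IP and rule ID, optionally restricted to one URI
# written exactly as it appears in the [uri "..."] field. Both "Access denied"
# and "Warning" entries count, since both are rule matches worth reviewing.
# Output lines: "<count> <client> <id>", most frequent first.
client_rule_hits() {  # usage: client_rule_hits <logfile> [uri]
    awk -v uri="$2" '
        uri == "" || index($0, "[uri \"" uri "\"]") {
            if (!match($0, /\[client [0-9.]+(:[0-9]+)?]/)) next
            client = substr($0, RSTART + 8, RLENGTH - 9)
            sub(/:[0-9]+$/, "", client)       # drop the source port
            if (!match($0, /\[id "[0-9]+"]/)) next
            print client, substr($0, RSTART + 5, RLENGTH - 7)
        }' "$1" | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ $1 = $1; print }'
}

# Constructed sample log (documentation IP ranges, not real traffic) in the
# one-line format Apache's error log uses for ModSecurity 2.x messages.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
[Sun Mar 02 03:14:07 2025] [:error] [pid 2211] [client 203.0.113.5:51234] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec_user_rules.conf"] [line "6"] [id "5000135"] [msg "IP address blocked for 5 minutes due to excessive login attempts."] [hostname "example.com"] [uri "/wp-login.php"]
[Sun Mar 02 03:14:09 2025] [:error] [pid 2211] [client 203.0.113.5:51240] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec_user_rules.conf"] [line "6"] [id "5000135"] [msg "IP address blocked for 5 minutes due to excessive login attempts."] [hostname "example.com"] [uri "/wp-login.php"]
[Sun Mar 02 03:20:11 2025] [:error] [pid 2215] [client 198.51.100.7:40001] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 22)"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"]
[Sun Mar 02 03:20:12 2025] [:error] [pid 2215] [client 198.51.100.7:40002] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 22)"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"]
[Sun Mar 02 03:21:40 2025] [:error] [pid 2216] [client 198.51.100.8:40010] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 22)"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"]
[Sun Mar 02 03:30:02 2025] [:error] [pid 2220] [client 192.0.2.9:33333] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-comments-post.php"]
EOF

echo "== rule hits =="
rule_hit_summary "$LOG"
echo "== clients matched on /wp-admin/admin-ajax.php =="
client_rule_hits "$LOG" /wp-admin/admin-ajax.php
```

Reading the two summaries together is what turns a rule ID into a decision: rule 5000135 firing repeatedly from one address on /wp-login.php is the Step 3 block doing its job, whereas an anomaly-score rule firing from a few logged-in editors on /wp-admin/admin-ajax.php is a false-positive candidate to inspect. When an exception is warranted, prefer scoping it to the affected location (for example `ctl:ruleRemoveById` inside a `<LocationMatch>` block, or `SecRuleUpdateTargetById` to exclude one parameter) over a global SecRuleRemoveById. In the serial modsec_audit.log format the `Message:` lines carry `[id]` and `[msg]` but no `[client]` field, so only rule_hit_summary applies there unchanged.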
Disable specific rules
Temporarily disable problematic rules by adding exceptions to your custom rules file. Here’s an example:
# Place this after the CRS include lines; it only affects rules already loaded at that point.
SecRuleRemoveById 981176
Step 5: Regular monitoring and maintenance
Monitor logs regularly
Use tools like grep to analyze logs and find patterns of interest:
grep "ModSecurity" /var/log/apache2/modsec_audit.log
For NGINX, it may be at:
/var/log/nginx/modsec_audit.log
Keep ModSecurity and CRS updated
Periodically update the rule sets. Updating the CRS ensures that your ModSecurity setup can effectively detect and mitigate new attack vectors.
sudo apt update && sudo apt upgrade
For convenience, you can automate CRS updates by setting up a cron job to pull the latest rules from the OWASP GitHub repository at regular intervals. This example command runs weekly (at 3 AM on Sundays) to fetch updates:
0 3 * * 0 cd /etc/modsecurity.d/owasp-crs && git pull && systemctl restart apache2
Start using ModSecurity with WordPress today
With proper installation, configuration, and maintenance, ModSecurity serves as a robust defense mechanism that complements other security practices, ensuring a secure and reliable hosting environment.
By integrating ModSecurity with WordPress, you can significantly enhance your website’s security, protecting it from brute force attacks and other malicious threats.
Integrate ModSecurity easily with any Liquid Web WordPress hosting plan, including WordPress VPS and WordPress dedicated hosting. Or, learn more about Imunify360 – a web application firewall with plentiful rules for WordPress and plugins.
Additional resources
Basic Bash shell commands →
Unlock the power of the command line with this beginner-friendly guide to Bash.
Set up your ModSecurity config →
Learn how to customize ModSecurity’s global settings in WHM.
How to enable WP_DEBUG →
Learn how to identify and resolve critical errors affecting your website’s performance.