
Modsec in Plesk (Linux)

Manage ModSecurity in Plesk (Linux): Whitelist rules (global, folder, file, domain), disable, & adjust body size. Reconfigure Apache.

Overview

ModSecurity (modsec) is a powerful web application firewall (WAF) that helps protect your websites from malicious attacks. In Plesk on Linux, you may occasionally need to whitelist a rule or disable ModSecurity for a specific file, folder, or domain.

This guide explains how to manage ModSecurity in Plesk, including how to whitelist rules, disable the firewall per domain, and handle large response body errors.

Before you begin

First, confirm your Plesk version. Some steps differ based on the version you’re running.

cat /usr/local/psa/version

Locate the ModSecurity error

Before making any changes, locate the relevant ModSecurity error in the domain’s error log or the Apache logs. This will help you identify which rule ID to modify or disable.

Edit or create the vhost.conf file

Once you know the rule you want to adjust, you can modify the domain’s Apache config. Depending on your Plesk version, use the appropriate file path:

For older versions:

vim /var/www/vhosts/domain.com/conf/vhost.conf

For newer versions:

vim /var/www/vhosts/system/domain.com/conf/siteapp.d/vhost.conf

or

vim /var/www/vhosts/system/domain.com/conf/vhost.conf

Note

If the file doesn’t exist, you can create it. The file should be owned by root.

Whitelisting ModSecurity rules

There are several ways to disable or whitelist a ModSecurity rule:

Global whitelist (all domains)

You can comment out or remove the rule directly in the configuration files under:

/etc/httpd/modsecurity.d/

Alternatively, you can whitelist specific rules in:

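/etc/httpd/modsecurity.d/lwrules/whitelist.conf

Folder-Level whitelist

<LocationMatch "/">
SecRuleRemoveById 960017
</LocationMatch>

LocationMatch takes a regular expression, so the pattern "/" shown here matches every URL on the domain; replace it with the path of the folder you want to exempt.

File-Level whitelist

<LocationMatch "/gallery3/zp-core/admin-themes-editor.php">
SecRuleRemoveById 950013
</LocationMatch>

Domain-Level disable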

To fully disable ModSecurity for a specific domain:

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
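
To pick the narrowest of the whitelist scopes above, it helps to see which rule IDs fire on which URIs before editing vhost.conf. The following is an added example, not part of the original guide: it assumes the usual ModSecurity 2.x error-log tags `[id "..."]` and `[uri "..."]`, the function names and sample log lines are constructed for illustration, and the escaped, anchored pattern in the generated stanza goes beyond the unanchored form shown in the file-level whitelist.

```shell
#!/bin/sh
# Added example: summarise ModSecurity denials by rule ID and URI.

# Constructed sample error-log lines (not taken from a real server).
sample_log() {
cat <<'EOF'
[Mon Jan 06 10:15:01 2025] [:error] [pid 2101] [client 192.0.2.10:40112] ModSecurity: Access denied with code 403 (phase 2). [id "950013"] [msg "constructed"] [hostname "domain.com"] [uri "/gallery3/zp-core/admin-themes-editor.php"] [unique_id "A1"]
[Mon Jan 06 10:15:09 2025] [:error] [pid 2101] [client 192.0.2.10:40113] ModSecurity: Access denied with code 403 (phase 2). [id "950013"] [msg "constructed"] [hostname "domain.com"] [uri "/gallery3/zp-core/admin-themes-editor.php"] [unique_id "A2"]
[Mon Jan 06 10:16:30 2025] [:error] [pid 2102] [client 192.0.2.11:40114] ModSecurity: Access denied with code 403 (phase 2). [id "960017"] [msg "constructed"] [hostname "domain.com"] [uri "/index.php"] [unique_id "A3"]
[Mon Jan 06 10:17:02 2025] [:error] [pid 2102] [client 192.0.2.11:40115] ModSecurity: Output filter: Response body too large (over limit of 2048576, total length not known). [hostname "domain.com"] [uri "/export.php"] [unique_id "A4"]
EOF
}

# Read an Apache error log on stdin; print "count rule_id uri", busiest first.
# Lines without an [id "..."] tag (such as the response-body message) are skipped.
modsec_rule_hits() {
    grep 'ModSecurity:' |
    sed -n -E 's/.*\[id "([0-9]+)"\].*\[uri "([^"]*)"\].*/\1 \2/p' |
    sort | uniq -c |
    awk '{ print $1, $2, $3 }' |
    sort -k1,1nr -k2,2
}

# Print a file-level stanza for vhost.conf. Assumption beyond the page: the URI
# is regex-escaped and anchored so only that exact path loses the rule.
modsec_whitelist_stanza() {
    case "$1" in ''|*[!0-9]*) echo "rule id must be numeric" >&2; return 1 ;; esac
    pattern=$(printf '%s' "$2" | sed 's/[][(){}.*+?^$|]/\\&/g')
    printf '<LocationMatch "^%s$">\nSecRuleRemoveById %s\n</LocationMatch>\n' "$pattern" "$1"
}

# Demo on the constructed log: one line per (rule, URI) pair.
sample_log | modsec_rule_hits
```

On a real server, feed the domain's error log to `modsec_rule_hits` instead of `sample_log`. A rule that fires on a single URI is a candidate for the file-level form rather than a folder-level or global whitelist.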

Reconfigure Apache to apply changes

After modifying the vhost file, you must reconfigure the domain in Plesk for the changes to take effect.

For Plesk 9.5 or Earlier:

/usr/local/psa/admin/bin/websrvmng -u --vhost-name=domain.com
service httpd restart

Warning

Do not use websrvmng on Plesk 10 or later — it is deprecated and may break the psa database.

For Plesk 10 or Later:

/usr/local/psa/admin/bin/httpdmng --reconfigure-domain domain.com
service httpd restart

Adjusting response body size limit

If you see this error in your domain’s logs:

ModSecurity: Output filter: Response body too large (over limit of 2048576, total length not known).

You can increase the limit globally or per domain.

Global adjustment

Edit the ModSecurity CRS configuration:

vim /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

Find or add the following:

SecResponseBodyLimit 10000000

Domain-Level adjustment (vhost.conf)

<IfModule mod_security2.c>
SecResponseBodyLimit 10000000
</IfModule>

After changes, restart Apache:

service httpd restart

Summary

This guide covers how to manage ModSecurity (modsec) in Plesk on Linux servers, including identifying and resolving WAF-related issues. It walks you through locating ModSecurity errors, editing or creating the appropriate vhost.conf file based on your Plesk version, and applying rule whitelisting globally, by folder, file, or domain. The guide also explains how to safely reconfigure Apache to apply changes and how to increase the ModSecurity response body size limit to prevent related errors.
