
When Mod Security Attacks

Posted on by Patrick Hawkins

One component of Liquid Web’s Server Secure service is an Apache module called Mod Security (often shortened to just “modsec”). Modsec monitors all incoming HTTP requests for malicious behavior and does not complete requests that meet certain criteria. These criteria are spelled out in what are called “rules” or “rulesets”.

In an ideal world, only malicious requests would be caught in modsec’s trap. Unfortunately, there are some instances where legitimate requests are stopped as well. How do we determine that this is what happens, and what can we do about it?

Modsec errors usually appear on a web page as either 400- or 500-level HTTP status codes. If you see such an error on your site, the next step is to search the server’s error logs for more information on which rule is blocking the request. This command will give you all the modsec errors in Apache’s main error log:

grep -i modsec /usr/local/apache/logs/error_log | sed "s/$/\\n/"

Each line of the error is rather lengthy. The information logged includes the HTTP request that was sent, the line number and ID # of the modsec rule that was triggered, and the IP address of the computer that sent the HTTP request.
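As an added example (not part of the original article), the script below reduces that grep output to one row per site and rule: hit count, hostname, rule ID, rule line number, and number of distinct client IPs. It assumes the bracketed field layout that ModSecurity 2.x writes to the Apache error log, including a [hostname "..."] field; the sample log lines, rule IDs, hostnames and rules-file path are constructed.

```shell
#!/usr/bin/env bash
# Added example: summarize ModSecurity denials per site and rule.
# Assumes ModSecurity 2.x fields: [client ..] [line ".."] [id ".."] [hostname ".."].

# Emit "hostname rule_id rule_line client" for each modsec line on stdin.
modsec_fields() {
  grep -i 'modsec' | sed -n -E \
    's/.*\[client ([^]]+)\].*\[line "([0-9]+)"\].*\[id "([0-9]+)"\].*\[hostname "([^"]+)"\].*/\4 \3 \2 \1/p'
}

# Emit "hits hostname rule_id rule_line distinct_clients", busiest first.
modsec_summary() {
  modsec_fields | awk '
    { key = $1 " " $2; hits[key]++; line[key] = $3
      if (!seen[key, $4]++) clients[key]++ }
    END { for (k in hits) print hits[k], k, line[k], clients[k] }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample input; IDs, hosts and paths are placeholders.
sample_log() {
  cat <<'EOF'
[Mon Jan 06 10:00:01 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "select.+from" at ARGS:q. [file "/path/to/rules.conf"] [line "120"] [id "9000001"] [msg "constructed rule A"] [hostname "shop.example.com"] [uri "/search.php"] [unique_id "AAAA"]
[Mon Jan 06 10:00:02 2014] [error] [client 198.51.100.23] ModSecurity: Access denied with code 406 (phase 2). Pattern match "select.+from" at ARGS:q. [file "/path/to/rules.conf"] [line "120"] [id "9000001"] [msg "constructed rule A"] [hostname "shop.example.com"] [uri "/search.php"] [unique_id "AAAB"]
[Mon Jan 06 10:00:03 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\.\\./" at ARGS:file. [file "/path/to/rules.conf"] [line "245"] [id "9000002"] [msg "constructed rule B"] [hostname "blog.example.com"] [uri "/view.php"] [unique_id "AAAC"]
[Mon Jan 06 10:00:05 2014] [error] [client 192.0.2.9] File does not exist: /home/user/public_html/favicon.ico
[Mon Jan 06 10:00:09 2014] [error] [client 203.0.113.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "select.+from" at ARGS:q. [file "/path/to/rules.conf"] [line "120"] [id "9000001"] [msg "constructed rule A"] [hostname "shop.example.com"] [uri "/search.php"] [unique_id "AAAD"]
EOF
}

# Usage: script.sh [error_log]; without an argument the sample is used.
if [ -n "${1:-}" ]; then
  modsec_summary < "$1"
else
  sample_log | modsec_summary
fi
```

The hostname column shows which single domain a rule exception would need to cover, and the rule ID and line number identify the rule itself.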

When modsec is triggered by a piece of code that performs a legitimate function of your site, it is best to have that code rewritten so as not to trigger modsec. Each of modsec’s rules catches attacks, so if modsec is treating your site code like an attack, the problem is almost always with what the site code is doing.

If you are not developing a site with your own code, and you use a reputable 3rd-party vendor for your code, you may have to resort to turning off the specific modsec rule that the site triggers. If you choose this route, it is best to restrict this whitelisting to only the one domain, rather than the entire server. While whitelisting modsec rules is beyond the scope of this article, Liquid Web’s Heroic Support team is available 24/7 to assist you with any modsec errors you come across.


Liquid Web’s Heroic Support is always available to assist customers with this or any other issue. If you need our assistance please contact us:
Toll Free 1.800.580.4985
International 517.322.0434

About the Author: Patrick Hawkins

Patrick Hawkins is a former Test Engineer and Managed WordPress admin with Liquid Web
