How to disable mod_security in .htaccess file

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

How to disable mod_security in .htaccess file

Filed in: Security, Weblog, WordPress — May 12th, 2008

It is quite common that mod_security is interfering the functions of your web applications. mod_security is installed and enabled by your web server admin but you can still disable it for your individual website using .htaccess file by following this tutorial.

“mod_security is an Apache module (for Apache 1 and 2) that provides intrusion detection and prevention for web applications.” — HowtoForge

Disable mod_security in .htaccess file

If you do not have one yet, an .htaccess file in the folder of your web application
To disable mod_security COMPLETELY, add the following line to the .htaccess file:
SecFilterEngine Off
OR, to disable HTTP POST scanning only, use the following instead:
SecFilterScanPOST Off
Save the file and test your web application to check whether disabling mod_security has solved your problem.

I recommend you to try SecFilterScanPOST Off first, instead of disabling mod_security completely.

My two cents

mod_security is good to protect your website but it might cause some problems for certain web applications, especially in file uploads. My server has mod_security enabled and I encountered WordPress upload error: “HTTP error”. The SecFilterScanPOST Off solved the problem immediately.

Tags: modsecurity, tips

Read also:

What do you think? Comments to “How to disable mod_security in .htaccess file”

Comments Feed |

TrackBack URL

Apple Says:
May 12th, 2008 at 8:17 am

After upgrading to WP2.5, I also have the same HTTP error problem when I want to upload files to my host via WP. I tried the fix posted by HongKiat and even tried your solution, it all didn’t work and giving me a 500 internal server error.

I already have a .htaccess file with the following setting:
# BEGIN WordPress

RewriteEngine On
RewriteBase /blog/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]

# END WordPress

Any idea how I can fix this problem?

Noorizam Shah Says:
May 12th, 2008 at 8:44 am

until now, i still dont know how to solve this problem.

Neo Says:
May 12th, 2008 at 1:02 pm

This is one tactic that all web site owners should know.

Syahid A. Says:
May 12th, 2008 at 1:04 pm

I’ve experienced the same problem too and this is how I solve the problem. Nice to share it, Liew.

zaifulzin Says:
May 13th, 2008 at 1:45 am

Apple you should refer to your hosting technical support, some hosting not allowed full access to modified htaccess file. Some of recommend to me by other user before is to change the file name from .htaccess to _htaccess. I didnt try but you can try it yourself coz my problem solved when i file a complain to my hosting technical support. I believe they will do it for you.

Zaiful Zin

Apple Says:
May 13th, 2008 at 5:16 am

@zaifulzin ,
Thank you for the suggestion. I tried to contact my hosting technical support before, but I haven’t receive any feedback. Perhaps I should try again.

nasrun Says:
May 13th, 2008 at 11:49 am

Sorry for asking, I am newbies.

Why should we disable this function? It is good for our website or blog?

Diana Tan Says:
May 13th, 2008 at 2:20 pm

I recently had to add some codes to my .htaccess to stop a redirection put in by an unauthorised bloke.

LcF Says:
May 13th, 2008 at 7:11 pm

@nasrun: mod_security is good to protect your website. However, if it conflict with your web application, we have to disable it. It is better to have mod_security enabled if you have the choice.

#10

nasrun Says:
May 13th, 2008 at 7:18 pm

Thanks LiewCF for the information. It is very usefull..

#11

dicky Says:
May 14th, 2008 at 4:14 pm

Doing so will immediately solve the file/image uploading problem. I face this problem before but after disable mod_security, i manage to solve this issue.

#12

e1d Says:
May 15th, 2008 at 10:15 am

I think wordpress should create a default .htaccess file and put it together with thier installation. Because wordpress developer know their products so well and know whats good and whats bad for wordpress.