How to disable mod_security in .htaccess file

It is quite common for mod_security to interfere with the functions of your web applications. mod_security is installed and enabled by your web server admin, but you can still disable it for your individual website using an .htaccess file by following this tutorial.

“mod_security is an Apache module (for Apache 1 and 2) that provides intrusion detection and prevention for web applications.” — HowtoForge

Disable mod_security in .htaccess file

  1. If you do not have one yet, create an .htaccess file in the folder of your web application.
  2. To disable mod_security COMPLETELY, add the following line to the .htaccess file:
    SecFilterEngine Off
    OR, to disable HTTP POST scanning only, use the following instead:
    SecFilterScanPOST Off
  3. Save the file and test your web application to check whether disabling mod_security has solved your problem.

I recommend trying SecFilterScanPOST Off first, instead of disabling mod_security completely.
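For the server admin's side of this procedure, here is an added example (not from the original post): it scans the text of an .htaccess file for the two directives above and reports what each one switches off, whether it is limited to a `<Files>` section, and whether it sits inside an `<IfModule>` guard (without one, a directive Apache does not recognise makes it answer 500). The function name, the sample content and the `mod_security.c` and `async-upload.php` names in it are constructed assumptions.

```python
import re

# The two directives from the post and what each one switches off.
DIRECTIVES = {"secfilterengine": "all filtering",
              "secfilterscanpost": "POST body scanning"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")   # e.g. <Files upload.php>
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")       # e.g. </Files>

# Constructed sample .htaccess content (assumption, not from the post).
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
# END WordPress
SecFilterEngine Off
<IfModule mod_security.c>
  <Files async-upload.php>
    SecFilterScanPOST Off
  </Files>
</IfModule>
"""


def audit_htaccess(text):
    """Return one finding per directive that turns a mod_security feature off."""
    findings, stack = [], []  # stack: (section name, argument) of open sections
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.lower().replace('"', "").split()
        opened = OPEN.match(line)
        if CLOSE.match(line):
            del stack[-1:]  # leave the innermost open section
        elif opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
        elif name in DIRECTIVES and args[:1] == ["off"]:
            files = [arg for sec, arg in stack if sec in ("files", "filesmatch")]
            findings.append({
                "line": lineno,
                "disables": DIRECTIVES[name],
                "scope": files[-1] if files else "directory tree",
                "guarded": any(sec == "ifmodule" for sec, _ in stack),
            })
    return findings


if __name__ == "__main__":
    print(*audit_htaccess(SAMPLE), sep="\n")
```

A finding with scope "directory tree" and "all filtering" is the broadest case; the narrower the scope and the feature, the less protection the site gives up.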

My two cents

mod_security is good for protecting your website, but it might cause some problems for certain web applications, especially with file uploads. My server has mod_security enabled and I encountered the WordPress upload error “HTTP error”. Setting SecFilterScanPOST Off solved the problem immediately. 🙂

  • After upgrading to WP2.5, I also have the same HTTP error problem when I want to upload files to my host via WP. I tried the fix posted by HongKiat and even tried your solution; none of it worked and it is giving me a 500 internal server error.

    I already have a .htaccess file with the following setting:
    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /blog/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /blog/index.php [L]

    # END WordPress

    Any idea how I can fix this problem?

  • Until now, I still don’t know how to solve this problem.

  • Neo

    This is one tactic that all web site owners should know.

  • I’ve experienced the same problem too and this is how I solved the problem. Nice of you to share it, Liew.

  • zaifulzin

    Apple, you should refer to your hosting technical support; some hosts do not allow full access to modify the .htaccess file. Something recommended to me by another user before is to change the file name from .htaccess to _htaccess. I didn’t try it, but you can try it yourself, because my problem was solved when I filed a complaint with my hosting technical support. I believe they will do it for you.

    Zaiful Zin

  • @zaifulzin,
    Thank you for the suggestion. I tried to contact my hosting technical support before, but I haven’t received any feedback. Perhaps I should try again.

  • nasrun

    Sorry for asking, I am a newbie.

    Why should we disable this function? Is it good for our website or blog?

  • Diana Tan

    I recently had to add some code to my .htaccess to stop a redirection put in by an unauthorised bloke.

  • LcF

    @nasrun: mod_security is good for protecting your website. However, if it conflicts with your web application, we have to disable it. It is better to have mod_security enabled if you have the choice.

  • nasrun

    Thanks LiewCF for the information. It is very useful.

  • dicky

    Doing so will immediately solve the file/image uploading problem. I faced this problem before, but after disabling mod_security, I managed to solve this issue.

  • e1d

    I think WordPress should create a default .htaccess file and put it together with their installation, because the WordPress developers know their product so well and know what’s good and what’s bad for WordPress.