ModSecurity Rules update – 10 January

The ModSecurity Web Application Firewall (WAF) adds an extra layer of security to websites by blocking common website attacks. This is an invaluable tool to keep our hosted websites safe. Our previous rule set of choice (kindly provided by Comodo) has reached end-of-life. Today, we switched our WAF rule set to that of OWASP. This will enable us to stay up to date and protect against emerging threats. But it may also lead to a few hiccups initially…

The OWASP core rule set provides a strong set of tests that vary in complexity from simple to very complex. It is impossible to have one set of rules that will a) protect all hosted websites (with widely varying functionality) against all attacks and b) at the same time never produce false positives (i.e. trigger on character sequences that seem suspicious when there is in fact no malicious intent). To strike a balance between security and convenience, we are using the new rule set on its least invasive “paranoia level 1” setting.

False positives will inevitably occur. If you unexpectedly experience a 403 error, e.g. while updating your WordPress website, then it may be a ModSecurity false positive. You can check whether ModSecurity is interfering by temporarily disabling it in your cPanel and repeating the same action. If you are certain that ModSecurity is interfering, please contact us so that we can investigate and disable the rule in question for your website.

Because it offers a valuable layer of protection against attacks, we recommend you NOT permanently disable ModSecurity.
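
When the OWASP rule set runs in anomaly-scoring mode, the rule that returns the 403 is the scoring rule 949110, not the rule that matched the request, so finding "the rule in question" means collecting the rules that scored against the same request. The following is an added example (not part of the original announcement and not the provider's own tooling) that does this over constructed Apache error-log lines; the log layout, anomaly-scoring mode, host name and function name are assumptions.

```python
import re
from collections import defaultdict

# CRS 3.x rules that only evaluate or report the anomaly score. Excluding one
# of these would switch blocking off, so they are never the rule to exclude.
SCORING_RULES = {"949110", "959100", "980130"}

FIELD = re.compile(r'\[(id|msg|hostname|uri|unique_id) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines in the Apache 2.4 + ModSecurity 2.x error-log shape.
SAMPLE_LOG = r'''
[Wed Jan 10 09:14:02 2024] [:error] [client 198.51.100.7:50122] ModSecurity: Warning. detected XSS using libinjection. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "shop.example.org"] [uri "/wp-admin/post.php"] [unique_id "ZZ5aAA-0001"]
[Wed Jan 10 09:14:02 2024] [:error] [client 198.51.100.7:50122] ModSecurity: Warning. Pattern match at ARGS:content. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [hostname "shop.example.org"] [uri "/wp-admin/post.php"] [unique_id "ZZ5aAA-0001"]
[Wed Jan 10 09:14:02 2024] [:error] [client 198.51.100.7:50122] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [hostname "shop.example.org"] [uri "/wp-admin/post.php"] [unique_id "ZZ5aAA-0001"]
[Wed Jan 10 09:15:40 2024] [:error] [client 203.0.113.9:41800] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920320"] [msg "Missing User Agent Header"] [hostname "shop.example.org"] [uri "/"] [unique_id "ZZ5aAA-0002"]
'''


def rules_behind_403s(log_text, hostname):
    """Map each blocked URI on `hostname` to the rule ids that scored against it."""
    hits = defaultdict(set)   # unique_id -> ids of rules that matched the request
    denied = {}               # unique_id -> URI, only for requests answered with 403
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if fields.get("hostname") != hostname or "unique_id" not in fields:
            continue
        uid = fields["unique_id"]
        if "Access denied with code 403" in line:
            denied[uid] = fields.get("uri", "?")
        if fields.get("id") and fields["id"] not in SCORING_RULES:
            hits[uid].add(fields["id"])
    report = defaultdict(set)
    for uid, uri in denied.items():   # requests that only logged warnings are skipped
        report[uri] |= hits[uid]
    return {uri: sorted(ids) for uri, ids in report.items()}


if __name__ == "__main__":
    print(rules_behind_403s(SAMPLE_LOG, "shop.example.org"))
```

The second sample request matched a low-scoring rule but was not blocked, so it does not appear in the result; only rules tied to an actual 403 are candidates for a per-site exclusion.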