How to Enable ModSecurity in cPanel for Web Protection

ModSecurity is a Web Application Firewall (WAF) that monitors and filters all incoming traffic in order to block any destructive requests before they reach your site. It provides a common front line against attack (at the application level) and can be used with most web software such as Apache or Nginx.

On cPanel hosted websites, ModSecurity provides another level of protection. It is capable of mitigating threats such as SQL injection, cross-site scripting (XSS), remote file inclusion, failed directory traversals and automated bot attacks that can compromise site data and functionality, not to mention security of personal sensitive author records of any kind.

In this tutorial, you’ll learn all you need to know to enable and use ModSecurity in cPanel, including any prerequisites, enabling ModSecurity in cPanels and WHM, choosing and configuring rulesets, testing ModSecurity’s effectiveness, and fixing issues related to ModSecurity such as false positive blocking requests from legitimate sources or site errors.

What is ModSecurity and Why Use It?

ModSecurity is an open-source Web Application Firewall (WAF) module mainly developed for Apache, but is also available for Nginx and IIS using connectors. It examines HTTP requests in real-time and is able to apply security rules designed to prevent suspicious activity before it reaches your site. 

ModSecurity is capable of making your website safer from common web threats like SQL injection (SQLi), cross-site scripting (XSS), remote code execution (RCE), malicious file uploads, and similar attacks by making requests that are hidden in HTTP headers or by automated bots. By inspecting every request that your website is making, many vulnerabilities can be prevented from being exploited.

If you use cPanel, ModSecurity will configure itself automatically without you even having to do anything. The best part is that it keeps a detailed audit log that you can refer to in your cPanel account should attacks get blocked. ModSecurity is also a rule-based system allowing you to block traffic should you choose to. 

The following are a few terms that apply to ModSecurity: 

• There are rulesets like the OWASP Core Rule Set (CRS) that you can apply to your website. 
• Audit logs keep track of what attacks you blocked via ModSecurity
• False positives – we can get a valid request in your logs being subjected to rules that triggered a previously-used security measure.
• Whitelist and blacklisted websites or IP addresses source traffic.

Prerequisites Before You Start

Before you turn on ModSecurity, check what type of access you have. With a basic cPanel account you can usually just toggle ModSecurity on or off for your own domains. If you have WHM (Web Host Manager) access, or root access, then you can manage the rulesets, the logs, and the ModSecurity settings and operation server wide.

If you cannot see ModSecurity in cPanel, that usually means you do not have ModSecurity enabled and the hosting provider may managed ModSecurity by default. You should reach out to the support team for your hosting provider to see if you can gain access or for help configuring/assisting in some way.

It is always a good idea to take a backup of your website or create a snapshot of it prior to adding or modifying any security rules, in the event they block legitimate traffic and you wish to revert back to a known previous state quickly. To help ease the testing and activity of enabling or adjusting ModSecurity, it is recommended to plan on enabling/modifying it during a low traffic time period if possible.

Method 1: Enable ModSecurity from cPanel (User Interface)

Step 1: Open ModSecurity in cPanel

Log in to your cPanel account and navigate to the Security section. Click on ModSecurity to open its settings page. Here, you will see a list of all domains connected to your account. Each domain comes with a control option that allows you to turn the firewall on or off:

Step 2: Enable Protection and Choose Ruleset

Select the domain where you want to enable ModSecurity. Switch the firewall to ON to activate real-time traffic monitoring and filtering. If your hosting provider offers multiple vendor rulesets, such as the OWASP Core Rule Set (CRS), choose the recommended one before saving the changes:

Enabling a strong ruleset ensures ModSecurity can detect and block a wide range of common web attacks effectively.

Step 3: Apply and Confirm Activation

Once you save the settings, ModSecurity begins protecting the selected domain immediately. It will block any malicious requests that match the configured rules before they can harm your website.

Step 4: Contact Support if Option Missing

If you do not see ModSecurity in cPanel, it often means your hosting provider manages it at the server level or requires configuration through WHM. In such cases, reach out to the hosting support team or ask the server administrator to enable the firewall for your account.

Step 5: Test the Website After Enabling

With ModSecurity active, test your site to ensure everything loads correctly and no legitimate requests are blocked unnecessarily.

Method 2: Enable ModSecurity from WHM (Server Admin)

Step 1: Access ModSecurity Settings in WHM

Log in to WHM as the root or server administrator. In the left-hand menu, scroll to the Security Center section and click on ModSecurity™ Configuration. This area allows you to control the ModSecurity engine globally for all cPanel accounts hosted on the server.

Step 2: Enable the ModSecurity Engine

Inside the configuration screen, turn the ModSecurity engine to On. This ensures the firewall module actively monitors incoming requests across all domains on the server. Enable logging as well so you can track blocked requests and review potential false positives later.

Step 3: Install or Update Rulesets

Go to the ModSecurity™ Vendors section to manage your rulesets

If not already installed, add a vendor such as the OWASP Core Rule Set (CRS) or other reputable providers like Atomicorp. After adding the vendor, update the rules to the latest version for maximum protection against current threats.

Step 4: Apply Configuration and Restart Services

Once the engine and rulesets are enabled, click Save or Deploy to apply the changes. Some servers may require you to restart Apache or LiteSpeed for the new settings to take effect.

Step 5: Verify and Fine-Tune

Use the ModSecurity™ Tools section in WHM to review logs and confirm that the firewall is working as expected. If any website experiences issues due to strict rules, temporarily switch it to Detection Only mode. Identify the specific rule causing the problem, adjust or disable it if necessary, and then return the site to full protection mode.

Recommended Rulesets & Configuration Tips

The OWASP Core Rule Set (CRS) is the best starting option for ModSecurity because it already blocks common issues such as SQL injection, cross-site scripting, and remote code execution. Most hosting platforms have it enabled by default, so enabling it isn’t more than 2 clicks away.

That said, if your website is processing sensitive information or you are being attacked on a regular basis, managed rulesets such as Atomicorp or Comodo may be a better fit for you because they allow more automatic updating and better handling of false-positives and ultimately better, more real-time protection.

When you are enabling ModSecurity for the first time, it is always safest to use the Detection-Only Mode, so that before you switch to full blocking mode, you can browse your logs to observe and identify if any legitimate traffic was blocked.

It’s important to keep your rulesets updated and the audit logs reviewed regularly, so you can adjust rules as necessary and ensure that your strong security continues to be and remain strong.

How to Test ModSecurity Is Working

Once you have enabled ModSecurity, it is necessary to confirm that it is functioning correctly. The easiest way to do this is to access your website and perform typical actions, such as submitting forms and clicking on links and buttons. If the website loads properly, ModSecurity is likely functioning and processing legitimate requests.

If you’d like to perform more in-depth testing, use safe test payloads that will trigger ModSecurity rules without potentially harming your website. For example, you can try placing a harmless string such as  into an input box like a search box to check if the XSS rules are working. Any requests that are blocked should show up in the ModSecurity audit logs similar to the below example, with a rule ID and disposition for the block.

While browsing these logs using cPanel or WHM, you will be able to confirm if ModSecurity is actually filtering incoming traffic, and giving you an opportunity to catch any false positives before you move from a detection only mode to a blocking mode.

Conclusion

Enabling ModSecurity in cPanel will provide new security layers that help keep your website secure from common threats like SQL injection, cross-site scripting, and malicious bots. After enabling it via cPanel or WHM and after-setting ruleset for OWASP Core Rule Set or other reliable rulesets, it is essential to keep your ModSecurity rulesets updated regularly, enabling you with possible updates to protect against upcoming attacks. Testing your ModSecurity configuration in all security measures must begin with detection mode only as it allows you to test the firewall without interfering with legitimate site traffic.

Once you determine the implementation of ModSecurity via detection mode only doesn’t break any of your website functionality you can set default configuration back to full blocking mode configuration and review your audit logs regularly bringing awareness for possible false positives. ModSecurity simply requires little ongoing management, with strong filtering rules-based mechanism that blocks malicious requests before it enters your secured site. Together with mind and proper configuration through occasional fine tuning it remains a powerful set-and-forget security implementation for cPanel hosted secure websites.

FAQ