How to disable specific Web Application Firewall ModSecurity rules in Plesk

Applicable to:

  • Plesk for Linux
  • Plesk for Windows

Question

How to disable specific ModSecurity rules for a domain or server-wide?

Answer

Note: Not all rules can be disabled due to the MODSEC-274 bug in ModSecurity.

 

Disabling rules for a domain

 

  1. Log in to Plesk.

  2. Go to Domains > example.com > Web Application Firewall (ModSecurity).

    Note: The Switch off security rules section is visible only when the Web Application Firewall (ModSecurity) mode is set to On or Detection only.

  3. In the Switch off security rules section of the page, specify rule IDs (for example, 340003), tags (for example, CVE-2011-4898), or a regular expression (for example, XSS) used in the rules that need to be switched off, and click OK.

 

Disabling rules server-wide

 

  1. Log in to Plesk.

  2. Go to Tools & Settings > Web Application Firewall (ModSecurity).

    Note: The Switch off security rules section is visible only when the Web Application Firewall (ModSecurity) mode is set to On or Detection only.

  3. In the Switch off security rules section of the page, you may switch off rules as follows:

    • By rule IDs. Add the IDs from the error message to the Security rule IDs field and apply the changes.

      Note: If there are several rule IDs, put each on a new line.

    • By rule tags. Move the rule tags from the error message from Active to Deactivated and apply the changes.

Note: The rule ID is written in the body of the error message. For example, in the error below, the rule ID is 949110:

    ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]
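When many requests are blocked, the IDs and tags can be collected from the log instead of being read off one entry at a time. The Python below is an added example, not part of the original article and not Plesk code: it parses the `[key "value"]` fields of ModSecurity error-log lines and builds the one-ID-per-line text for the Security rule IDs field. The function names are my own; the first sample line is the error quoted above, and the second is constructed, using the article's example ID 340003 with a placeholder file path, message and tag.

```python
import re

# ModSecurity appends metadata to each error-log entry as [key "value"] pairs.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# First line: the error quoted in the article. Second line: constructed for
# this example (placeholder path, message and tag; the article's ID 340003).
SAMPLE_LOG = [
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at '
    'TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_'
    'crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] '
    '[tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] '
    '[tag "attack-generic"] [hostname "example.com"] [uri "/robots.txt"] '
    '[unique_id "XPsROH8AAQEAABEiZFcAAABC"]',
    'ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/'
    'constructed.conf"] [line "1"] [id "340003"] [msg "Constructed sample"] '
    '[tag "example-tag"] [hostname "example.com"] [uri "/form.php"]',
]

def parse_entry(line):
    """Return the fields of one ModSecurity error-log line, or None."""
    if "ModSecurity:" not in line:
        return None
    entry = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)   # a line can carry several tags
        else:
            entry.setdefault(key, value)
    # The CRS blocking-evaluation file holds the anomaly-score total rule.
    entry["anomaly_total"] = "BLOCKING-EVALUATION" in entry.get("file", "")
    return entry if "id" in entry else None

def summarize(lines):
    """Group hits by rule ID with hit count, tags and affected URIs."""
    rules = {}
    for entry in filter(None, map(parse_entry, lines)):
        rule = rules.setdefault(entry["id"], {
            "count": 0, "tags": set(), "uris": set(),
            "anomaly_total": entry["anomaly_total"]})
        rule["count"] += 1
        rule["tags"].update(entry["tags"])
        rule["uris"].add(entry.get("uri", ""))
    return rules

def ids_field(rules):
    """Rule IDs one per line, the layout the Security rule IDs field takes."""
    return "\n".join(sorted(rules, key=int))
```

A rule flagged `anomaly_total`, such as 949110 in the error above, is the OWASP CRS rule that blocks once the accumulated inbound anomaly score reaches the threshold, so switching it off stops score-based blocking for every rule that feeds that score. Before disabling it, look for the contributing rule IDs logged for the same request and switch off only those.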

Comments

  • Hi,
    Ok thx.
    If you want to disable a rule for a specific folder, use this:

    <IfModule mod_security2.c>
        # General rules
        SecResponseBodyLimit 536870912
        SecRuleRemoveById 999777
        # A comment
        <Directory /var/www/vhosts/domain.tld/httpdocs/yourfolder>
            SecRuleRemoveById 999888
        </Directory>
    </IfModule>

    Replace domain.tld and yourfolder with the correct information for you ...

    1
  • There is some list of trusted ID rules to be included at a general level  

    0
