How to Enable ModSecurity for Client Accounts in WHM?
ModSecurity is a Web Application Firewall (WAF) that protects websites from SQL injection, cross-site scripting (XSS), and other common attacks. You can enable it globally for all client accounts from WHM.
Enable ModSecurity in WHM
- Login to WHM.
- Go to Security Center → ModSecurity.
- You will see a list of all your domains/accounts with their current ModSecurity status.
- To enable for all accounts:
- Click Enable All at the top of the list.
- To enable for a specific account:
- Find the domain in the list.
- Toggle the switch to On for that domain.
ModSecurity is now active. It will automatically block malicious requests to all protected websites.
Disable ModSecurity for a Specific Domain
Sometimes ModSecurity blocks legitimate requests (false positives). If a client reports a specific feature of their site is broken after enabling ModSecurity:
- Go to WHM → Security Center → ModSecurity.
- Find the client's domain.
- Toggle the switch to Off for that domain only.
Common ModSecurity False Positives
- Contact form submissions returning 403 Forbidden errors.
- WordPress admin panel actions getting blocked.
- File uploads failing with permission errors.
- E-commerce checkout processes being interrupted.
Note: Disabling ModSecurity for a specific domain reduces that site's protection. Advise clients to use security plugins (e.g., Wordfence for WordPress) as an additional layer of protection.
If you continue to face issues, please open a create a request.
