A Web Application Firewall (WAF) is one of the most important security tools available for protecting your website. Unlike traditional firewalls that filter traffic at the network level, a WAF operates at the application layer (Layer 7), inspecting HTTP/HTTPS requests and responses to detect and block malicious activity targeting your web applications. On SakuraHost servers, ModSecurity is the WAF engine that provides this protection. This guide explains how WAFs work, what ModSecurity protects against, and how to manage it on your hosting account.
What Is a Web Application Firewall?
A WAF sits between your website visitors and your web server, either as a reverse proxy in front of the server or, as with ModSecurity, as a module inside the web server itself, and inspects every HTTP request before it reaches your application. It analyzes request headers, body content, URL parameters, cookies, and other HTTP elements against a set of security rules. If a request matches a known attack pattern, the WAF blocks it before it can reach your website code.
What a WAF Protects Against
According to the OWASP Foundation, the most common web application vulnerabilities include:
| Attack Type | Description | WAF Protection |
|---|---|---|
| SQL Injection | Malicious SQL code inserted through input fields to access/modify databases | Blocks requests containing SQL syntax in unexpected places |
| Cross-Site Scripting (XSS) | Malicious scripts injected into web pages viewed by other users | Detects and blocks script injection attempts |
| Remote File Inclusion (RFI) | Forces the server to load malicious files from remote servers | Blocks requests attempting to include remote URLs |
| Local File Inclusion (LFI) | Exploits file inclusion to access sensitive server files like /etc/passwd | Detects path traversal attempts (../ patterns) |
| Cross-Site Request Forgery (CSRF) | Forces authenticated users to perform unintended actions | Validates request origins and tokens |
| Command Injection | Executes system commands through vulnerable application inputs | Blocks system command patterns in requests |
ModSecurity on SakuraHost
ModSecurity is an open-source WAF engine that runs as an Apache module on SakuraHost servers. It uses the OWASP Core Rule Set (CRS), a comprehensive collection of security rules maintained by the OWASP community. These rules are regularly updated to protect against newly discovered attack vectors.
Managing ModSecurity in cPanel
Checking ModSecurity Status
When to Temporarily Disable ModSecurity
While ModSecurity is essential for security, there are situations where it may interfere with legitimate functionality:
- False Positives: ModSecurity may block legitimate requests that happen to match an attack pattern. For example, posting content that contains code examples, SQL queries in educational material, or certain special characters can be rejected even though it is harmless.
- Plugin/Theme Installation: Some WordPress themes or plugins may trigger ModSecurity rules during installation or configuration because they make requests that resemble attack patterns.
- Custom Application Features: If you have developed custom functionality that uses unusual request patterns, ModSecurity may flag them.
Understanding ModSecurity Logs
When ModSecurity blocks a request, it generates an error log entry and returns a 403 Forbidden or 406 Not Acceptable response to the visitor. You can identify ModSecurity blocks in your error logs by looking for entries containing ModSecurity:
This log entry tells you: the client IP, the rule that matched (SQL injection detection), the specific parameter that triggered it (search_query), the rule file and ID, and the description of the detected threat.
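As an added example (not part of this guide), the script below parses Apache error_log lines in the format ModSecurity 2.x writes, separates actual blocks from warnings, and pulls out the rule ID, rule file, URL and matched parameter that Support asks for when you request an exclusion. The sample log lines, IP addresses, hostname and path are constructed for the example; the rule ID 942100 is the OWASP CRS libinjection SQL injection rule.

```python
import re

# Constructed sample Apache error_log lines in ModSecurity 2.x format; IP, hostname, path and unique_id are invented.
SAMPLE_ERROR_LOG = [
    "[Tue Mar 12 10:15:31 2024] [core:error] [pid 4321] [client 198.51.100.7:40211] File does not exist: /home/user/public_html/favicon.ico",
    "[Tue Mar 12 10:15:32 2024] [:error] [pid 4322] [client 203.0.113.45:51234] [client 203.0.113.45] "
    "ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection with fingerprint 'sos' "
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    "[data \"Matched Data: sos found within ARGS:search_query: 1' OR 1=1\"] [severity \"CRITICAL\"] "
    '[tag "attack-sqli"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "Zfa1bXJ2cm4AAABCAAAAAA"]',
]

KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs written by ModSecurity
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
STATUS_RE = re.compile(r"Access denied with code (\d+)")
PARAM_RE = re.compile(r"within ((?:ARGS|REQUEST_COOKIES|REQUEST_HEADERS):[\w\-\[\]]+)")

def parse_modsec_entry(line):
    """Parse one error_log line; returns None for lines not written by ModSecurity."""
    if "ModSecurity:" not in line:
        return None
    entry = {"tags": []}
    for key, value in KV_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)  # a CRS rule usually carries several tags
        else:
            entry[key] = value
    m = CLIENT_RE.search(line)
    entry["client_ip"] = m.group(1) if m else None
    m = STATUS_RE.search(line)
    entry["status"] = int(m.group(1)) if m else None  # None: logged as a warning, request not blocked
    m = PARAM_RE.search(entry.get("data", ""))
    entry["parameter"] = m.group(1) if m else None  # e.g. ARGS:search_query
    return entry

def find_blocks(lines):
    """Keep only the events where ModSecurity actually denied the request."""
    parsed = (parse_modsec_entry(line) for line in lines)
    return [e for e in parsed if e is not None and e["status"] is not None]

def support_ticket_fields(entry):
    """The details this guide says to send Support when requesting a rule exclusion."""
    return {
        "url": entry.get("hostname", "") + entry.get("uri", ""),
        "rule_id": entry.get("id", ""),
        "rule_file": entry.get("file", "").rsplit("/", 1)[-1],
        "description": entry.get("msg", ""),
    }
```

Run `find_blocks` over your own error_log lines and pass each result to `support_ticket_fields` to get the rule ID and URL for a ticket.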
Resolving False Positives
Method 1: Adjust Your Application Code
Often, the best solution is to modify your application to avoid triggering ModSecurity rules. For example, if a form submission is being blocked because user input contains SQL-like syntax, consider encoding or sanitizing the input before submission.
Method 2: Request Rule Exclusions
If a specific ModSecurity rule is consistently blocking legitimate functionality, contact SakuraHost Support with the following information:
- The URL being blocked
- The ModSecurity rule ID from the error log
- A description of the legitimate action being blocked
- The expected behaviour
Our team can add a targeted rule exclusion that allows your specific use case while maintaining protection against actual attacks.
Additional WAF Layers: Cloudflare
For enhanced protection, consider using Cloudflare's WAF in addition to ModSecurity. Cloudflare provides:
- Edge-level filtering: Malicious requests are blocked at Cloudflare's edge network before they even reach your server
- Managed rulesets: Cloudflare maintains its own rule sets with automatic updates for new threats
- Bot management: Advanced bot detection beyond what ModSecurity provides
- Rate limiting: Granular control over request rates per IP or per endpoint
- IP reputation: Cloudflare leverages threat intelligence from millions of websites to identify malicious IPs
Using both Cloudflare and ModSecurity creates a defence-in-depth strategy where threats must pass through two independent WAF layers to reach your application.
Security Headers
In addition to WAF protection, implementing security headers strengthens your website's defence. Add these to your .htaccess file:
You can verify your security headers using the Mozilla Observatory, which provides a grade and specific recommendations for improvement.
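As an added example (not part of this guide, and not the Observatory's own scoring), the function below audits a set of HTTP response headers and reports which common security headers are missing or weak. The two header sets are constructed, and the six-month HSTS threshold and the list of headers checked are assumptions for the example.

```python
import re

# Assumed threshold for this example: HSTS max-age of at least six months, in seconds.
MIN_HSTS_MAX_AGE = 15552000

# Constructed response header sets: a weak one and its hardened counterpart.
WEAK_HEADERS = {"Server": "Apache", "Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def audit_security_headers(headers):
    """Return a list of (header, problem) findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(("Strict-Transport-Security", "max-age shorter than six months"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("Content-Security-Policy", "missing"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "must be nosniff"))
    # Clickjacking: accept a valid X-Frame-Options value or a CSP frame-ancestors directive.
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("X-Frame-Options", "set DENY or SAMEORIGIN, or use CSP frame-ancestors"))
    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "missing"))
    return findings

def failed_headers(headers):
    """Only the names of the headers that need attention, in a stable order."""
    return [name for name, _ in audit_security_headers(headers)]

if __name__ == "__main__":
    for name, problem in audit_security_headers(WEAK_HEADERS):
        print(f"{name}: {problem}")
```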