how to add mod security exception


I have installed Mod Security using the following instructions: https://www.digitalocean.com/community/tutorials/how-to-set-up-modsecurity-with-apache-on-ubuntu-14-04-and-debian-8

It seems to be working fine, but I don't seem to be able to create exceptions for example for the WordPress login. I have added the following to my virtualhost file:

<Directory "/var/www/domain.com/public_html/wp-admin">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</Directory>

I have also tried the following:

<LocationMatch "/wp-admin">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</LocationMatch>

And different combinations of both.

I'm running Ubuntu 16.04.2 but I guess it's the same as for 14.04, right?


ModSecurity runs at several different phases. The first phase runs before any Directory or Location rules are processed. So turning ModSecurity off like this just won't work as by the time Apache gets round to processing that config it will be too late.

The better way to do this is to write a ModSecurity rule to "allow" these locations:

SecRule REQUEST_URI "@beginsWith /wp-admin" "phase:1,id:12345,allow"

Or alternatively dynamically turn off ModSecurity for the rest of this request (which will have basically the same effect as above):

SecRule REQUEST_URI "@beginsWith /wp-admin" "phase:1,id:12345,ctl:ruleEngine=off"

It's important that either of these rules is defined <strong>before</strong> any other rules, to ensure the other rules don't block requests before the above rule(s) take effect.

However I would say that wp-admin is one of the most likely attack locations on a WordPress site so not sure why you would go through the hassle of installing ModSecurity and then decide not to protect that particular URL with it!
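A narrower form of the same exception, given here as an added example that is not part of the original answer: it uses the same phase 1 `ctl` mechanism but keeps ModSecurity inspecting /wp-admin instead of switching it off. The rule id 12346 and the removed-rule id 999999 are assumptions; 999999 is a placeholder for whichever rule id your audit log shows as the false positive.

```apache
<IfModule security2_module>
    # Load this file before the Include lines that pull in the other rules,
    # so these phase 1 rules run first.

    # Option A: keep evaluating every rule for /wp-admin and keep logging
    # matches, but do not block the request.
    SecRule REQUEST_URI "@beginsWith /wp-admin" \
        "id:12345,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"

    # Option B: leave blocking on and remove only the one rule that
    # misfires. 999999 is a placeholder, not a real rule id; take the
    # id from the audit log entry for the blocked request.
    SecRule REQUEST_URI "@beginsWith /wp-admin" \
        "id:12346,phase:1,pass,nolog,ctl:ruleRemoveById=999999"
</IfModule>
```

Use one option or the other. With Option B the rule carrying `ctl:ruleRemoveById` has to execute before the rule it removes, which is why it sits in phase 1 ahead of the other rules.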

