• I have read that mod_security causes some issues with WordPress installations. Is it worth the workarounds to have mod_security installed?

  • There are way too many variables to be able to answer that question. I dunno that any two hosts configure mod_security the same way. It would seem, to me, that in 95% (more?) of cases it causes no issues at all.

    Thread Starter mynetweblogs

    (@mynetweblogs)

    Well for me, when I try to install a new blog, I get a server error.

    Thread Starter mynetweblogs

    (@mynetweblogs)

    What settings would cause issues?

    Hard to say, since most hosts won’t tell you what their ruleset includes.

    Thread Starter mynetweblogs

    (@mynetweblogs)

    Would mod_dosevasive cause issues, or is it probably the mod_security causing a problem?

    I don’t have a clue – never heard of mod_dosevasive for one thing. For another, the host I left because of mod_sec problems never would tell me what they changed.

    This thread takes a while to get going, but ends with some .htaccess “tricks” to mitigate issues caused by an overly strict mod_security configuration.

    http://wordpress.org/support/topic/75361?replies=69

    I have read that mod_security causes some issues with WordPress installations. Is it worth the workarounds to have mod_security installed?

    I've been waiting for 10 hours to respond to this thread —

    What specifically have you read regarding mod_security affecting installs? And where?

    That's the best place to start before answering too many questions.

    Since we don't know what you've read, or where, it's hard to tell you if it's worth it. What you read might be accidentally inaccurate, or purposefully false.

    I can say with some assuredness that mod_security is mistakenly blamed for quite a few things on these forums, and ought not to be.

    In other words, _generally_ uneducated people speak up without doing their homework first (as happens everywhere, I fairly need to add).

    Now again, this, therefore, is a general reply to your question.

    mod_security is worth ANY troubles, and the primary reason why I say so is that it's flexible, can be “turned off” in any number of different ways, and prevents a whole shedload of malicious things from happening.

    Need to turn it off, adjust, etc..:

    Add:

    SecFilterEngine Off

    to any .htaccess.

    You obviously already know that .htaccess bits are inherited, so I don't need to explain that you could protect one directory but not another.

    Just want to protect certain files:

    Or ..

    If you just want to have certain files do this, here's a good example:

    SecFilterEngine On
    SecFilterSelective "REQUEST_URI" "/wp-admin/edit.php" "allow,nolog"

    Or let's say you want to have an override for a word already listed in your modsecurity.conf:

    SecFilterEngine On
    SecFilterSelective "POST_PAYLOAD" "curl" "allow,nolog"

    Lots and lots and lots of options, besides the 2 simple ones mentioned in the thread handy linked to.

    A whole lot of documentation for mod_security:

    http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/

    I’ll assume you've looked over the mod_security website enough that you have a good idea what it does, and prevents. Personally, it’s the SQL injection attack and XSS protection that I appreciate the most. A close second being the PHP remote file include protection.

    I use mod_security to its fullest. I have no troubles posting whatever content I want, and have experienced NO issues with installs or upgrades, and I fairly recently just did a server move (both hosts had it available), again, all without a single issue.

    And just a commentary, “overly strict” is just that, commentary.

    As for mod_dosevasive, again, I would need to ask: what, if any, issues are you having? Or are you simply anticipating issues?

    mod_dosevasive is pretty straightforward, and if you've ever looked at the output of ps -aux, you know how many processes Apache can spawn.

    For the uninformed, mod_dosevasive fights DOS attacks by blocking an IP that's requesting the same page more than a few times per second, or by blocking an IP that's making more than 50 concurrent requests on the same Apache process. It also includes a blacklist, and checks IPs against that list.

    I don't see how mod_dosevasive would cause its own install issues, unless you're hammering the page without fixing whatever other problem(s) might be holding up your install.
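
Added example, not part of the original thread and not mod_dosevasive's own code: a simplified Python model of the two counters described in the last reply, replayed over constructed request timestamps to show why a normal pass through the installer stays under the limits while rapid reloads of one page do not. The thresholds, window, blocking period, class and function names are assumptions, and the "50 concurrent requests" limit is approximated as 50 requests per window.

```python
from collections import defaultdict, deque

PAGE_LIMIT = 3        # assumed: hits on one URI per window before blocking
SITE_LIMIT = 50       # from the post; modelled here as requests per window
INTERVAL = 1.0        # assumed window length in seconds for both counters
BLOCK_SECONDS = 10.0  # assumed time an offending IP stays on the block list


class EvasiveModel:
    """Simplified per-IP request counters (hypothetical model)."""

    def __init__(self):
        self.page_hits = defaultdict(deque)  # (ip, uri) -> recent timestamps
        self.site_hits = defaultdict(deque)  # ip -> recent timestamps
        self.blocked_until = {}              # ip -> time the block expires

    @staticmethod
    def _count(window, now):
        # Drop timestamps older than the window, then record this hit.
        while window and now - window[0] >= INTERVAL:
            window.popleft()
        window.append(now)
        return len(window)

    def handle(self, now, ip, uri):
        """Return the HTTP status this request would receive."""
        if self.blocked_until.get(ip, 0.0) > now:
            return 403  # IP is on the temporary block list
        page = self._count(self.page_hits[(ip, uri)], now)
        site = self._count(self.site_hits[ip], now)
        if page > PAGE_LIMIT or site > SITE_LIMIT:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return 403
        return 200


def replay(requests):
    """Feed (time, ip, uri) tuples through a fresh model, return statuses."""
    model = EvasiveModel()
    return [model.handle(t, ip, uri) for t, ip, uri in requests]


IP = "198.51.100.7"  # constructed client address (documentation range)
# Constructed traffic: one normal pass through the installer ...
INSTALL = [(0.0, IP, "/wp-admin/install.php"),
           (4.0, IP, "/wp-admin/install.php?step=1"),
           (9.0, IP, "/wp-admin/install.php?step=2")]
# ... versus reloading the same failing page five times in half a second.
HAMMER = [(i * 0.1, IP, "/wp-admin/install.php") for i in range(5)]
```

Calling `replay(INSTALL)` and `replay(HAMMER)` shows the difference: a 403 that appears only after repeated reloads points at the rate limiter, while a server error on the first request points elsewhere.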
