How to Disable Mod_Security in .Htaccess File

How can I disable mod_security in .htaccess file?

It is possible to do this, but most likely your host implemented mod_security for a reason. Be sure they approve of you disabling it for your own site.

That said, this should do it;

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

How to disable mod_security and mod_security2 in .htaccess

Displaying a message telling to contact server administrator will be the last thing to do. First of all I'll try one of this solutions for automatic config creation:

Create 2-3 sandboxed .htaccess configs in subfolders

1. During plugin activation test configs one by one with simulated remote AJAX test
2. Start from the best general settings config subfolder
3. Check for AJAX proxy script calls and image, style etc. files access in this folder
4. After finding successful(unblocking and not crashing) config, save selected .htaccess file to the folder containing AJAX proxy PHP file
5. If none of the configs (or built-in wordpress AJAX script - not very reliable) is functional display an error telling to contact server admin to allow htaccess for given folder

OR

1. Check loaded modules with PHP
2. add SecRuleRemoveById id only if mod_security2 is present to prevent
   basic mod_security crashing

Turn off mod_security for a page in shared hosting environment

Take a look at some mod_security and .htaccess tricks. There's a lot of different ways you can enable or disable mod_sceurity. The easiest may be to set the MODSEC_ENABLE environment variable to On or Off. You can use SetEnvIf to match against a number of things including the Request_URI:

SetEnvIf Request_URI your_page\.php$ MODSEC_ENABLE=Off

Or a number of pages:

SetEnvIf Request_URI ^/directory/file.*\.php$ MODSEC_ENABLE=Off

Or if you need to do something more complicated, like matching against a query string, using mod_rewrite:

RewriteEngine On
RewriteCond %{QUERY_STRING} example_param=example_value [NC]
RewriteRule ^path/your_file\.php$ - [E=MODSEC_ENABLE:Off]

Removing modsecurity rule via .htaccess

Is it really the saving of the file that is the problem? I find it hard to imagine, seeing as that isn't Apache's jurisdiction at atll. Isn't it rather the query being in a query string that is causing trouble?

You might be able to circumvent that e.g. by base64 encoding the query (if the 33% size increase doesn't test the URL's size limits), or storing the query in a session variable and passing only a unique random key pointing to the variable.

Edit: if you're really transmitting live SQL queries that you later execute - don't do it. It's exactly the reason why this mod_security filter exists.

either way, phpMyAdmin, a database management tool, has the same problem: It transmits live queries for running. There is a number of posts dealing with phpMyAdmin and mod_security. This one suggests a number of other filter IDs to disable. (Ideally, you would do this only for the one file that needs to receive the POST data.)

---

Related Topics