cPanel: How to disable mod_security2 for account or path

To disable mod_security2 on a cPanel server:

1. Create the following folder.

/usr/local/apache/conf/userdata/std/2/username/domain.com

2. Create a file named disabled_modsec2.conf in the above path.
3. Enter the following lines if you want to disable mod_security2 for the whole domain.

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

For a specific path,

<LocationMatch your_path>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</LocationMatch>

4. Run the following script as root.

/scripts/ensure_vhost_includes --user=username

Alternatively, edit the following file,

/usr/local/apache/conf/modsec2.conf

Enter the information below,

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleEngine=off

Replace domain.com with your own domain.

Allow allow_url_fopen on cPanel server

Sometimes, you might want to enable allow_url_fopen for your account.

To enable allow_url_fopen, you first need to know whether you are using a suPHP server.

On a server without phpsuexec or suPHP,
1. Go to the /usr/local/apache/conf/ path,
cd /usr/local/apache/conf/
2. Open the file named /usr/local/apache/conf/httpd.conf and find the line with Include "/usr/local/apache/conf/…"
3. Remove the # symbol if it is there.
4. Create the file in userdata according to step 2, replacing <username> with your cPanel username.
vi /usr/local/apache/conf/userdata/<number>/<username>/allowurl.conf
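5. Add the following directives and save the file. Note that the second line turns on allow_url_include as well, which is a separate setting from allow_url_fopen: it lets include and require load code from remote URLs.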
<IfModule mod_php5.c>
php_admin_value allow_url_fopen On
php_admin_value allow_url_include On
</IfModule>
6. Run the following commands,
/usr/local/cpanel/bin/apache_conf_distiller --update
/usr/local/cpanel/bin/build_apache_conf
service httpd restart

On a suPHP server,
1. Copy the default php.ini to your user folder, where <username> is your cPanel username.
cp /usr/local/lib/php.ini /home/<username>/public_html/
2. Change the value to,
allow_url_fopen = On
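
An added example (not part of the original posts): a shell function that walks the userdata directory used in the two procedures above and lists every include that sets SecRuleEngine Off or turns on allow_url_fopen / allow_url_include through php_admin_value, so each exception can be reviewed. The sample tree, account names and domains are constructed; settings made in modsec2.conf or in a per-user php.ini are not covered.

```shell
# Added example: list userdata includes that switch ModSecurity off or
# enable PHP remote URL handling, so each exception can be reviewed.

# $1: userdata root (defaults to the directory used on this page).
# The body runs in a subshell, so its variables stay local.
audit_userdata() (
    root=${1:-/usr/local/apache/conf/userdata}
    find "$root" -type f -name '*.conf' 2>/dev/null | sort |
    while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }                   # skip commented-out lines
            tolower($1) == "<locationmatch" {     # remember the enclosing pattern
                scope = $0
                sub(/^[ \t]*<[^ \t]+[ \t]+/, "", scope)
                sub(/>[ \t]*$/, "", scope)
            }
            tolower($1) ~ /^<\/locationmatch>/ { scope = "" }
            tolower($1) == "secruleengine" && tolower($2) == "off" {
                printf "%s\tmodsec-off\t%s\n", file,
                    (scope == "" ? "whole-vhost" : "path=" scope)
            }
            tolower($1) ~ /^php_admin_(value|flag)$/ &&
            tolower($2) ~ /^allow_url_(fopen|include)$/ &&
            tolower($3) ~ /^(on|1)$/ {
                printf "%s\t%s-on\t-\n", file, tolower($2)
            }
        ' "$f"
    done
)

# Constructed sample layout; account and domain names are made up.
make_sample_tree() {
    mkdir -p "$1/std/2/alice/example.com" "$1/std/2/bob/example.org"
    printf '%s\n' '<IfModule mod_security2.c>' 'SecRuleEngine Off' '</IfModule>' \
        > "$1/std/2/alice/example.com/disabled_modsec2.conf"
    printf '%s\n' '<LocationMatch /upload>' '<IfModule mod_security2.c>' \
        'SecRuleEngine Off' '</IfModule>' '</LocationMatch>' \
        '# SecRuleEngine Off' '<IfModule mod_php5.c>' \
        'php_admin_value allow_url_include On' '</IfModule>' \
        > "$1/std/2/bob/example.org/custom.conf"
}

# Demo run against the constructed tree.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
audit_userdata "$tmp"
rm -rf "$tmp"
```

Each output line is tab-separated: file, finding, and scope (whole-vhost, or the LocationMatch pattern the directive sits under).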

How to disable mod_security for an account

Sometimes, you might want to disable the mod_security applied to a virtual server and wonder how to do it.

If you are using Apache with mod_security, it could be done from the configuration file.

However, you need to know which Apache version and mod_security version you are using.

Normally, a hosted server will use Apache 1.x with mod_security 1.x and Apache 2.x with mod_security 2.x.

To find out the Apache version, you may use the following command.

httpd -v

With mod_security 1.x, you may take the following command and add it to the .htaccess file in each virtual host path.