How ModSecurity works
When someone visits your website or submits a form, ModSecurity checks the request against a set of security rules before it reaches your application. If a request matches a rule, ModSecurity blocks it and returns a403 Forbidden error.
This protects against many attacks automatically, but occasionally a legitimate request triggers a rule (a false positive). When that happens, you can temporarily disable ModSecurity for the affected domain while you troubleshoot.
Enable or disable ModSecurity
Log in to cPanel through your client area or atyourdomain.com/cpanel. Go to Security > ModSecurity.
All domains at once
- Click Enable to turn ModSecurity on for every domain on your account.
- Click Disable to turn it off for every domain. A confirmation prompt will appear — click Disable All to confirm.
Individual domains
You can control ModSecurity per domain in the domain list below the global toggle. Set a domain to On or Off as needed.ModSecurity must be enabled globally (using the Enable button) before you can configure individual domains. If it’s disabled globally, the per-domain settings have no effect.
Troubleshooting false positives
If ModSecurity blocks a legitimate request — for example, saving a page in WordPress or submitting a form — you’ll typically see a403 Forbidden error.
Confirm ModSecurity is the cause
Disable ModSecurity for the affected domain in cPanel. If the request works with ModSecurity off, you’ve found the cause.
Check your error logs
In cPanel, go to Metrics > Errors to see recent error log entries. ModSecurity blocks are logged with the rule ID that triggered. Note this rule ID if you plan to contact support.
Contact support if needed
If you need a specific rule excluded for your account, contact SpeedyPage support with the rule ID and a description of what you were doing when the block occurred.