> ## Documentation Index
> Fetch the complete documentation index at: https://speedypage.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# ModSecurity

> How ModSecurity protects your website and how to enable, disable, or troubleshoot it in cPanel.

ModSecurity is a web application firewall (WAF) that inspects incoming requests and blocks those that match known attack patterns: SQL injection, cross-site scripting, and other common exploits. SpeedyPage uses LiteSpeed, which is fully compatible with ModSecurity and its rulesets.

ModSecurity is enabled by default on all SpeedyPage Web Hosting accounts. You should leave it on unless you have a specific reason to disable it.

## How ModSecurity works

When someone visits your website or submits a form, ModSecurity checks the request against a set of security rules before it reaches your application. If a request matches a rule, ModSecurity blocks it and returns a `403 Forbidden` error.

This protects against many attacks automatically, but occasionally a legitimate request triggers a rule (a false positive). When that happens, you can temporarily disable ModSecurity for the affected domain while you troubleshoot.

## Enable or disable ModSecurity

Log in to cPanel through your [client area](https://my.speedypage.com) or at `yourdomain.com/cpanel`. Go to **Security** > **ModSecurity**.

### All domains at once

* Click **Enable** to turn ModSecurity on for every domain on your account.
* Click **Disable** to turn it off for every domain. A confirmation prompt will appear — click **Disable All** to confirm.

### Individual domains

You can control ModSecurity per domain in the domain list below the global toggle. Set a domain to **On** or **Off** as needed.

<Note>
  ModSecurity must be enabled globally (using the **Enable** button) before you can configure individual domains. If it's disabled globally, the per-domain settings have no effect.
</Note>

## Troubleshooting false positives

If ModSecurity blocks a legitimate request — for example, saving a page in WordPress or submitting a form — you'll typically see a `403 Forbidden` error.

<Steps>
  <Step title="Confirm ModSecurity is the cause">
    Disable ModSecurity for the affected domain in cPanel. If the request works with ModSecurity off, you've found the cause.
  </Step>

  <Step title="Check your error logs">
    In cPanel, go to **Metrics** > **Errors** to see recent error log entries. ModSecurity blocks are logged with the rule ID that triggered. Note this rule ID if you plan to contact support.
  </Step>

  <Step title="Contact support if needed">
    If you need a specific rule excluded for your account, [contact SpeedyPage support](https://my.speedypage.com/submitticket.php) with the rule ID and a description of what you were doing when the block occurred.
  </Step>

  <Step title="Re-enable ModSecurity">
    Once the issue is resolved, turn ModSecurity back on for the domain. Don't leave it disabled longer than necessary.
  </Step>
</Steps>

<Warning>
  Disabling ModSecurity removes all WAF protection for that domain. Only disable it temporarily for troubleshooting, and re-enable it as soon as possible.
</Warning>

For other ways to protect your hosting account, see [Hosting security best practices](/web-hosting/security-best-practices).