+- MyBB Community Forums (https://community.mybb.com)
+-- Forum: Community Archive (https://community.mybb.com/forum-106.html)
+--- Forum: Archived Forums (https://community.mybb.com/forum-143.html)
+---- Forum: Archived Development and Support (https://community.mybb.com/forum-155.html)
+----- Forum: MyBB 1.6 (https://community.mybb.com/forum-138.html)
+------ Forum: 1.6 General Support (https://community.mybb.com/forum-127.html)
+------ Thread: Can we mute the default htaccess rule disabling mod_security so mod_sec works fully? (/thread-177132.html)
Can we mute the default htaccess rule disabling mod_security so mod_sec works fully? - Finlan - 2015-09-01
Hey there, we noticed a long time that the .htaccess file for the forum had a rule to disable mod_security. We thought it was inserted by the Google SEO plugin but the author of the plugin said that Google SEO doesn't add that. I take it that this is a standard/default .htaccess rule to avoid getting false positives from people uploading files when posting.
In our case, we don't allow most forum members to upload files so we would rather have mod_security working fully rather than keeping it disabled. Can we mute the rule (i.e. add # to every line of the rule) without affecting the forum at all, including the Google SEO plugin?
Below is the current .htaccess rule disabling mod_security, it's at the top of the .htaccess file and then it is followed by the rewrite rules of the Google SEO plugin.
Thanks for any help.
QUICK EDIT: we asked our web host and they said that mod_security was fully working despite the mod_security disabling rule and that it was blocking hundreds of hacking attempts per day. The forum is in a directory and the homepage is a standard WP installation, so maybe mod_security is working on the WP installation but not in the MyBB forum? Regardless, we'd like to know, as per above, if we can mute the rule so that mod_security is working fully on the forum. Thanks again.
Here's the mod_sec disabling rule:
Options -MultiViews +FollowSymlinks -Indexes
#
# If mod_security is enabled, attempt to disable it.
# - Note, this will work on the majority of hosts but on
# MediaTemple, it is known to cause random Internal Server
# errors. For MediaTemple, please remove the block below
#
<IfModule mod_security.c>
# Turn off mod_security filtering.
SecFilterEngine Off
# The below probably isn't needed, but better safe than sorry.
SecFilterScanPOST Off
</IfModule>
RE: Can we mute the default htaccess rule disabling mod_security so mod_sec works fully? - liisyaoron - 2015-09-04
Watching this, I'm pretty sure that rule is from MyBB's own 'Enable search engine friendly URLs?' Which is on Config under Server and Optimizations options but I'm not sure if Google SEO doesn't have that.
RE: Can we mute the default htaccess rule disabling mod_security so mod_sec works fully? - Euan T - 2015-09-04
That rule is default for MyBB as a large number of hosts have broken ModSecurity implementations or configurations that can even prevent posting at all. You can remove that section if your host is configured correctly and ModSecurity doesn't cause any issues.