How to disable Mod_Sec for a specific folder/file

On a WordPress website protected with ModSecurity, when an admin edits pages using Elementor or Gutenberg in the wp-admin dashboard, ModSecurity may falsely detect the request as an XSS attack.

What we usually do is disable the specific rules that create the false positive, but in this case the trigger is that HTML/JS code is being submitted. So it is better to just disable ModSecurity for the specific URL that causes this error.

To do this, add the following code to the Apache VirtualHost entry for this website.

# Turn the ModSecurity engine off only for the two admin AJAX endpoints.
<If "%{REQUEST_URI} =~ m#/wp-admin/admin-ajax\.php#">
    SecRuleEngine Off
</If>

<If "%{REQUEST_URI} =~ m#/wp-admin/ajax\.php#">
    SecRuleEngine Off
</If>

This will disable ModSecurity for the URLs /wp-admin/admin-ajax.php and /wp-admin/ajax.php.
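Because the engine is switched off for every path the regex matches, it is worth checking the scope of the pattern before deploying it. The script below is an added example, not part of the original post: it compares an unanchored pattern with unescaped dots, a doubled-slash typo, and an escaped, end-anchored form against constructed request paths. It assumes the `<If>` regex is applied as an unanchored search on the request path, and that a subdirectory install (`/blog/`) is also meant to be exempt.

```python
import re

# Regex bodies as they would sit between m#...# in an Apache <If> expression.
# Assumption: the match is an unanchored search over the request path.
PATTERNS = {
    "loose": r"/wp-admin/admin-ajax.php",           # dots unescaped, no anchor
    "doubled-slash": r"//wp-admin/admin-ajax.php",  # constructed typo case
    "strict": r"/wp-admin/admin-ajax\.php$",        # escaped dot, end anchor
}

# Constructed request paths (query string already stripped).
SAMPLE_PATHS = [
    "/wp-admin/admin-ajax.php",
    "/blog/wp-admin/admin-ajax.php",
    "/wp-admin/admin-ajax.php.bak",
    "/wp-admin/admin-ajax-php",
    "/wp-admin/admin-ajax.php/extra",
    "/wp-admin/post.php",
]


def exempt_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths for which the <If> block would set SecRuleEngine Off."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def audit(intended, patterns=PATTERNS, paths=SAMPLE_PATHS):
    """Per pattern: intended paths it misses and extra paths it exempts."""
    report = {}
    for name, pattern in patterns.items():
        hit = set(exempt_paths(pattern, paths))
        report[name] = {
            "missed": sorted(set(intended) - hit),
            "unintended": sorted(hit - set(intended)),
        }
    return report


if __name__ == "__main__":
    intended = ["/wp-admin/admin-ajax.php", "/blog/wp-admin/admin-ajax.php"]
    for name, result in audit(intended).items():
        print(f"{name:14} missed={result['missed']} unintended={result['unintended']}")
```

A pattern with an empty `missed` and an empty `unintended` list exempts exactly the endpoints you meant to exempt; anything else either leaves the false positive in place or leaves more of the site without WAF coverage than intended.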

If instead you want to disable Mod_Sec completely for a specific domain in cPanel, you can learn how to do exactly that here.

Stefan Pejcic