Skip to main content
ModSecurity is the open-source web application firewall that sits in front of every site on Noxity hosting. It inspects every HTTP request against a rule set (we use the OWASP Core Rule Set) and blocks requests that match attack patterns: SQL injection, cross-site scripting, path traversal, common exploit fingerprints, etc. The cPanel ModSecurity tool lets you turn it on and off per domain, browse the rules, and exempt rules that false-positive on traffic you actually want. Open it from cPanel home → SecurityModSecurity.
ModSecurity page with toggle per domain

Per-domain toggle

The first tab lists every domain on the account with a switch:
  • On. ModSecurity inspects requests to this domain. This is the default and the recommended state.
  • Off. Requests pass through without inspection.
Turn it off only when a rule is breaking real functionality and you can’t isolate which one. Even then, prefer to exempt the specific rule rather than disable the firewall on the whole domain.

See which rules fire

The Hit List tab shows recent requests that ModSecurity blocked or flagged. Each row has:
  • Timestamp. When the request hit the rule.
  • Rule ID. The rule that fired (e.g. 949110 is the OWASP “anomaly score exceeded” rule).
  • IP address. Where the request came from.
  • Host. Which of your domains was the target.
  • URI. The path the attacker tried to hit.
  • Action. What ModSecurity did (deny, log, pass).
Click a row to see the full request body and the rule definition. Useful for two things: confirming the firewall is doing its job, and diagnosing false positives.

Exempt a rule

If a real visitor or your own legitimate WordPress plugin is tripping a rule, exempt the rule rather than disabling ModSecurity wholesale.
1

Find the Rule ID in the Hit List

Reproduce the failure, refresh the Hit List, copy the Rule ID of the row that matches.
2

Open the Hit List entry

Click the row. cPanel shows full context: the request body, the matched pattern, and a Disable Rule button.
3

Disable the rule

Click Disable Rule. cPanel writes an exemption that disables the rule for your account. The action is immediate, no restart needed.For per-domain or per-path exemptions (rather than account-wide), open a ticket; we’ll write a more targeted SecRuleRemoveById directive into your VirtualHost.

Common rule classes

Rule rangeWhat it catches
941xxxCross-site scripting (XSS) attempts
942xxxSQL injection
943xxxSession fixation
944xxxJava / Apache Struts exploits
949xxxAnomaly score thresholds (the “summary” rules)
980xxxOWASP CRS internal correlation rules
218xxx, 219xxxBot detection and rate limiting (vendor extensions)
A request can match several rules; the anomaly score adds them up and trips a single 949xxx block once it crosses the threshold.

Common issues

Some 942xxx SQL injection rules are aggressive about quote characters and SQL keywords. A user typing don’t in a contact form can match. The fix is a per-rule exemption (Disable Rule on the specific rule ID), not turning the firewall off.
File upload often triggers 941 (XSS) on filenames containing characters like <, >, ;. Rename the file before uploading, or exempt the upload endpoint via a ticket.
Page builders like Elementor and Divi POST big chunks of HTML and JavaScript that look like XSS to a generic rule. There’s a known set of rule IDs to exempt for each major builder; open a ticket with the page builder name and we’ll apply the standard exemptions.
ModSecurity is off on that domain (check the toggle), or the attack didn’t match a CRS rule. Layered defense (Imunify360, Cloudflare WAF) catches what the rule set misses.

Need a hand?