Host does not run mod_security

[martcol]

Hello,

I recently changed my hosting and had a problem with one of my domains. I raised a ticket with the host and they fixed it and this is what they said the problem was:

The SecFilter line in your htaccess was causing a 500 error - I've removed it (it's not needed as we don't run mod_security)

Well, whatever they did got the site up OK but now I don't know if it is a good thing or a bad thing that this host does not run mod_security. I have tried reading up on it but it is a bit too techie for me.

If anyone could tell me a bit about it I would be grateful and failing that, on a scale of 1 to 10, how much should I be concerned?

Thanks

Martin

[mattmac]

I'd be at a 3 but you should familiarize yourself with a bit of what mod_security did for you in the past and make sure your website code is safe from things like sql injection and cross site scripting. Many hosts do not run mod_security because it can be a pain to manage. It can impose limits to how much data a form can submit for example which would make many clients admin tools or wysiwyg page editors break.

[martcol]

Thank you for taking the time to reply.

A 3 isn't bad!

I'm steadily learning this stuff and have done what I can to make the site secure so with the other things in place, I think I'll sleep easy.

Martin

[mmj]

Security is unfortunately very complex and just enabling a module cannot solve all your security problems. As has been mentioned, look out for SQL injection and cross site scripting vulnerabilities in your code, as those are some of the most common security problems. While mod_security claims to be able to help prevent these, it cannot ultimately be responsible for preventing all SQL injection or CSS attacks since it would need to make assumptions about your application - more than anything, when it does work it's just as likely to interfere with your site's ability to accept certain input (may not be noticed on certain sites). If you are using scripts you've obtained from elsewhere, be very sure you always keep them updated with the latest security updates. And keep good backups.

[martcol]

Thanks for chipping in...

I have done my best with security and followed as much of the advice that I can understand. I have some plugins like the password lock-down, security scan and a firewall. I've moved my wp-config, password protected my admin folder, got rid of the admin login username and use long, meaningless passwords. Phew!

Oh, and I take back-ups and keep things updated.

Martin

[martcol]

Security is unfortunately very complex...

Oh yeah!

[brianoz]

If the host doesn't run mod_security, they're ignorant about security, or don't care.

Mod_security is useful as it's another layer of protection - it covers you against 0-day exploits until you get time to update your website's code.

A good host can also couple mod_security with the firewall so that multiple hits cause an IP to be blocked.

We're a host and we do run mod_security, and it is coupled with our firewall; I'm sure we're not along although I realize many hosts don't do stuff like this.

By the way, they should also have the server hardened, and if they haven't you should choose another host. Just my opinion

[martcol]

Thanks

Martin

[brianoz]

Just to clarify - mod_security is not an all-in-all solution, but it does help. It's an important layer in a multi-layered solution, including keeping your software up to date as well as ensuring you watch for sql injection and other forms of attack.

Mod_security can impact sites, no question of that, though a good host can minimize impact by switching off the rules your site is hitting. Unfortunately the typical approach to mod_security issues is to turn it off for the entire site, usually a pity.

It's a battlefield out there these days, keeping sites secure requires a variety of solutions.