PanelAlpha Documentation

    # WAF/ModSecurity

    The WAF/ModSecurity tab allows you to configure ModSecurity, a powerful Web Application Firewall (WAF) that protects your WordPress instances from common web attacks.

    # Prerequisites

    • Admin access to the PanelAlpha interface and the Engine server's management pages.
    • ModSecurity compiled into the web server running on the Engine (LiteSpeed, Apache, or Nginx).

    # Overview

    ModSecurity is an open-source web application firewall that:

    • Monitors HTTP/HTTPS traffic in real time
    • Protects against common web vulnerabilities (SQL injection, XSS, etc.)
    • Uses rule sets to detect and block malicious requests
    • Provides detailed audit logging for security analysis

    # ModSecurity Mode

    ModSecurity can operate in three different modes:

    # Off

    • ModSecurity is completely disabled.
    • No traffic inspection or protection.
    • Use only for troubleshooting or testing.

    Warning: Setting the mode to Off disables all WAF protection.

    # Detection Only

    • ModSecurity monitors traffic and logs potential threats.
    • Does not block suspicious requests.
    • Useful for testing rule sets without impacting users.
    • Recommended when first implementing ModSecurity.

    # Blocking

    • ModSecurity actively blocks malicious requests.
    • Full protection enabled.
    • May require rule tuning to prevent false positives.
    • Recommended for production environments after testing.

    To change modes: select the desired mode in the dropdown menu and the system will apply the change immediately.

    # Rule Sets

    The Rule Sets section displays all available ModSecurity rule sets and their status:

    # OWASP Core Rule Set

    The primary rule set is listed with the following columns:

    • Rule Set — name of the rule collection (for example, "OWASP Core Rule Set")
    • Loaded Config Files — number of config files loaded versus total available (for example, 26 / 26)
    • Enabled — toggle switch to enable or disable the entire rule set

    OWASP Core Rule Set provides:

    • Protection against OWASP Top 10 vulnerabilities
    • SQL injection detection
    • Cross-site scripting (XSS) prevention
    • Local/remote file inclusion blocking
    • Command injection protection
    • Session fixation prevention

    For upstream details, see the OWASP Core Rule Set project.

    # Managing Rule Sets

    To enable or disable a rule set:

    1. Toggle the switch in the Enabled column.
    2. The change is applied immediately.
    3. Monitor your audit logs to verify effectiveness.

    Note: Disabling rule sets reduces your security protection. Only disable rules if they cause legitimate traffic to be blocked.

    # Adjusting Loaded Config Files

    Each rule set row includes a link on the Loaded Config Files count. Click the link to open the Loaded Config Files modal, which lists every ModSecurity config file (enabled files are pre-checked):

    • Uncheck a file to temporarily disable it without toggling the main rule set.
    • Check a file to re-enable it.
    • Save the changes; the UI immediately reflects the new set of loaded configs.

    This modal is the only way to selectively disable individual rule files while keeping the rule set enabled.

    # Audit Log Files

    The Audit Log Files section shows detailed logs of ModSecurity activity:

    # Log Information

    Each audit log entry displays:

    • File name — log file identifier (for example, audit.log)
    • Last Modified — how long ago the log was last updated (for example, "8 days ago")
    • Size — file size in MB (for example, "1.33 MB")
    • Actions:
      • [download] — download the log file for offline analysis
      • [preview] — view log contents directly in the browser

    # Viewing Audit Logs

    Audit logs contain detailed information about:

    • Blocked requests
    • Request headers and parameters
    • Triggered rules
    • Client IP addresses
    • Timestamps
    • Response actions taken

    Example log entry:

    [[DATE]:10:23:45 +0000] 192.168.1.50 - -
    "GET /wp-admin/admin-ajax.php?action=../../../etc/passwd HTTP/1.1"
    Rule 950000: Directory Traversal Attack
    Action: Blocked
    

    # Managing Audit Logs

    1. Download logs regularly for archival and analysis.
    2. Review logs to identify attack patterns.
    3. Tune rules based on false positives found in logs.
    4. Monitor size — large log files may indicate high attack volume.

    # Configuration Best Practices

    # Initial Setup

    1. Start with Detection Only mode.

      • Enable ModSecurity in Detection Only mode.
      • Monitor logs for 1–2 weeks.
      • Identify any false positives.
    2. Review Audit Logs.

      • Download and analyze audit logs.
      • Look for legitimate requests being flagged.
      • Create exceptions if needed.
    3. Switch to Blocking Mode.

      • After confirming no false positives.
      • Enable Blocking mode.
      • Continue monitoring logs.
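
An added example (not PanelAlpha's own code) for the log review described under Managing Audit Logs and Initial Setup: it lists rule/path pairs triggered by several different clients, which are the first places to look for legitimate requests being flagged. It assumes the downloaded audit.log uses ModSecurity's native serial layout (boundary lines ending in -A-- for the header, -B-- for the request, -H-- for rule messages, -Z-- for the end); the function names, the sample entries and the distinct-client heuristic are constructed for illustration.

```python
import re

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")     # e.g. --1a2b3c4d-A--
A_LINE = re.compile(r"^\[[^\]]+\] \S+ (\S+) \d+ \S+ \d+")  # time, id, src ip/port, dst ip/port
RULE_ID = re.compile(r'\[id "(\d+)"\]')                    # rule ids in section H

def parse_audit_log(text):
    """Yield (client_ip, path, rule_ids) per transaction; malformed ones are skipped."""
    sections, part = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            sections.get(part, []).append(line)   # lines outside a section are dropped
            continue
        part = m.group(2)
        if part == "A":
            sections = {}                         # a new transaction begins
        if part != "Z":
            sections[part] = []
            continue
        head = A_LINE.match("\n".join(sections.get("A", [])))
        req = "\n".join(sections.get("B", [])).split()
        if head and len(req) >= 2:
            ids = RULE_ID.findall("\n".join(sections.get("H", [])))
            yield head.group(1), req[1].split("?")[0], ids

def false_positive_candidates(text, min_clients=3):
    """Heuristic: (rule, path) pairs hit by many distinct clients deserve a manual look."""
    clients = {}
    for ip, path, ids in parse_audit_log(text):
        for rule_id in ids:
            clients.setdefault((rule_id, path), set()).add(ip)
    return {k: len(v) for k, v in clients.items() if len(v) >= min_clients}

def _entry(n, ip, request_line, rule_id):
    """Build one constructed transaction (sections A, B, H, Z); not real traffic."""
    b = f"--{n:08x}-"
    return (f"{b}A--\n[01/Jan/2025:10:00:0{n} +0000] tx{n} {ip} 40000 198.51.100.5 443\n"
            f"{b}B--\n{request_line}\nHost: blog.example\n\n"
            f'{b}H--\nMessage: Warning. [id "{rule_id}"]\n\n{b}Z--\n\n')

TRAVERSAL = "GET /wp-admin/admin-ajax.php?action=../../../etc/passwd HTTP/1.1"
SAMPLE_LOG = "".join([
    _entry(1, "192.0.2.10", "POST /wp-admin/post.php HTTP/1.1", "942100"),
    _entry(2, "192.0.2.11", "POST /wp-admin/post.php HTTP/1.1", "942100"),
    _entry(3, "192.0.2.12", "POST /wp-admin/post.php?post=7 HTTP/1.1", "942100"),
    _entry(4, "203.0.113.7", TRAVERSAL, "930100"),
    _entry(5, "203.0.113.7", TRAVERSAL, "930100"),
])
print(false_positive_candidates(SAMPLE_LOG))
```

A pair returned here is a candidate for review, not a verdict: confirm the requests are legitimate before creating an exception or unchecking a config file.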