In the Virtualmin Security FAQ ( mod_security is mentioned.

Does anyone have a FAQ on “how to install/use/configure mod_security for Virtualmin” that doesn’t break most websites/Wordpress/etc???


We don’t have a tutorial regarding mod_security. However, any of the tutorials you find out on the Internet should apply to a server with Virtualmin as well.

Distros like Ubuntu and Debian provide a mod_security package with a basic set of security rules configured.

If you’re using one of those distros, you could always install the mod_security package and see it things continue to work well afterwards. You may want to install it on a test server first – though if it doesn’t work, it should just be a matter of uninstalling it, or disabling the mod_security Apache module.

Did you have any problems trying to get it working?


Oh, I got it installed and working (had to use the 2.2.5 version of the OWASP CRS found at…

The problem is THE RULES… even just the “base_rules” would cause Wordpress to mess up when installing/running plugins.

The optional_rules and slr_rules messed up even more, and the experimental_rules… nearly break everything.

I guess I’m gonna have to purchase the mod_security rules package from Atomic Turtle, because I can’t find anyone that has a “safe” base_rules set.