This guide explains how to manage the Web Application Firewall, also called WAF or ModSecurity, from your DirectAdmin hosting control panel.
The WAF helps protect your website from common malicious requests, suspicious form submissions, injection attempts, and automated attacks. In most cases, you should leave it enabled.
When Should I Change WAF Settings?
You may need to review the WAF settings if:
- A legitimate form submission is being blocked.
- A plugin, CMS admin page, or checkout process returns a 403, 406, or similar error.
- A developer asks whether ModSecurity is blocking a request.
- Support asks you to locate the blocked rule ID.
How to Access the Web Application Firewall
- Log in to your DirectAdmin control panel.
- Make sure you are at the User access level.
- Go to Advanced Features.
- Click Web Application Firewall.
Depending on your DirectAdmin theme or version, this may also appear as ModSecurity.
Choosing the Correct Domain or Subdomain
If your hosting account has more than one domain, select the domain or subdomain you want to manage.
WAF settings may be handled separately for each domain and subdomain. For example, changing the WAF setting for example.com may not automatically change the setting for shop.example.com.
Recommended Setting
For normal website use, keep the WAF set to:
Enabled
This allows the firewall to inspect website requests and block suspicious traffic.
Temporarily Disabling the WAF
Only disable the WAF when troubleshooting a specific issue.
- Open Advanced Features → Web Application Firewall.
- Select the affected domain or subdomain.
- Change the WAF status to Disabled.
- Save the change.
- Test the action that was previously failing.
- Re-enable the WAF after testing.
Viewing Blocked Requests
The WAF page may show recent blocked requests. These logs can help identify what was blocked. Select the Audit Log for the affected domain.
Look for details such as:
- Date and time of the blocked request
- The affected domain
- The requested URL
- Your IP address
- The rule ID
- The reason or message shown by the firewall
The most important item is usually the rule ID. Support can use this to create a safer exception.
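If the Audit Log view gives you the raw ModSecurity entry, the details listed above can be pulled out of it with a short script. This is an added example, not code from DirectAdmin or your hosting provider; it assumes the entry uses ModSecurity's native multi-section audit-log layout, the sample entry is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample entry in ModSecurity's native audit-log layout
# (sections A, B, F, H, Z). Every value here is made up for illustration.
SAMPLE = """\
--a1b2c3d4-A--
[12/Mar/2024:14:15:02 +0000] ZfBq1n8AAAEAAB 203.0.113.7 51234 198.51.100.10 443
--a1b2c3d4-B--
POST /contact HTTP/1.1
Host: example.com

--a1b2c3d4-F--
HTTP/1.1 406 Not Acceptable
--a1b2c3d4-H--
Message: Access denied with code 406 (phase 2). Pattern match at ARGS:message. [file "/path/to/rules.conf"] [line "10"] [id "123456"] [msg "Constructed sample rule"]
Message: Warning. Constructed second match. [id "123457"] [severity "NOTICE"]
--a1b2c3d4-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def split_sections(entry):
    """Map each section letter to the list of lines that follow its boundary."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None:
            current.append(line)
    return sections

def summarize(entry):
    """Extract time, client IP, domain, URL and rule IDs for a support request."""
    s = split_sections(entry)
    a = re.match(r"\[([^\]]+)\]\s+\S+\s+(\S+)", s["A"][0])  # [time] id client_ip
    method, url, _ = s["B"][0].split(" ", 2)                 # request line
    host = next((l.split(":", 1)[1].strip() for l in s["B"]
                 if l.lower().startswith("host:")), None)
    rules = []
    for line in s.get("H", []):
        if line.startswith("Message:"):
            rid = re.search(r'\[id "(\d+)"\]', line)
            msg = re.search(r'\[msg "([^"]*)"\]', line)
            if rid:  # a rule may log an id without a msg tag
                rules.append((rid.group(1), msg.group(1) if msg else ""))
    return {"time": a.group(1), "client_ip": a.group(2), "domain": host,
            "method": method, "url": url, "rules": rules}

print(summarize(SAMPLE))
```

A single blocked request can list more than one rule ID; report all of them to support rather than only the first.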
Disabling a Specific WAF Rule
If a legitimate website action is being blocked, you may be able to disable only the specific rule causing the issue.
- Open Advanced Features → Web Application Firewall.
- Select Audit Log next to the affected domain or subdomain.
- Review the blocked request log.
- Locate the rule ID related to the blocked request.
- Add that rule ID to the disabled rules list.
- Save the change.
- Test the website action again.
This is safer than disabling the entire WAF.
Example Troubleshooting Process
If your contact form is blocked:
- Try submitting the form again.
- Note the exact time of the test.
- Open Web Application Firewall in DirectAdmin.
- Check the recent blocked requests.
- Look for a blocked request at the same time.
- Note the rule ID and request URL.
- Contact support with those details.
What to Send to Support
When contacting support about a WAF issue, please include:
- The domain name
- The page or URL where the issue happened
- What you were trying to do
- The approximate date and time
- The error message shown in your browser
- Your public IP address, if available
- The WAF rule ID, if shown in DirectAdmin
Example Support Request
I was submitting the contact form on example.com/contact at about 2:15 PM. The page returned a 406 error. My IP address was x.x.x.x. DirectAdmin showed WAF rule ID 123456 being triggered.
Best Practices
- Keep the WAF enabled whenever possible.
- Disable only the specific rule that is causing a confirmed false positive.
- Do not disable rules based on random advice from forums or plugin vendors without reviewing the blocked request.
- Re-enable the WAF after temporary testing.
- Keep your website software, themes, and plugins updated.
- Contact support if you are unsure which rule to disable.
Important Note
Some WAF settings may be controlled globally by the hosting provider. If a setting is locked, unavailable, or you are unsure what to change, please contact support for assistance.