Managing the Web Application Firewall in DirectAdmin

This guide explains how to manage the Web Application Firewall, also called WAF or ModSecurity, from your DirectAdmin hosting control panel.

The WAF helps protect your website from common malicious requests, suspicious form submissions, injection attempts, and automated attacks. In most cases, you should leave it enabled.


When Should I Change WAF Settings?

You may need to review the WAF settings if:

  • A legitimate form submission is being blocked.
  • A plugin, CMS admin page, or checkout process returns a 403, 406, or similar error.
  • A developer asks whether ModSecurity is blocking a request.
  • Support asks you to locate the blocked rule ID.
Important: You should not disable the WAF permanently unless instructed by support. Disabling it reduces the protection on your website.

How to Access the Web Application Firewall

  1. Log in to your DirectAdmin control panel.
  2. Make sure you are in User access level.
  3. Go to Advanced Features.
  4. Click Web Application Firewall.

Depending on your DirectAdmin theme or version, this may also appear as ModSecurity.


Choosing the Correct Domain or Subdomain

If your hosting account has more than one domain, select the domain or subdomain you want to manage.

WAF settings may be handled separately for each domain and subdomain. For example, changing the WAF setting for example.com may not automatically change the setting for shop.example.com.


Recommended Setting

For normal website use, keep the WAF set to:

Enabled

This allows the firewall to inspect website requests and block suspicious traffic.


Temporarily Disabling the WAF

Only disable the WAF when troubleshooting a specific issue.

  1. Open Advanced Features → Web Application Firewall.
  2. Select the affected domain or subdomain.
  3. Change the WAF status to Disabled.
  4. Save the change.
  5. Test the action that was previously failing.
  6. Re-enable the WAF after testing.
Tip: If the action works only while the WAF is disabled, the best fix is usually to disable the specific rule that caused the false positive rather than leave the entire WAF disabled.

Viewing Blocked Requests

The WAF page may show recent blocked requests. These logs can help identify what was blocked. Select the Audit Log for the affected domain.

Look for details such as:

  • Date and time of the blocked request
  • The affected domain
  • The requested URL
  • Your IP address
  • The rule ID
  • The reason or message shown by the firewall

The most important item is usually the rule ID. Support can use this to create a safer exception.


Disabling a Specific WAF Rule

If a legitimate website action is being blocked, you may be able to disable only the specific rule causing the issue.

  1. Open Advanced Features → Web Application Firewall.
  2. Select Audit Log next to the affected domain or subdomain.
  3. Review the blocked request log.
  4. Locate the rule ID related to the blocked request.
  5. Add that rule ID to the disabled rules list.
  6. Save the change.
  7. Test the website action again.

This is safer than disabling the entire WAF.


Example Troubleshooting Process

If your contact form is blocked:

  1. Try submitting the form again.
  2. Note the exact time of the test.
  3. Open Web Application Firewall in DirectAdmin.
  4. Check the recent blocked requests.
  5. Look for a blocked request at the same time.
  6. Note the rule ID and request URL.
  7. Contact support with those details.
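The two steps above that matter most, reading the blocked-request log and matching a block to the time of your test, can be done over the raw ModSecurity log as well. The following is an added example, not part of this guide and not DirectAdmin's own code; it assumes the audit log is available in the standard ModSecurity 2.x Apache error-log line format, and the three sample entries are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample entries in the ModSecurity 2.x (Apache) error-log
# format; made up for this example, not taken from a real server.
SAMPLE_LOG = """\
[Tue Mar 05 14:10:40.100000 2024] [:error] [pid 2101] [client 203.0.113.7:51020] ModSecurity: Warning. Pattern match "x" at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "10"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "shop.example.com"] [uri "/search"] [unique_id "req-a"]
[Tue Mar 05 14:15:02.250000 2024] [:error] [pid 2102] [client 198.51.100.23:40212] ModSecurity: Warning. Pattern match "x" at ARGS:message. [file "/etc/modsecurity/rules.conf"] [line "40"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "example.com"] [uri "/contact"] [unique_id "req-b"]
[Tue Mar 05 14:15:02.250100 2024] [:error] [pid 2102] [client 198.51.100.23:40212] ModSecurity: Access denied with code 406 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.com"] [uri "/contact"] [unique_id "req-b"]
"""

TS_RE = re.compile(r"^\[(\w{3} \w{3} \d\d \d\d:\d\d:\d\d)\.\d+ (\d{4})\]")
CLIENT_RE = re.compile(r"\[client (\d+\.\d+\.\d+\.\d+)(?::\d+)?\]")
DENIED_RE = re.compile(r"Access denied with code (\d+)")

def field(line, name):
    """Value of a bracketed [name "value"] field, or None if absent."""
    m = re.search(r'\[%s "([^"]*)"\]' % re.escape(name), line)
    return m.group(1) if m else None

def parse_entries(text):
    """Pull out the items the guide lists (time, domain, URL, IP, rule ID, message)."""
    entries = []
    for line in text.splitlines():
        ts, client = TS_RE.match(line), CLIENT_RE.search(line)
        if not (ts and client and "ModSecurity:" in line):
            continue  # not a ModSecurity entry
        denied = DENIED_RE.search(line)
        entries.append({
            "time": datetime.strptime(f"{ts.group(1)} {ts.group(2)}", "%a %b %d %H:%M:%S %Y"),
            "client_ip": client.group(1),
            "hostname": field(line, "hostname"), "uri": field(line, "uri"),
            "rule_id": field(line, "id"), "msg": field(line, "msg"),
            "unique_id": field(line, "unique_id"),
            # HTTP status is present only on the entry that actually blocked the request
            "status": int(denied.group(1)) if denied else None,
        })
    return entries

def find_blocked(entries, hostname, when, window_seconds=60):
    """Blocks for `hostname` within +/- window of the test time, each paired with the
    other entries of the same request (same unique_id): under anomaly scoring the
    denying rule only sums scores; the rules that matched the form data come first."""
    window = timedelta(seconds=window_seconds)
    result = []
    for b in entries:
        if b["status"] and b["hostname"] == hostname and abs(b["time"] - when) <= window:
            same = [e for e in entries if e is not b and e["unique_id"] == b["unique_id"]]
            result.append((b, same))
    return result
```

Run it over the time you noted in step 2 and the paired warning entries show which rule ID to report to support, rather than only the anomaly-score rule that issued the 406.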

What to Send to Support

When contacting support about a WAF issue, please include:

  • The domain name
  • The page or URL where the issue happened
  • What you were trying to do
  • The approximate date and time
  • The error message shown in your browser
  • Your public IP address, if available
  • The WAF rule ID, if shown in DirectAdmin

Example Support Request

I was submitting the contact form on example.com/contact at about 2:15 PM. The page returned a 406 error. My IP address was x.x.x.x. DirectAdmin showed WAF rule ID 123456 being triggered.

Best Practices

  • Keep the WAF enabled whenever possible.
  • Disable only the specific rule that is causing a confirmed false positive.
  • Do not disable rules based on random advice from forums or plugin vendors without reviewing the blocked request.
  • Re-enable the WAF after temporary testing.
  • Keep your website software, themes, and plugins updated.
  • Contact support if you are unsure which rule to disable.
Note: The WAF is an added layer of protection, not a replacement for website maintenance, updates, secure passwords, or regular backups.

Important Note

Some WAF settings may be controlled globally by the hosting provider. If a setting is locked, unavailable, or you are unsure what to change, please contact support for assistance.
