Whitelist rule with LocationMatch

Sometimes you need disable ModSecurity rules in specific url or program, because it causes false positives. This tutorial we show how you can whitelist rule or rules with apache LocationMatch directive.

LocationMatch examples

WordPress admin

<locationmatch "/wp-(admin|login)/">
 SecRuleRemoveById 150005
 SecRuleRemoveById 150006


<locationmatch "/phpmyadmin/">
    SecRuleRemoveById 150005
    SecRuleRemoveById 150006

Depend your server configuration, like cPanel or DirectAdmin, you need add these in specific files:

cPanel: /etc/apache2/conf.d/modsec/modsec2.user.conf
DirectAdmin: /etc/modsecurity.d/ folder

More Details in LocationMatch directive in Apache Server Documentation.

Remember restart apache after modifications.

Final words

if you are not interesting write own ModSecurity rules, you can use Malware.Expert – Web Hosting ModSecurity rules