We often have requests to configure the “best rules” for mod_security. Mod_security is a popular Apache plugin that serves as a Web Application Firewall, screening requests coming in to the webserver based on a set of configurable rules. Because every website and application has slightly different circumstances, which will require some fine-tuning of the rules, there is no "best" ruleset. However, I want to share the rules below, which are a good basic set to use on a web server to enhance security. You should copy the entire text of these rules (or whichever rules you would like to activate) into your*modsec2.user.conf*configuration file, or the configuration file your mod_security installation has setup for user-configurable rules. If you do not have mod_security installed, it's very easy to configure with ConfigServer's free ModSecurity plugin for cPanel. Try the rules below, for example: For the full ruleset, which is difficult to post due to its "explicit" content, and additional rules for securing against SQL injection attacks, check the updated mod_security rules in our knowledgebase. Of course, like I mentioned, every application has different web security needs. What do you think about mod_security's effectiveness and ease of use?