Hi could someone please tell me wear i find the logs for blocked I.Ps please. I have some customers getting blocked on there own site and need to know why.

usually these logs are modsec_audit.log and web-server error.log

I see in modsec_debug.log a lot of Access denied with code 403 and some customers get blocked when they click publish on there blogs,
how would i stop this from blocking them please.

you can just exclude the blocking rules.

Here you can find more detailed instructions:


Hi thanks for the replies how do i exclude some of the rules please.

Better dont use xss rules. All those rules are unreliable and for smooth functioning you should disable whole xss group.

Hi is that really best i have 96 of them active ?

Mostly XSS rules are responsible for these false positive. In your issue also its because of XSS.


You can exclude rules through CWAF plugin (‘Catalog’ tab, turn desired rules/groups off),
or through command line interface by running cwaf-cli.pl, located in scripts directory:

Usage: ./cwaf-cli.pl [arguments]

-h, --help         - this help message
-l, --domain_list  - show list of domains
-f, --force_domain - apply domain even if it not found

 Exclude rules:
  -d, --domain - set domain for exclude operation (global exclude list if not specified)
  -xa, --exclude_add [rule_ID1 rule_ID2...] - add rules to exclude list
  -xd, --exclude_del [rule_ID1 rule_ID2...] - remove rules from exclude list
  -xl, --exclude_list  - show list of excluded rules

If you use cPanel Vendor: Modsecurity Tools - Rules List - Search (ruleId) - Disable button.

Regards, Oleg

Ok thanks i will disable all 96 XSS rules on the plugin

Hi still get some customers who run forums getting this message below and i have disabled XSS rules

Several people have said they can get on the main page but can’t get
anywhere after that, they get a 403 or 404 error.

What did your logs said?

Hi do you mean the logs in modsec_debug.log

U need to look for path



Thanks downloading it now the file is 1.5Gb in size

There is no need to download. Something like “cat /usr/local/apache/logs/modsec_audit.log | grep username-of-account” can show you info. You can change command as per your need.

You can also use GUI provided in your WHM. Search for ModSecurity™ Tools and check inside

Hi so i just login via ssh and use cat /usr/local/apache/logs/modsec_audit.log | grep with any of the user names ?

You can use something like:

perl -ne ‘BEGIN { $/=“-Z–\n”; } print if /Forbidden/;’ /usr/local/apache/logs/modsec_audit.log

This will search for all forbidden error. Replace forbidden with IP address if you know client IP.