
Web Application Firewall (WAF) Basics


Protect your web applications from common exploits and vulnerabilities, such as SQL injection, cross-site scripting (XSS), and malware uploads, with Plesk's Web Application Firewall.

Understanding ModSecurity

The Plesk WAF is powered by ModSecurity. It acts as a shield between your website and the internet, inspecting all incoming traffic in real time and blocking suspicious requests before they reach your PHP scripts.

How to Adjust WAF Settings

  1. Go to Websites & Domains and find your domain's card.
  2. Click on Web Application Firewall (ModSecurity).
  3. You can toggle the firewall mode:
    • Off: Firewall is disabled (Not recommended).
    • Detection only: Monitors and logs suspicious activity without blocking it (Good for debugging).
    • On: Actively blocks malicious requests (Recommended for live sites).

False Positives: If your firewall is set to "On" and a legitimate action on your website (like saving a very large form in a CMS) suddenly returns a 403 Forbidden error, the WAF might be blocking it. You can check the WAF Logs to find the specific rule ID that blocked the action, and add that ID to the "Custom directives" exclusions.
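
To make the log check concrete, here is an added example (not part of the original article and not Plesk's own code) that pulls the rule IDs of blocked requests out of ModSecurity log lines for one path. The log lines are constructed samples, and the names `parse_line` and `blocked_rules` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format ModSecurity writes to the web server error
# log. Client IPs, hosts, paths and rule IDs are illustrative, not from a real site.
SAMPLE_LOG = '''\
[client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:content. [id "942100"] [msg "SQL Injection Attack Detected"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:content. [id "942100"] [msg "SQL Injection Attack Detected"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 1). Match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [hostname "192.0.2.5"] [uri "/"]
[client 203.0.113.10] ModSecurity: Warning. Pattern match at ARGS:title. [id "941100"] [msg "XSS Attack Detected"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[client 203.0.113.10] AH01071: Got error 'PHP message: notice'
'''

# ModSecurity metadata is written as [name "value"] pairs after the message text.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the metadata of one ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(TAG.findall(line))
    if "id" not in fields:
        return None
    # "Access denied" means the request was blocked (mode On);
    # "Warning." means it was only logged.
    fields["blocked"] = "Access denied" in line
    return fields


def blocked_rules(log_text, uri_prefix=""):
    """Count blocked requests per (rule ID, message) for URIs under uri_prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["blocked"] and event.get("uri", "").startswith(uri_prefix):
            hits[(event["id"], event.get("msg", ""))] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (rule_id, msg), count in blocked_rules(SAMPLE_LOG, "/wp-admin/"):
        print(f"rule {rule_id} blocked {count} request(s): {msg}")
```

Filtering by the path of the action that failed keeps unrelated blocks (such as the constructed `/` hit) out of the result, so only the rule that actually stopped the legitimate request is considered for exclusion. Read the rule's message and the request it matched before excluding the ID, since an exclusion switches that rule off for real attacks as well.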
