How do I enable Extra Web Security for my website?

mod_security is a Web Application Firewall (WAF) that filters and blocks known malicious HTTP requests. Blocked HTTP requests include many, but not all forms of Brute Force, Cross-Site Scripting (XSS), Remote File Inclusion (RFI) , Remote Execution, and SQL injection (SQLi) attacks.

DreamHost enables mod_security for free by default. You can enable/disable this feature using the 'Extra Web Security' option in the panel.

Where to enable this feature?

There are two sections in the panel this can be added:

  • On the 'Manage Domains' page
  • When editing SSL settings

Enabling mod_security on the 'Manage Domains' page

  1. Navigate to the (Panel > ‘Domains’ > ‘Manage Domains’) page.
  2. To the right of your domain, click the Edit button.
    The ‘Manage Domains’ page appears:
    Mod security enable.fw.png
    • Under the ‘Web Options’ section, the checkbox titled ‘Extra Web Security?’ is enabled by default.
  3. If you wish to disable mod_security, un-check this box and save the change(s).

The Extra Web Security option enables the use of a special security module for your website. Many common attacks that can compromise your website are blocked by this option, but there are no guarantees that all attacks will be prevented. With Extra Web Security enabled, DreamHost proactively ensures that the most commonly known attacks are prevented.

Enabling mod_security when editing SSL settings

If you have an SSL certificate on your domain, there is another section of the panel you can enable 'Extra Web Security'. 

  1. Navigate to the (Panel > ‘Domains’ > ‘Manage Domains’) page.
  2. To the right of your domain, click the 'https On' link. This is under the column titled 'Security'.
  3. On this page is a checkbox titled 'Copy non-secure settings?'. In most cases you want this checked. If for some reason you wish to not mirror insecure settings, make sure to also check 'Extra Web Security' in this section.
  4. Click Edit https now! when finished editing your settings.

mod_security related log entries

DreamHost uses the HTTP response code 418. If you see 418 response codes in your access.log files, it means that the request was blocked by mod_security. However, this may not mean a specific visitor was blocked, but rather a request to your website. You need to read your log entries to determine what caused the 418 error.

Further details related to the block are often in the corresponding date stamped error.log entry. If you are having trouble deciphering why you are getting a 418 error in your log files, please don’t hesitate to contact support at (DreamHost Panel > 'Support' > 'Contact Support').

DreamHost mod_security rules

While a majority of DreamHost’s mod_security rule set is custom created as threats emerge, the base of DreamHost’s mod_security rule set comes from the OWASP mod_security Core Rules Set.

An important note about modifying .htaccess mod_security rules

Disabling and modifying of mod_security rules via .htaccess is not supported at this time.

See also

Internal links

External links

Did this article answer your questions?

Article last updated .