~3 min read • Updated Feb 20, 2026
1. What Is ModSecurity 3?
ModSecurity 3 is a powerful open-source Web Application Firewall (WAF) designed to protect servers against common web attacks such as SQL Injection, XSS, RCE, and more.
Key differences from ModSecurity 2:
- ModSecurity 3 is no longer an Apache module — it is a standalone library.
- It requires a connector (Apache or NGINX) to function.
- Supports OWASP Core Rule Set (CRS).
- It is experimental and requires the Experimental Repository.
Compatibility:
- Works with both Apache and NGINX.
- Available in cPanel & WHM version 112 and above.
2. Installing ModSecurity 3
Method 1 – Install via WHM (Recommended)
Navigate to:
WHM → Home → Software → EasyApache 4
Under Customize, choose:
- Apache Modules or NGINX Modules
Install the following packages:
- ea-modsec30-connector-nginx — for NGINX
- ea-modsec30-connector-apache24 — for Apache
- ea-modsec30-rules-owasp-crs — OWASP CRS ruleset
Click Provision.
Method 2 – Install via Command Line
# NGINX
yum install ea-modsec30-connector-nginx
# Apache
yum install ea-modsec30-connector-apache24
# OWASP CRS (required for both)
yum install ea-modsec30-rules-owasp-crs
3. ModSecurity 3 Configuration Files
If Using NGINX
| Path | Description |
|---|---|
| /etc/nginx/conf.d/modsec30.conf | Default config + includes for cPanel and user configs |
| /etc/nginx/conf.d/modsec/modsec30.cpanel.conf | Rules and settings defined via WHM/cPanel |
| /etc/nginx/conf.d/modsec/modsec30.user.conf | User-level manual overrides (edit with caution) |
| /etc/nginx/conf.d/modsec_vendor_configs/ | Vendor (third‑party) rule sets |
| /var/log/nginx/modsec30_audit/ | ModSecurity audit logs (Concurrent Logging) |
If Using Apache
| Path | Description |
|---|---|
| /etc/apache24/conf.d/modsec30.conf | Default config + includes |
| /etc/apache2/conf.d/modsec2.cpanel.conf | cPanel-generated rules (name kept for compatibility) |
| /etc/apache2/conf.d/modsec/modsec2.user.conf | User-level manual overrides |
| /etc/apache2/logs/modsec_audit/ | Audit logs (Concurrent or Serial depending on MPM) |
Warning: Only edit user.conf files if absolutely necessary — incorrect rules may break websites.
4. Key Differences Between ModSecurity 2 and ModSecurity 3
| Feature | ModSecurity 2 | ModSecurity 3 (NGINX) | Notes |
|---|---|---|---|
| SecDataDir | Supported | Not supported | — |
| SecConnEngine | Supported | Not supported | — |
| SecDisableBackendCompression | Supported | Not supported | — |
| SecGsbLookupDb | Supported | Not supported | — |
| SecGuardianLog | Supported | Not supported | — |
| Response Code | Usually 403 | Sometimes 406 | NGINX behavior differs |
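A pre-migration check for the table above, as an added example (not part of cPanel's or ModSecurity's own tooling): it scans rule files for the five directives listed as not supported under ModSecurity 3 on NGINX. The function name `find_unsupported` is an assumption made for this example, and the path in the usage comment comes from section 3.

```shell
#!/bin/sh
# Directives the table lists as "Not supported" in ModSecurity 3 (NGINX).
UNSUPPORTED="SecDataDir SecConnEngine SecDisableBackendCompression SecGsbLookupDb SecGuardianLog"

# find_unsupported FILE...   (hypothetical helper, added for illustration)
# Prints "file:line:directive" for each active use of an unsupported
# directive. Returns 0 if none were found, 1 if any were found, and
# 2 if a file cannot be read.
find_unsupported() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
        awk -v file="$f" -v list="$UNSUPPORTED" '
            BEGIN {
                # Build a lookup set of lower-cased directive names.
                n = split(tolower(list), d, " ")
                for (i = 1; i <= n; i++) bad[d[i]] = 1
            }
            /^[ \t]*#/ { next }   # commented-out directives are inert
            # Compare the first token case-insensitively: files carried
            # over from Apache may spell directives in any case.
            NF && (tolower($1) in bad) {
                printf "%s:%d:%s\n", file, NR, $1
                found = 1
            }
            END { exit (found ? 1 : 0) }
        ' "$f" || rc=1
    done
    return $rc
}

# Usage (path from section 3):
#   sh check.sh /etc/nginx/conf.d/modsec/modsec30.user.conf
if [ "$#" -gt 0 ]; then
    find_unsupported "$@"
fi
```

A non-zero exit makes the function usable as a gate in a provisioning script before switching a server from the ModSecurity 2 rule files to the NGINX connector.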
5. NGINX Standalone (Legacy Experimental Feature)
NGINX Standalone replaces Apache as the primary web server. Apache is moved to ports 81 (HTTP) and 444 (HTTPS). Static content is served directly by NGINX, while dynamic content (PHP, etc.) is proxied to Apache.
Requirements
- EasyApache 4
- Experimental Repository: yum install ea4-experimental
- PHP-FPM enabled
- ea-ruby27-mod_passenger for Passenger apps
Install
yum --enablerepo=EA4-experimental install ea-nginx-standalone
Uninstall
yum erase ea-nginx-standalone
Important Changes After Installation
- Apache ports: 81 (HTTP) and 444 (SSL)
- Main NGINX config: /etc/nginx/conf.d/ea-nginx.conf
- Logs: /var/log/nginx/domains/domain.com and domain.com-ssl_log
- Dynamic content proxied to Apache
Limitations
- WordPress Pretty Permalinks do not work without custom NGINX rules.
- .htaccess is not supported and must be rewritten in NGINX syntax.
- WordPress Multisite is not supported.
Conclusion
ModSecurity 3 provides a modern, flexible WAF solution for both Apache and NGINX in cPanel & WHM, but it remains experimental and requires careful configuration. NGINX Standalone offers performance benefits but comes with significant limitations. Understanding these components helps administrators deploy secure and optimized hosting environments.
Written & researched by Dr. Shahin Siami