ModSecurity (our web application firewall) occasionally blocks legitimate requests, producing 403 or 500 errors. When this happens for a known trusted IP or range, you can whitelist those IPs so ModSecurity skips rule evaluation for their requests. This guide covers the different ways to whitelist IPs with ModSecurity on cPanel/Apache servers.
Always identify the specific rule that's triggering before whitelisting. Blindly whitelisting an IP from all ModSecurity rules removes firewall protection entirely for that source. In most cases, disabling the specific rule for that IP or domain is the better approach.
01. Identifying the Blocked Rule
Find the ModSecurity rule ID that's triggering:
# Search Apache error logs for ModSecurity entries
grep "ModSecurity" /var/log/apache2/error_log | tail -20
# Or search a specific account's error log
grep "ModSecurity" /home/username/logs/error.log | tail -10
The log entry contains the rule ID (e.g., [id "942100"]), the matched data, and the URI that triggered it. Note the rule ID - you'll need it for targeted exceptions.
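As an added example (not part of the original guide), the shell function below tallies ModSecurity log entries by rule ID, client IP, hostname and URI, so an exception can be scoped as narrowly as possible. It assumes the ModSecurity 2.x / Apache 2.4 error-log layout; the sample lines are constructed, and the names modsec_hits and sample_log are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): tally ModSecurity hits so an
# exception can be scoped to one rule ID, source IP, hostname and URI.

# Reads Apache error-log lines on stdin.
# Prints "count rule_id client_ip hostname uri", most frequent first.
modsec_hits() {
  awk '
    # Return the value of a [name "value"] field, or "-" if it is absent.
    function field(name,    re, s) {
      re = "\\[" name " \"[^\"]*\"\\]"
      if (!match($0, re)) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"\]$/, "", s)
      return s
    }
    /ModSecurity:/ {
      ip = "-"; rest = $0
      # Apache 2.4 may log [client ip:port] and [client ip]; keep the last one.
      while (match(rest, /\[client [^]]+\]/)) {
        ip = substr(rest, RSTART + 8, RLENGTH - 9)
        rest = substr(rest, RSTART + RLENGTH)
      }
      if (ip ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", ip)  # strip IPv4 port
      hits[field("id") " " ip " " field("hostname") " " field("uri")]++
    }
    END { for (k in hits) print hits[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines in the ModSecurity 2.x / Apache 2.4 error-log layout.
sample_log() {
  cat <<'EOF'
[Mon Mar 02 10:15:01.100000 2026] [:error] [pid 4101] [client 203.0.113.25:50112] [client 203.0.113.25] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "domain.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-1"]
[Mon Mar 02 10:15:09.200000 2026] [:error] [pid 4101] [client 203.0.113.25:50244] [client 203.0.113.25] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "domain.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "constructed-2"]
[Mon Mar 02 10:16:30.300000 2026] [:error] [pid 4102] [client 192.168.1.100:40022] ModSecurity: Access denied with code 403 (phase 2). [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "domain.com"] [uri "/contact.php"] [unique_id "constructed-3"]
[Mon Mar 02 10:17:00.400000 2026] [core:error] [pid 4102] [client 198.51.100.7:40000] AH00126: Invalid URI in request GET / HTTP/1.1
EOF
}

# On a server: modsec_hits < /var/log/apache2/error_log
sample_log | modsec_hits
```

Each output row maps onto a targeted exception: the rule ID for ctl:ruleRemoveById, the client IP for @ipMatch, and the hostname for a per-domain include.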
02. Whitelisting by IP Address
To whitelist one or more IPs from all ModSecurity rules, add a configuration to the ModSecurity custom rules file:
# Edit the custom rules file
vi /etc/apache2/conf.d/modsec/modsec2.user.conf
# Whitelist a single IP
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "id:1000001,phase:1,allow,nolog,ctl:ruleEngine=Off"
# Whitelist multiple IPs
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100,10.0.0.50,203.0.113.25" "id:1000002,phase:1,allow,nolog,ctl:ruleEngine=Off"
# Whitelist a CIDR range
SecRule REMOTE_ADDR "@ipMatch 192.168.1.0/24" "id:1000003,phase:1,allow,nolog,ctl:ruleEngine=Off"
After adding rules, restart Apache:
systemctl restart httpd
Each SecRule must have a unique id value. Use IDs in the 1000000+ range to avoid conflicts with OWASP CRS rules. If two rules share the same ID, ModSecurity will fail to load and Apache may not start.
03. Disabling Specific Rules
The better approach is to disable only the specific rule that's causing the false positive, rather than whitelisting the IP from everything:
# Disable a rule for a specific IP
# (explicit "pass": without it the rule inherits SecDefaultAction, which may be deny)
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "id:1000004,phase:1,pass,nolog,ctl:ruleRemoveById=942100"
# Disable a rule for a specific URI path
SecRule REQUEST_URI "@beginsWith /wp-admin/admin-ajax.php" "id:1000005,phase:1,pass,nolog,ctl:ruleRemoveById=942100"
# Disable a rule for a specific request cookie (e.g., idev affiliate cookie)
SecRuleUpdateTargetById 942100 "!REQUEST_COOKIES:idev"
The SecRuleUpdateTargetById approach is the most surgical - it removes a specific data source from a specific rule without disabling the entire rule.
04. Per-Domain Whitelist
To apply a whitelist only to a specific domain (useful on shared servers):
# Create a per-domain include
mkdir -p /etc/apache2/conf.d/userdata/std/2_4/username/domain.com/
vi /etc/apache2/conf.d/userdata/std/2_4/username/domain.com/modsec.conf
# Content:
<IfModule mod_security2.c>
SecRuleRemoveById 942100
SecRuleRemoveById 941100
</IfModule>
# Rebuild Apache config and restart
/usr/local/cpanel/scripts/rebuildhttpdconf
systemctl restart httpd
05. WHM ModSecurity Interface
WHM provides a graphical interface for managing ModSecurity rules:
- WHM > Security Center > ModSecurity Tools - View recent hits and rule triggers
- Rules List - Search for and disable specific rules by ID
- Hits List - See recent blocks with full request details, source IPs, and rule IDs
The WHM interface is useful for reviewing what's being blocked, but for complex whitelisting (per-IP, per-domain, conditional), the configuration file approach is more flexible.
Quick Recap: ModSecurity IP Whitelisting
- Find the rule ID - Check the Apache error log for the ModSecurity entry
- Prefer targeted exceptions - Disable the specific rule rather than all rules for the IP
- Use unique IDs - Every custom SecRule needs a unique ID (1000000+ range)
- Per-domain configs - Use userdata includes for domain-specific exceptions
- Restart Apache - Always restart after modifying ModSecurity configuration
Last updated March 2026
