mod_security (http://www.modsecurity.org/) is a PITA. We do not recommend its use. However, you may have this module forced on your by your webhost. Please tell us who your webhost is so we can make a list.
mod_security will scan requests in the most "stupid way" and block them if it "thinks" it might be a hacker trying to do somethign shady. (We made tests with the OWASP core basic rules and they logged tons of false positives with b2evolution…)
For example, if you want to display a graphic including stats on "admin" vs "public" pages,
mod_security might see "admin" in the HTTP request and decide someone is trying to hack the admin account, so it will decide to block the request.
mod_security has configuration files that are 10 000 + lines long. NO ONE gets them right. There are always compatibility problems with some web app / some new version.
If you cannot disable
mod_security, ask your host to fix the rules.
Created by • Last edit by on Apr 13, 2019