mod_security (http://www.modsecurity.org/) in a PITA. We do not recommend its use.
mod_security will scan requests in the most "stupidest way" and block them. (We made tests with the OWASP core basic rules and they logged tons of false positives with b2evolution…)
For example if you want to display a graphic including stats on "admin" vs "public" pages, mod_security might see "admin" inthe HTTP request and decide someone is trying to hack the admin account, so it will decide to block the request. mod_security has configuration files that are 10.000 + lines long. NO ONE gets them right. There are always compatibility problems with some web app / some new version.
Created by • Last edit by on Nov 26, 2015