WordPress ModSecurity Rule Set (WPRS) Problem

I wanted to add this to my LiteSpeed server. After enabling ModSecurity I went to /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master and downloaded

clone GitHub - Rev3rseSecurity/wordpress-modsecurity-ruleset: ModSecurity Rule Set for WordPress (WPRS)

I have now

/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/wordpress-modsecurity-ruleset

(folder)

So I went to

/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf

I added:

include /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/wordpress-modsecurity-ruleset/01-SETUP.conf
include /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/wordpress-modsecurity-ruleset/02-INITIALIZATION.conf
include /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/wordpress-modsecurity-ruleset/03-BRUTEFORCE.conf
include /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/wordpress-modsecurity-ruleset/04-EVENTS.conf
include /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/wordpress-modsecurity-ruleset/05-HARDENING.conf
include /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/wordpress-modsecurity-ruleset/99-TEST.conf
I rebooted the system after setting up the configs for owasp-modsecurity,
and I could see the config files in

firewall/modSecRulesPacks

So I went to my WordPress site over a VPN and tried things like logging in more than 3 times and visiting certain web pages, but it seems there is no ban, nothing; it's like there are no security rules at ALL.

Please help me install

GitHub - Rev3rseSecurity/wordpress-modsecurity-ruleset: ModSecurity Rule Set for WordPress (WPRS)

Thank you
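Before looking for a rule that did not fire, it is worth checking that the master config actually reaches the rule files. The script below is an added example, not part of the original post or the WPRS project: it reads every "include" line from a ModSecurity master config (such as owasp-master.conf), lists targets that do not exist or are unreadable, and checks whether "SecRuleEngine On" appears anywhere in the chain (a real ModSecurity directive, but one the post does not mention). Paths in the fixture are constructed in a temp directory so it runs offline; pass a real config path as the first argument to check a live server.

```shell
#!/bin/sh
# Print the target path of every "include"/"Include" line in a config file.
# Assumes one path per line without spaces, as in the post's owasp-master.conf.
included_paths() {
    awk 'tolower($1) == "include" { print $2 }' "$1"
}

# Print each include target that is missing or not readable by this user.
missing_includes() {
    included_paths "$1" | while read -r p; do
        [ -r "$p" ] || printf '%s\n' "$p"
    done
}

# Succeed (exit 0) if the master file or any readable include target turns
# the engine on; with SecRuleEngine Off or DetectionOnly nothing is blocked.
rule_engine_on() {
    { printf '%s\n' "$1"; included_paths "$1"; } \
    | while read -r f; do
        [ -r "$f" ] && grep -iE '^[[:space:]]*SecRuleEngine[[:space:]]+On([[:space:]]|$)' "$f"
      done | grep -q .
}

# Constructed fixture (not a real ruleset): two rule files exist, one is
# referenced but missing, mirroring a half-applied clone. Prints the conf path.
make_fixture() {
    dir=$(mktemp -d)
    rs="$dir/wordpress-modsecurity-ruleset"
    mkdir -p "$rs"
    printf 'SecRuleEngine On\n' > "$rs/01-SETUP.conf"
    printf '# placeholder rule file\n' > "$rs/02-INITIALIZATION.conf"
    cat > "$dir/owasp-master.conf" <<EOF
include $rs/01-SETUP.conf
include $rs/02-INITIALIZATION.conf
include $rs/03-BRUTEFORCE.conf
EOF
    printf '%s\n' "$dir/owasp-master.conf"
}

# Use the config given on the command line, or the fixture when none is given.
conf="${1:-$(make_fixture)}"
echo "Checking include targets in $conf"
missing_includes "$conf" | sed 's/^/MISSING: /'
if rule_engine_on "$conf"; then
    echo "SecRuleEngine On found in the chain"
else
    echo "WARNING: SecRuleEngine On not found; rules would not block anything"
fi
```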

The ruleset you mentioned above is 4 years old, and I would not recommend having this on top of the latest OWASP core ruleset.

There are many better ways to secure your WordPress installation.

Make use of the Perfmatters WordPress plugin
QUIC.cloud anti-DDoS feature
Block XML-RPC using QUIC.cloud
and all the others mentioned over here can be achieved using QUIC.cloud and Cloudflare combined.
You can also use the Sucuri WordPress plugin to get alerts if someone tries to log in to your WordPress dashboard, and more such features.

Do you know that both Sucuri paid + QUIC.cloud paid will cost me over $220 per year?
That's why I'm looking for something that also won't drain my server like iThemes or QUIC.cloud or any WordPress plugin, and that would be on the server, because mine is a WooCommerce store and you know if it's slow or has problems I'd lose all of my clients. I already have Cloudflare, but I want to secure the server with some rules, and the rules that came with CyberPanel are not blocking or protecting my WooCommerce store.
With the OWASP core ruleset, for example, there is no ban if there are more than 3 login attempts that failed, etc…
Thank you

The Sucuri plugin I referred to is available free at wordpress.org, and QUIC.cloud is completely free (even the CDN is offered free for all OpenLiteSpeed and LiteSpeed users, minimum 10Gb per month per website). They also provide a completely free unlimited CDN with 6 PoP locations.

So, I don't know where you got this figure of $220 per year.

Secondly, it's not as easy as configuring the WordPress OWASP ruleset just by cloning the git repo. It needs a lot of manual configuration too to attain the objective. And it is a 4-year-old ruleset; a lot has changed in WordPress security, and using an old ruleset will do more harm than having none.


$220 = Sucuri paid version and Perfmatters WordPress plugin paid version together.
I know it's not easy; that's why, when I searched for something to make my server strong, I found OWASP. If you have any alternative for server-side security I would appreciate it.
Do QUIC.cloud + Cloudflare not conflict if both have CDN enabled?

The Sucuri paid version I would not recommend, as it's not worth it. I am not talking about the Sucuri WAF firewall, bro; it's just a simple plugin that blocks many important factors in WordPress: it auto-resets the WordPress login sessions, sends mail as soon as someone attempts to log in to the dashboard using whatever username, blocks PHP file editing, blocks brute-force login attempts, identifies any changes to the default WordPress core files, and lots of such useful features.
The Sucuri plugin I suggested is entirely different from what you might have thought about the Sucuri paid platform (both are different).

Perfmatters is a quality plugin, and I would suggest getting it if you can afford it. It's like $25 a year.

QUIC.cloud and Cloudflare both work hand in hand. QUIC.cloud has a dynamic full-page cache which others don't offer. Make use of the dynamic cache from QUIC.cloud and set Cloudflare for static cache.

Thank you for your advice, I will use them.
Last question: should I go with the Sucuri plugin, or iThemes Security, or NinjaFirewall security?
Thank you

Sucuri, as it's not actually a security plugin similar to iThemes, Wordfence, Ninja etc., which consume a lot of server resources. This particular Sucuri plugin is lightweight and doesn't slow down anything on your WordPress site.

I have been using WordPress for more than 11 years and it was never hacked. I do get many attempt email notifications, though, but they never succeeded in getting into my sites. I do all these basic security things, which is more than enough for anyone.

Perfmatters I suggested because it helps in disabling many unwanted files in WordPress which slow down the site, plus it also offers a customized login path instead of the default wp-login/wp-admin, which is normally the target.


Thank you so much for your help
God bless you
