Some years ago, I got in the habit of disabling modSecurity on my MODX sites. It frequently caused issues saving content using WYSIWYG editors like tinyMCE, and MODX’s security is so good that I never felt the need for modSecurity.
What do people think? Is there a reason to run modSecurity with a MODX site? Have there been changes in MODX, modSecurity, and/or current hacking techniques that make the combination of MODX and modSecurity now both compatible and desirable?
Great question!
I’m very much the same in that I got into the habit of disabling modSecurity via .htaccess on every site I created.
As a user of shared hosting - the alternative was asking my [excellent] hosts to hunt down rule violations as they happened and add exceptions. This would need to happen for every site.
So yeah - I would always just disable it.
However, at some point recently, I forgot to disable it for a new site. Then another. And another. And the reason I kept forgetting is because, for me, MODX no longer seems to trigger modSecurity rules in the way it did previously.
Perhaps modSecurity has been updated to be more aware of MODX and the way it works. I honestly don’t know - but it no longer seems to be an issue for me.
