mod-security-users

[mod-security-users] Where is the best place for the ModSecurity?

[Jason L. <hac...@ya...>]

Hello,Where is the best place for the ModSecurity to protect a WordPress website? Is it true that a WAF like ModSecurity must be installed between the web server and the Internet and not on the host itself?
Tnx.

Re: [mod-security-users] Where is the best place for the ModSecurity?

[Reindl H. <h.r...@th...>]

Am 24.02.21 um 11:58 schrieb Jason Long via mod-security-users:
> Hello,
> Where is the best place for the ModSecurity to protect a WordPress 
> website? Is it true that a WAF like ModSecurity must be installed 
> between the web server and the Internet and not on the host itself?

no it is not and given that you can adjust rules based on <Directory> in 
your httpd configuration it makes a lot of sense have it on the host itself

and "must" don't exist at all - nobody can force you to setup a proxy 
nor pretend an additional proxy makes things more secure by it's existence

the opposite is true: in doubt you are now vulerable for bugs of the 
proxy as well as the backend server - having more layers and complexity 
in the mix can make sense but it's not more secure out of the blue

Re: [mod-security-users] Where is the best place for the ModSecurity?

[Brent C. <bre...@gm...>]

The host itself, is fine.

HTH

Regards
Brent

On 2021/02/24 12:58, Jason Long via mod-security-users wrote:
> Hello,
> Where is the best place for the ModSecurity to protect a WordPress 
> website? Is it true that a WAF like ModSecurity must be installed 
> between the web server and the Internet and not on the host itself?
>
> Tnx.
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/