Error "412 Precondition Failed" (mod_security2)


Mod_security2 is an Apache2 module which blocks requests to the web server based on a list of server-side rules. Rules include blocks against common server attacks, as well as filtering requests to vulnerable software. This additional security feature is activated by default on our servers in order to provide maximum protection from hacker attacks for the websites of our customers. However, it is possible certain legitimate requests/scripts to match a rule and be blocked. When this happens, the error message returned by the server is 412 Request Blocked (Precondition failed). You are able to disable certain blocking rules, or completely disable mod_security2, by using an .htaccess file.

Disabling mod_security2

Disabling the mod_security2 module would decrease the security of your website considerably, so we would recommend against doing that. Instead, please contact our Support team in order to find out which mod_security2 rule blocks the execution of your script. These rules can be disabled individually. You can also disable mod_security2 only in the directory in which the script that causes the error is located.

To disable mod_security2, you can create an .htaccess file in the directory where you want to disable it. The file should contain the following code:
<IfModule security2_module>
SecRuleEngine Off
SecRequestBodyAccess Off
The .htaccess file can be easily created using the File Manager page of the hosting Control Panel. The settings in this file apply to the directory in which it is located and recursively to its subdirectories.

Disabling a specific rule

A frequently occurring issue caused by a mod_security2 rule is the one that blocks requests to xmlrpc.php files. This rule is in place to prevent the execution of outdated and vulnerable xmlrpc.php files. To allow access to xmlrpc.php, you can create an .htaccess file with the following code in it:
<IfModule security2_module>
SecRuleRemoveById 114

By default, a number of abusive bots are blocked from visiting customer sites, with specific mod_security2 rules. These are the currently blocked bots, as well as their mod_security2 IDs:

"Havij" id:350
"^BOT/0.1" id:354
"^Mozilla\/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1;?( SV1)?;?\)$" id:373
"^Mozilla\/3\.0 \(compatible; Indy Library\)$" id:392
"sqlmap" id:398
"DatabaseDriverMysql" "id:401"
"BUbiNG" id:406
"MauiBot" id:407
"MJ12bot" id:408
"BLEXBot" id:409
"DotBot" id:410
"SemrushBot" id:411
"MegaIndex" id:412

If you need to allow any of the above bots to access your site, you can disable the specific mod_security2 rule with an .htaccess file in the main folder of your website. Just use the SecRuleRemoveById directive as in the example above, and replace the ID with the ID of the specific rule.