Support

They don't have to disable mod_security2 in its entirety. The can just disable this particular rule which is a bit too broad. I suspect this rule causes similar problems to other sites.

As a matter of security policy I prefer mod_security2 to be enabled. If it's not enabled it doesn't mean that your site will be automatically hacked, but it's a bit easier. So maybe contact your host and ask them to disable the offending rule instead of mod_security2 as a whole?

Your host is right that the rules are server wide. What I'm saying is that this rule is bound to cause problems. If they don't want to change the rule you have the following options:

1. Live with it. You have Admin Tools installed. As long as you don't use any extensions or scripts which require direct web access, bypassing Joomla!, you're mostly fine.

2. Upgrade to a VPS. A VPS is a virtual private server so it is possible to change which mod_security2 rules will be applied on the entire VPS.

3. Go to another host. However, unless you go for a VPS it is more than likely that you'll have the exact same problem.

Out of the three possibilities I think that the second one, going for a VPS, is the best.

> I don't _think_ I have any of those. Plus I have several static sites. So this means that I do need or that I do NOT need mod_security enabled?

Practically, you have no use for it with static sites. It really makes sense for dynamic sites. Since your dynamic sites are all Joomla! and don't use directly accessible .php scripts you can live without it.

Bottom line: I wouldn't lose sleep over it. However, if you can find out which page on your site triggers this rule and how to avoid triggering it then re-enabling mod_security2 is a good idea. mod_security2 is yet another speedbump to slow down attackers. You can never have too much security, right?

> I understand. So I am surprised that they keep it, doesn't it affect other shared accounts?

Apparently the policy is "if it causes problems disable mod_security2 altogether for the account". It's a simple policy which doesn't require the host techs to understand how mod_security2 rules work (it is REALLY DAMN HARD!) and the security impact is not enough to lose sleep over. Plus, it makes dead simple updating the rules from one of the published rulesets, e.g. OWASP or Atomic, without requiring a very expensive technician going over them manually. It does make sense. Very few hosts have the scale required for a custom rules policy to be sustainable.

Your host should be able to tell you which URL triggered the mod_security2 rule. You can then take a look at your menus to figure out which component it comes from.

As for the tmpl= warnings, please read the documentation. You most likely have to enable the "Allow site templates" option if you're using Joomla!'s Send by Email buttons on your site. Why and how is documented.