Today I give up on getting a perfect modsec config. There are just too many themes, plugins, external scripts and other oddball things clients do that trigger false positives. I've found myself stripping away more and more modsec rules to the point that it's feeling not worth it.
I am keeping modsec running on my main control panel server, as it should have more robust security than the hosting servers, and it doesn't seem to conflict with Enhance in any way I've noticed yet.
I'm still keeping modsec "turned on" so that I can use its config file to add optimizations to Apache. I just set the rule engine rule at the very top to Off, and then deleted everything else in the file. Then I added my Apache config in the rest of the file.
It's the same reason I couldn't use modsec in WHM/cPanel: it's just too many variables to get perfect so it doesn't affect users with false positives.
Lastly, during testing I noticed a remarkable improvement in page speed in wp-admin after disabling modsec. It went from a slight delay to zero delay in loading pages in wp-admin. The performance hit + false positives = not worth it. I'm sticking to Wordfence for on-site security, a good firewall at server level, and Cloudflare security at DNS level. This strategy has been proven sufficient for cPanel servers, so I will keep it going that way 🙂