ModSecurity is a popular web application firewall often used with the Apache web server. In certain scenarios, ModSecurity will interfere with and disrupt the WP Migrate DB Pro migration process. This happens because some ModSecurity configurations flag WP Migrate DB Pro’s API requests as a potential threat to the security of the system and return a 403 Forbidden or 500 Internal Server Error response. You may also receive an ambiguous 404 Not Found error if your server has not been set up to correctly serve 500 Internal Server Error responses.

If this happens, there are a few things you could try to work around this issue.

Disable ModSecurity

This is the fastest and most effective fix for this issue, but it is not ideal. It is, however, extremely effective for determining whether ModSecurity is the cause. If you determine that ModSecurity is causing the migration to fail, you could have your host send you the ModSecurity logs. Sending these logs to us will help us determine the exact rule that is being triggered. With this information, we may be able to help troubleshoot the problem on your environment. Alternatively, you may be able to work with your host to have them change their ModSecurity rules to allow the migration to function correctly.
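One way to find the triggering rule once your host has supplied the logs: this added example (not part of WP Migrate DB Pro or ModSecurity) parses ModSecurity 2.x entries from an Apache error log and groups them by rule ID for requests to admin-ajax.php and /mdb-api/. The log lines, file paths and the example route are constructed samples.

```python
import re
from collections import defaultdict

# ModSecurity 2.x appends metadata to Apache error-log entries as [key "value"] pairs.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ACTION = re.compile(r"ModSecurity: (?:Access denied with code (\d+)|Warning)")
# Request paths named on this page: the AJAX handler and the REST API location.
PLUGIN_PATHS = ("admin-ajax.php", "/mdb-api/")

def triggered_rules(lines, paths=PLUGIN_PATHS):
    """Group ModSecurity hits on the given request paths by rule id."""
    hits = defaultdict(lambda: {"msg": "", "file": "", "uris": set(), "codes": set(), "count": 0})
    for line in lines:
        action = ACTION.search(line)
        if not action:
            continue  # not a ModSecurity entry
        fields = dict(FIELD.findall(line))
        uri = fields.get("uri", "")
        if "id" not in fields or not any(p in uri for p in paths):
            continue  # hit on another part of the site
        rule = hits[fields["id"]]
        rule["msg"] = fields.get("msg", "")
        rule["file"] = fields.get("file", "").rsplit("/", 1)[-1]
        rule["uris"].add(uri)
        if action.group(1):  # blocking entries carry the HTTP status returned
            rule["codes"].add(int(action.group(1)))
        rule["count"] += 1
    return dict(hits)

# Constructed sample entries for illustration; not taken from a real server.
PREFIX = "[Mon Jan 01 12:00:00.000000 2024] [:error] [pid 1234] [client 203.0.113.5:51234] ModSecurity: "
CRS = "/etc/modsecurity/crs/"
SAMPLE_LOG = [
    PREFIX + 'Warning. detected SQLi using libinjection. [file "' + CRS + 'REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/wp-admin/admin-ajax.php"]',
    PREFIX + 'Access denied with code 403 (phase 2). [file "' + CRS + 'REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-admin/admin-ajax.php"]',
    PREFIX + 'Access denied with code 403 (phase 2). [file "' + CRS + 'REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-json/mdb-api/v1/example-route"]',
    PREFIX + 'Access denied with code 403 (phase 1). [file "' + CRS + 'REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[id "920420"] [msg "Request content type is not allowed by policy"] [uri "/xmlrpc.php"]',
    "[Mon Jan 01 12:00:01.000000 2024] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/apache2'",
]

if __name__ == "__main__":
    for rule_id, info in sorted(triggered_rules(SAMPLE_LOG).items()):
        print(rule_id, info["count"], sorted(info["codes"]), info["file"], info["msg"], sorted(info["uris"]))
```

When the rule set uses anomaly scoring, the "Access denied" entry only names the blocking evaluation rule; the "Warning" entries for the same request identify the detection rule that a host would need to adjust.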

.htaccess Rule Override

To determine if ModSecurity is the issue, it may be possible to disable ModSecurity using an .htaccess rule. You can try placing the following in your root directory’s .htaccess file. This will disable ModSecurity for admin-ajax.php, the file we leverage to make connections between two installations, and the WP Migrate DB REST API endpoints we use to transfer data during migrations.

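# SecFilterEngine and SecFilterScanPOST are ModSecurity 1.x directives. ModSecurity 2.x
# registers as mod_security2.c, so Apache skips this whole block on 2.x.
<IfModule mod_security.c>
    # admin-ajax.php handles the connections between the two installations
    <Files "admin-ajax.php">
        SecFilterEngine Off
        SecFilterScanPOST Off
    </Files>
    # REST API endpoints; Apache accepts <Location> only in server or virtual-host config
    <Location "/mdb-api/">
        SecFilterEngine Off
        SecFilterScanPOST Off
    </Location>
</IfModule>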

If this does not work, it is possible that your host has disabled .htaccess overrides or that your version of ModSecurity is not compatible with this particular override. You may then need to contact your web host and ask them to disable ModSecurity.

Add WP Migrate DB Pro API Routes to ModSecurity Allow List

If it turns out ModSecurity is the issue, you might be able to add the WP Migrate DB API namespace to a ModSecurity allow list. We suggest contacting your web host and asking them to allow any requests to any endpoints under the following URL (where is the domain for your website):