I have a handful of small websites on a shared host in the US. I have a dedicated IP for the small group and pay for extra CPU, RAM, I/O, etc.
One of the sites has a couple of PHP pages allowing simple interaction with a MySQL db, and they recently had an issue where they would get random 403 errors when entering text. I tracked it down to modsec rules not allowing the word 'casino' (and a whole host of other words) to be used in text fields. Casino is a valid word for them to use, so I need to find a solution.
Although the site is far from mission critical and the db holds nothing but basic information, I still want it to be secure. The hosts have suggested we just turn it off for now, as I can't even make updates to the PHP in the plugin (same 403 error, which again suggests modsec issues according to the plugin support forum), but what are my options going forward?
It's a WordPress site with Wordfence doing all the usual stuff. I'll sign it up for basic Cloudflare shortly, but in terms of the PHP, the pages are handled by a WordPress plugin called shortcode-exec-php, and the db interaction is all in PHP files checking the user is logged in before running anything. There is basic checking of the data entered by the users before the forms are posted (make sure fields aren't empty and numbers are numbers, that sort of thing), and the code itself uses mysql_real_escape_string on the $_POST variables and $wpdb->blah statements.
My understanding is that should handle any attempted SQL-injection and XSS issues, but I'm happy to be told I'm wrong.
From what I've found this morning about WordPress and modsec, it seems like most people either spend the time to work out which rules break which files and exclude them, or they just turn it off.
I'm interested to hear thoughts as I know there are a number of us on here who do this sort of thing.
I've often thought I should remove the PHP from the plugin and create the pages properly, but you know how it goes: you start something because it's easier and just stick with it!
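As an added example (not the poster's code), here is the form-handling pattern the post describes, written against the WordPress APIs: a logged-in and capability check, a nonce check, the same non-empty/numeric validation, and the insert done through $wpdb->prepare rather than mysql_real_escape_string (which belongs to the removed mysql_* extension and only escapes for the SQL string context, not for HTML output). The function name, table name and field names are assumptions; it assumes it runs inside a loaded WordPress.

```php
<?php
// Added example: a WordPress form handler for a text field that may legitimately
// contain words such as "casino". Assumes WordPress is loaded, so $wpdb,
// is_user_logged_in(), current_user_can(), wp_verify_nonce() and esc_html() exist.
// The table name 'example_notes' and the fields 'note'/'amount' are assumptions.

function example_handle_note_submission() {
    global $wpdb;

    // Authorisation: logged in AND allowed to do this action, not merely logged in.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    // CSRF check: the form must carry a nonce emitted by wp_nonce_field( 'example_note' ).
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'example_note' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    // Input validation as described in the post: text not empty, number is a number.
    $note   = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    $amount = isset( $_POST['amount'] ) ? wp_unslash( $_POST['amount'] ) : '';
    if ( $note === '' || ! is_numeric( $amount ) ) {
        wp_die( 'Missing or invalid fields', '', array( 'response' => 400 ) );
    }

    // Parameterised query: $wpdb->prepare binds and quotes the values itself, so the
    // word "casino" (or a quote character) in $note is just data, never SQL.
    $table = $wpdb->prefix . 'example_notes'; // assumed table; prefix is trusted config
    $ok = $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (user_id, note, amount) VALUES (%d, %s, %f)",
        get_current_user_id(),
        $note,
        (float) $amount
    ) );
    if ( $ok === false ) {
        wp_die( 'Database error', '', array( 'response' => 500 ) );
    }

    // Output is a different context from SQL: escape for HTML when echoing stored text.
    echo '<p>Saved: ' . esc_html( $note ) . '</p>';
}
```

sanitize_text_field strips HTML tags and stray whitespace from the note; if the field must keep markup, drop it and rely on prepare() for the query plus esc_html()/wp_kses() at output.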