UPDATE: I found the cause. I had to remove this line from the rule: SecTmpSaveUploadedFiles On Hello, this is the ModSecurity rule i found and be claimed to scan web server file uploads by Malware Detect software: SecRequestBodyAccess On SecTmpSaveUploadedFiles On SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:99587,msg:'Malware found by LinuxMalwareDetect.'" Code (markup): When i upload image (certainly clean image of an nature scenery), ModSecurity stop the request: Request:POST /wp-admin/async-upload.php Action Description: Access denied with code 406 (phase 2). Justification: File "/tmp/20190111-110811-XDh5G5teQx0AAHSqbjYAAAAA-file-lw445E" rejected by the approver script "/usr/local/maldetect/modsec. Code (markup): But when i DISABLE above mentioned ModSecurity rule, deploy changes, restart Apache, the upload WORKS. Then i go to command line and check if Maldet really consider the file malware: # /usr/local/maldetect/modsec.sh /home/acctnamehere/www/wp-content/uploads/2019/01/foto2.jpg maldet(3065): {scan} setting maximum execution time for 'find' file list: 14400sec 1 maldet: OK I check file permissions, here i am unsure if are correct: # ls -lha /usr/local/maldetect/modsec.sh lrwxrwxrwx 1 root root 11 Sep 1 23:56 /usr/local/maldetect/modsec.sh -> hookscan.sh* In /usr/local/maldetect/conf.maldet is: # Allows non-root users to perform scans. This must be enabled when # using mod_security2 upload scanning or if you want to allow users # to perform scans. When enabled, this will populate 'pub/' with user # owned quarantine, session and temporary paths to facilitate scans. # [ 0 = disabled, 1 = enabled, disabled by default ] scan_user_access="1 Code (markup): So the ModSecurity rule is wrong? Can you please suggest how to fix the rule?