diff --git a/README.md b/README.md
index 7cfdc63efccb39dd76c70cb8d896e78d36214abf..612705ba2b5a43b05d16fb783d36f99a31ee8553 100644
--- a/README.md
+++ b/README.md
@@ -17,15 +17,22 @@ wp-config.php.
 ## Disable a ModSecurity rule
 
 For this and other customizations, just edit the contents of
-conf/modsecurity/local.conf and add whatever directives are
-necessary.
+conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf and
+add whatever directives are necessary.
+
+If you just want to disable a specific rule ID (for example 123456),
+something like the following will do:
+
+```
+SecRuleRemoveById 123456
+```
 
 ## Whitelist a URL in ModSecurity
 
-The syntax to whitelist a URL (i.e. disable the ModSecurity engine
-on a path-based criteria) is not trivial to come up with: if you want
-to whitelist /some/url.php, you'll have to modify conf/modsecurity/local.cf
-and add a directive like the following:
+The syntax to whitelist a URL (i.e. disable the ModSecurity engine on
+a path-based criteria) is not trivial to come up with: if you want to
+whitelist /some/url.php, you'll have to modify
+conf/modsecurity/local.cf and add a directive like the following:
 
 ```
 SecRule REQUEST_URI "@beginsWith /some/url.php" "id:1,ctl:ruleEngine=Off"
diff --git a/conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf b/conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
new file mode 100644
index 0000000000000000000000000000000000000000..9b7839b9cddd62e15c4eb2fd50756cac18eb3daa
--- /dev/null
+++ b/conf/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
@@ -0,0 +1,25 @@
+# Disable mod_security rules in this file.
+
+SecRuleRemoveById 960015
+
+# Oracle error messages.
+SecRuleRemoveById 951120
+
+# Wordpress generates badly encoded mime/multipart uploads
+# for its own file upload functionality...
+# Drop the REQBODY_ERROR and MULTIPART_UNMATCHED_BOUNDARY rules.
+SecRuleRemoveById 200002 200004
+
+# Matches an Apache directory listing.
+SecRuleRemoveById 950130
+
+# XSS rules that have too many false positives.
+SecRuleRemoveById 941160
+SecRuleRemoveById 941180
+SecRuleRemoveByID 953120
+
+# ModSec Rule Exclusion: 920273 : Invalid character in request (outside of very strict set)
+# ModSec Rule Exclusion: 942432 : Restricted SQL Character Anomaly Detection (args): 
+# number of special characters exceeded (2) (severity:  NONE/UNKOWN)
+SecRuleRemoveById 920273
+SecRuleRemoveById 942432
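Review bot: The global `SecRuleRemoveById 200002 200004` turns off the request-body parse-error and unmatched-boundary checks for every request, not only WordPress uploads, so a body ModSecurity could not parse is passed on without the later rules having inspected it. If the false positives come only from the upload handler, scope the exclusion to that path with a phase-1 rule such as `SecRule REQUEST_URI "@beginsWith <upload-path>" "id:<unused-id>,phase:1,pass,nolog,ctl:ruleRemoveById=200002,ctl:ruleRemoveById=200004"`. The same scoping question applies to the global removal of 941160 and 941180. Separately, 953120 is listed under the "XSS rules" comment, but in CRS 3 the 953xxx range holds the PHP data-leakage response rules, so it should get its own comment saying why it is removed. 960015 has no comment at all.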
diff --git a/conf/modsecurity/local.conf b/conf/modsecurity/local.conf
index 9d2f93ac6cbe2492f7be59a8a4dc32c233e22dbf..dd97c0407cdfff271f76cff3af9152dddac5bf57 100644
--- a/conf/modsecurity/local.conf
+++ b/conf/modsecurity/local.conf
@@ -10,16 +10,6 @@ SecRule REQUEST_URI "@beginsWith /wp-admin/admin.php" "id:4,ctl:ruleEngine=Off"
 # default, but something overrides it?)
 SecRequestBodyLimit 131072000
 
-SecRuleRemoveById 960015
-
-# Oracle error messages.
-SecRuleRemoveById 951120
-
-# Wordpress generates badly encoded mime/multipart uploads
-# for its own file upload functionality...
-# Drop the REQBODY_ERROR and MULTIPART_UNMATCHED_BOUNDARY rules.
-SecRuleRemoveById 200002 200004
-
 # Do not log the actual HTTP transactions.
 SecAuditEngine Off
 SecAuditLog /dev/null