WAAP policies
CMS protection
Content Management Systems (CMS) typically send information to your website, and this activity can appear malicious due to its automated nature.
Gcore’s Web Application and API Protection (WAAP) product can distinguish between traffic from your CMS administrators and potentially harmful requests. This ensures that administrative activities remain unblocked and your application stays protected.
The CMS protection policy group contains specific policies that detect when a user is logged into a supported CMS, and automatically adds the user’s session to the allowlist. We also maintain a library of known malicious attacks, which allows us to block exploits that have attacked users in the past.
2. Find the domain where you want to configure the policy and click the domain name to open it.
3. On the Policies page that opens, click CMS protection to expand the section and adjust the policies.
If you don’t see your CMS, you can allow admin access by adding your IP address to the allowlist. Contact our Support team for assistance.
If you enable a particular policy for your CMS, the admin CMS session will be allowlisted when that admin user logs into the site.
2. Find the needed domain and click its name to open it.
3. In the left-side navigation menu, click Firewall.
4. In the Allowed IPs section, click Add IP/IP Range.
5. Enter your public IP address so all traffic from your IP will be allowed and won’t be blocked by the WAAP for any type of request.
6. (Optional). Add a description.
7. Click Save to apply the changes.
InfoThis policy group is available in the Pro and Enterprise plans.
Allow admin access to your domain
In some cases, administrative sections of a CMS-based website may be blocked. For example, for WordPress, WAAP may label a change made to the/wp-admin section of a CMS-based site as malicious behavior such as cross-site scripting or SQL injection.
As a result, WAAP will block admins from making any page edits. You can prevent this issue in two ways: enable the needed policies in the CMS protection policy group or allowlist your static IP address.
Configure policy group
You can review the policy group and enable or disable its policies in the Gcore Customer Portal: 1. Navigate to WAAP > Domains.InfoMost of the CMS protection policies allow traffic. Only the WordPress WAF ruleset policy will block the traffic to your website.
| Policy | Description |
|---|---|
| WordPress WAF ruleset | Block requests that are potentially a WordPress exploit. |
| Logged-in WordPress admins | Allow requests from logged-in WordPress admins. |
| Logged-in MODX admins | Allow requests from logged-in MODX admins. |
| Logged-in Drupal admins | Allow requests from logged-in Drupal admins. |
| Logged-in Joomla admins | Allow requests from logged-in Joomla admins. |
| Logged-in allowlist Magento admins | Allow requests from logged-in Magento admins. |
| Requests from origin’s IP | Allow requests from the origin’s IP address for updates. |
| Logged-in Umbraco admins | Allow requests from logged-in Umbraco admins. |
| Logged-in PimCore admins | Allow requests from logged-in PimCore admins. |
TipWe recommend disabling policies for Content Management Systems that you don’t use.
Allowlist a static IP address
If you don’t see your CMS in the list of policies under the CMS policy group, you can allow admin access to your site as follows: 1. In the Gcore Customer Portal, navigate to WAAP > Domains.