API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
WAAP
WAAP
Chosen image
Home/WAAP/WAAP policies/CMS protection

CMS protection

Content Management Systems (CMS) typically send information to your website, and this activity can appear malicious due to its automated nature.

Gcore’s Web Application and API Protection (WAAP) product can distinguish between traffic from your CMS administrators and potentially harmful requests. This ensures that administrative activities remain unblocked and your application stays protected.

The CMS protection policy group contains specific policies that detect when a user is logged into a supported CMS, and automatically adds the user's session to the allowlist. We also maintain a library of known malicious attacks, which allows us to block exploits that have attacked users in the past.

This policy group is available in the Pro and Enterprise plans.

Allow admin access to your domain

In some cases, administrative sections of a CMS-based website may be blocked. For example, for WordPress, WAAP may label a change made to the /wp-admin section of a CMS-based site as malicious behavior such as cross-site scripting or SQL injection.

As a result, WAAP will block admins from making any page edits. You can prevent this issue in two ways: enable the needed policies in the CMS protection policy group or allowlist your static IP address.

Configure policy group

You can review the policy group and enable or disable its policies in the Gcore Customer Portal:

1. Navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the domain where you want to configure the policy and click the domain name to open it.

3. On the Policies page that opens, click CMS protection to expand the section and adjust the policies.

WAAP policies page with the highlighted CMS protection policy

Most of the CMS protection policies allow traffic. Only the WordPress WAF ruleset policy will block the traffic to your website.

If you don’t see your CMS, you can allow admin access by adding your IP address to the allowlist. Contact our Support team for assistance.

Policy Description
WordPress WAF ruleset Block requests that are potentially a WordPress exploit.
Logged-in WordPress admins Allow requests from logged-in WordPress admins.
Logged-in MODX admins Allow requests from logged-in MODX admins.
Logged-in Drupal admins Allow requests from logged-in Drupal admins.
Logged-in Joomla admins Allow requests from logged-in Joomla admins.
Logged-in allowlist Magento admins Allow requests from logged-in Magento admins.
Requests from origin's IP Allow requests from the origin's IP address for updates.
Logged-in Umbraco admins Allow requests from logged-in Umbraco admins.
Logged-in PimCore admins Allow requests from logged-in PimCore admins.

If you enable a particular policy for your CMS, the admin CMS session will be allowlisted when that admin user logs into the site.

We recommend disabling policies for Content Management Systems that you don’t use.

Allowlist a static IP address

If you don’t see your CMS in the list of policies under the CMS policy group, you can allow admin access to your site as follows:

1. In the Gcore Customer Portal, navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the needed domain and click its name to open it.

3. In the left-side navigation menu, click Firewall.

4. In the Allowed IPs section, click Add IP/IP Range.

Firewall page with the allow and block IP lists

5. Enter your public IP address so all traffic from your IP will be allowed and won’t be blocked by the WAAP for any type of request.

6. (Optional). Add a description.

7. Click Save to apply the changes.

Was this article helpful?