The Gcore Customer Portal is being updated. Screenshots may not show the current version.

CMS protection

Content Management Systems (CMS) typically send information to your website, and because this activity is automated, it can appear malicious.

Gcore’s Web Application Firewall (WAF) can distinguish between traffic coming from your CMS administrators and potentially harmful requests. This ensures that administrative activities remain unblocked and your application stays protected.

The CMS protection policy group contains specific policies that detect when a user is logged in to a supported CMS and automatically add the user's session to the allowlist. We also keep a library of known malicious attacks, which allows us to block exploits that have attacked users in the past.

Allow admin access to your domain

In some cases, administrative sections of a CMS-based website may be blocked. For example, on a WordPress site, the WAF may classify a change made in the /wp-admin section as malicious behavior such as cross-site scripting (XSS) or SQL injection.

As a result, the WAF will block admins from making any page edits. You can prevent this issue in two ways: enable the needed rules in the CMS protection policy or allowlist your static IP address.

Configure policy group

You can review the policy group and enable or disable its policies in the Gcore Customer Portal:

1. Navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the domain where you want to configure the policy and click the domain name to open it.

3. In the sidebar menu, click WAAP.

4. On the Policies page that opens, click CMS protection to expand the section and adjust the policies.

WAF policies page with the highlighted CMS protection policy

Most of the CMS protection policies allow traffic. Only the WordPress WAF ruleset policy will block the traffic to your website.

If you don’t see your CMS, you can allow admin access by adding your IP address to the allowlist. Contact our Support team for assistance.

| Policy | Description |
|---|---|
| WordPress WAF ruleset | Block requests that are potentially a WordPress exploit. |
| Logged-in WordPress admins | Allow requests from logged-in WordPress admins. |
| Logged-in MODX admins | Allow requests from logged-in MODX admins. |
| Logged-in Drupal admins | Allow requests from logged-in Drupal admins. |
| Logged-in Joomla admins | Allow requests from logged-in Joomla admins. |
| Logged-in allowlist Magento admins | Allow requests from logged-in Magento admins. |
| Requests from origin's IP | Allow requests from the origin's IP address for updates. |
| Logged-in Umbraco admins | Allow requests from logged-in Umbraco admins. |
| Logged-in PimCore admins | Allow requests from logged-in PimCore admins. |

If you enable a particular policy for your CMS, the admin CMS session will be allowlisted when that admin user logs in to the site.

We recommend disabling policies for Content Management Systems that you don’t use.

Allowlist a static IP address

If you don’t see your CMS in the list of policies under the CMS policy group, you can allow admin access to your site as follows:

1. In the Gcore Customer Portal, navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the needed domain and click its name to open it.

3. In the left-side navigation menu, click Firewall.

4. In the Allowed IPs section, click Add IP/IP Range.

Firewall page with the allow and block IP lists

5. Enter your public IP address so that all traffic from your IP will be allowed and won’t be blocked by the WAF for any type of request.

6. (Optional) Add a description.

7. Click Save to apply the changes.
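Because an allowed IP is exempt from WAF blocking for every request type, it helps to review each entry before saving it. The following pre-check is an added example, not Gcore code and not a call to the Gcore API; the function name, the thresholds and the sample entries are assumptions chosen for illustration.

```python
import ipaddress

# Assumed review thresholds (not Gcore limits): wider ranges get flagged.
MAX_V4_ADDRESSES = 8   # equivalent to a /29
MIN_V6_PREFIX = 64

def review_allowlist_entry(entry):
    """Return review findings for a candidate Allowed IPs entry; [] means none."""
    try:
        # strict=False accepts input such as "8.8.8.8/24" and normalises it.
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return ["not a valid IP address or CIDR range"]

    findings = []
    # Step 5 asks for a public IP address: private, CGNAT, loopback and
    # documentation ranges are not globally routable and are flagged here.
    if not (net.network_address.is_global and net.broadcast_address.is_global):
        findings.append("not a public (globally routable) address")
    # Every address in an allowed range skips WAF blocking for all requests,
    # so a wide range exempts far more than the admin's own workstation.
    if net.version == 4 and net.num_addresses > MAX_V4_ADDRESSES:
        findings.append(f"range covers {net.num_addresses} addresses; narrow it")
    if net.version == 6 and net.prefixlen < MIN_V6_PREFIX:
        findings.append(f"/{net.prefixlen} is wider than /{MIN_V6_PREFIX}; narrow it")
    return findings

if __name__ == "__main__":
    # Constructed sample entries, not taken from the page.
    for candidate in ["8.8.8.8", "10.0.0.5", "100.64.0.1", "8.8.8.0/24", "office-vpn"]:
        print(candidate, "->", review_allowlist_entry(candidate) or "ok")
```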
