Content Management Systems (CMS) typically send information to your website, and this activity can appear malicious due to its automated nature. Gcore’s Web Application and API Protection (WAAP) product can distinguish between traffic from your CMS administrators and potentially harmful requests. This ensures that administrative activities remain unblocked and your application stays protected. The CMS protection policy group contains specific policies that detect when a user is logged into a supported CMS, and automatically adds the user’s session to the allowlist. We also maintain a library of known malicious attacks, which allows us to block exploits that have attacked users in the past.
InfoThis policy group is available in the Pro and Enterprise plans.

Allow admin access to your domain

In some cases, administrative sections of a CMS-based website may be blocked. For example, for WordPress, WAAP may label a change made to the /wp-admin section of a CMS-based site as malicious behavior such as cross-site scripting or SQL injection. As a result, WAAP will block admins from making any page edits. You can prevent this issue in two ways: enable the needed policies in the CMS protection policy group or allowlist your static IP address.

Configure policy group

You can review the policy group and enable or disable its policies in the Gcore Customer Portal: 1. Navigate to WAAP > Domains.
Domains page in the Customer Portal
2. Find the domain where you want to configure the policy and click the domain name to open it. 3. On the Policies page that opens, click CMS protection to expand the section and adjust the policies.
WAAP policies page with the highlighted CMS protection policy
InfoMost of the CMS protection policies allow traffic. Only the WordPress WAF ruleset policy will block the traffic to your website.
If you don’t see your CMS, you can allow admin access by adding your IP address to the allowlist. Contact our Support team for assistance.
PolicyDescription
WordPress WAF rulesetBlock requests that are potentially a WordPress exploit.
Logged-in WordPress adminsAllow requests from logged-in WordPress admins.
Logged-in MODX adminsAllow requests from logged-in MODX admins.
Logged-in Drupal adminsAllow requests from logged-in Drupal admins.
Logged-in Joomla adminsAllow requests from logged-in Joomla admins.
Logged-in allowlist Magento adminsAllow requests from logged-in Magento admins.
Requests from origin’s IPAllow requests from the origin’s IP address for updates.
Logged-in Umbraco adminsAllow requests from logged-in Umbraco admins.
Logged-in PimCore adminsAllow requests from logged-in PimCore admins.
If you enable a particular policy for your CMS, the admin CMS session will be allowlisted when that admin user logs into the site.
TipWe recommend disabling policies for Content Management Systems that you don’t use.

Allowlist a static IP address

If you don’t see your CMS in the list of policies under the CMS policy group, you can allow admin access to your site as follows: 1. In the Gcore Customer Portal, navigate to WAAP > Domains.
Domains page in the Customer Portal
2. Find the needed domain and click its name to open it. 3. In the left-side navigation menu, click Firewall. 4. In the Allowed IPs section, click Add IP/IP Range.
Firewall page with the allow and block IP lists
5. Enter your public IP address so all traffic from your IP will be allowed and won’t be blocked by the WAAP for any type of request. 6. (Optional). Add a description. 7. Click Save to apply the changes.