Content Management Systems (CMS) typically send information to your website, and this activity can appear malicious due to its automated nature.
CDB's Web Application and API Protection (WAAP) product can distinguish between traffic from your CMS administrators and potentially harmful requests. This ensures that administrative activities remain unblocked and your application stays protected.
The CMS protection policy group contains specific policies that detect when a user is logged into a supported CMS, and automatically adds the user's session to the allowlist. We also maintain a library of known malicious attacks, which allows us to block exploits that have attacked users in the past.
ℹ️
Info
This policy group is available in the Pro and Enterprise plans. More details on the Security pricing page.
Allow admin access to your domain
In some cases, administrative sections of a CMS-based website may be blocked. For example, for WordPress, WAAP may label a change made to the /wp-admin section of a CMS-based site as malicious behavior such as cross-site scripting or SQL injection.
You can review the CMS Protection rules and enable or disable them in the CDB Technical Web Portal:
1. Navigate to WAAP > Default Rules.
2. In the domain dropdown at the top of the page, select the needed domain.
3. Click the CMS Protection tab to view and adjust the rules.
ℹ️
Info
Most CMS protection policies allow authenticated admin sessions. Only the WordPress WAF ruleset policy actively blocks requests.
If you don't see your CMS, you can allow admin access by adding your IP address to the allowlist. Contact our Support team for assistance.
Policy
Description
WordPress WAF ruleset
Block requests that are potentially a WordPress exploit.
Logged-in WordPress admins
Allow requests from logged-in WordPress admins.
Logged-in MODX admins
Allow requests from logged-in MODX admins.
Logged-in Drupal admins
Allow requests from logged-in Drupal admins.
Logged-in Joomla admins
Allow requests from logged-in Joomla admins.
Logged-in allowlist Magento admins
Allow requests from logged-in Magento admins.
Logged-in Umbraco admins
Allow requests from logged-in Umbraco admins.
Logged-in PimCore admins
Allow requests from logged-in PimCore admins.
If you enable a particular policy for your CMS, the admin CMS session will be allowlisted when that admin user logs into the site.
ℹ️
Tip
We recommend disabling policies for Content Management Systems that you don't use.
Allowlist a static IP address
If you don't see your CMS in the list of policies under the CMS policy group, you can allow admin access to your site as follows:
1. In the CDB Technical Web Portal, navigate to WAAP > Firewall.
2. In the domain dropdown at the top of the page, select the needed domain.
3. In the Allowed IPs tab, click Add IP/IP range.
4. Enter your public IP address so all traffic from your IP will be allowed and won't be blocked by the WAAP for any type of request.
5. (Optional) Add a description.
6. Click Save to apply the changes.
The Policies endpoints manage CMS Protection rules ? preventing WAAP from blocking legitimate CMS admin activity. A firewall allowlist rule can also be created for an admin's static IP address. Response examples include only the fields used in each step.
ℹ️
An API token is required, along with the ID of a WAAP-protected domain and the Python or Go SDK installed for SDK examples. CMS Protection policies require a Pro or Enterprise WAAP plan. IP allowlist rules are available on all plans.
Retrieve the current mode of all CMS Protection policies for a domain.
import gcore
import os
client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])
rule_sets = client.waap.domains.list_rule_sets(domain_id)
cms = next(
rs for rs in rule_sets if rs.resource_slug == "cms-protection"
)
for policy in cms.rules:
status = "enabled" if policy.mode else "disabled"
print(f"{policy.name}: {status} ({policy.id})")
package main
import (
"context"
"fmt"
"os"
"strconv"
gcore "github.com/G-Core/gcore-go"
"github.com/G-Core/gcore-go/option"
)
func main() {
client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)
ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
for _, rs := range *ruleSets {
if rs.ResourceSlug == "cms-protection" {
for _, policy := range rs.Rules {
status := "disabled"
if policy.Mode {
status = "enabled"
}
fmt.Printf("%s: %s (%s)\n", policy.Name, status, policy.ID)
}
}
}
}
The response includes each policy in the group with its ID and current state. mode: true means enabled; mode: false means disabled.
Toggle a policy
Switch a policy between enabled and disabled. Each call flips the current mode. Use the policy ID returned by the View policy states request.
⚠️
This endpoint toggles the current state rather than setting a specific value. If the target state is unknown, check the current policy state first using the View policy states request.
import gcore
import os
client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])
# Find the policy ID by name
rule_sets = client.waap.domains.list_rule_sets(domain_id)
cms = next(
rs for rs in rule_sets if rs.resource_slug == "cms-protection"
)
policy = next(r for r in cms.rules if r.name == "Logged-in WordPress admins")
result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
status = "enabled" if result.mode else "disabled"
print(f"Logged-in WordPress admins is now {status}")
package main
import (
"context"
"fmt"
"os"
"strconv"
gcore "github.com/G-Core/gcore-go"
"github.com/G-Core/gcore-go/option"
"github.com/G-Core/gcore-go/waap"
)
func main() {
client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)
// Find the policy ID by name
ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
var policyID string
for _, rs := range *ruleSets {
if rs.ResourceSlug == "cms-protection" {
for _, p := range rs.Rules {
if p.Name == "Logged-in WordPress admins" {
policyID = p.ID
}
}
}
}
result, _ := client.Waap.Domains.Policies.Toggle(context.Background(), policyID, waap.DomainPolicyToggleParams{DomainID: domainID})
status := "disabled"
if result.Mode {
status = "enabled"
}
fmt.Printf("Logged-in WordPress admins is now %s\n", status)
}
# Set POLICY_ID to the policy ID from the Policy reference or View policy states response
export POLICY_ID="{POLICY_ID}"
curl -X PATCH "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${WAAP_DOMAIN_ID}/policies/${POLICY_ID}/toggle" \
-H "Authorization: APIKey ${GCORE_API_KEY}"
Response:
{"mode": true}
The API returns the updated policy object. mode: true confirms the policy is now enabled; mode: false confirms disabled.
Allowlist an IP address
Create a firewall rule that allows all traffic from a specific IP address, bypassing WAF inspection. Use this approach when the CMS admin's IP address is static and their CMS is not in the policy list above.