It is common for administrative portals of CMS based websites to experience issues when using a WAF for the first time. This article provides some tips on how to prevent these issues.
The main reason a WAF would block administrative portions of a website (like /wp-admin in WordPress) is that when the /wp-admin section of a site posts updates to specific pages, a WAF can detect this behavior up as a Cross Site Scripting or SQL injection. While blocking these type of legitimate vulnerabilities is usually a good thing, in this case, a WAF may block legitimate behavior.
Here's how to have the WAF enabled while preventing rightful content from being blocked.
Step 1: Whitelist your static IP address
Using WAF custom rules you're able to create an "Allow" rule for your IP address. This means that all traffic coming from this IP address will be whitelisted and will not be sanctioned by WAF for any type of request.
Step 2: Enable automatic logged-in admin users whitelist rule
WAF features a specific rule that detects when a user is logged-in to a supported CMS and automatically whitelists the user's session.
To enable this rule, navigate to WAF and click Policies. You'll find the "CMS Protection" category. Under this category, you'll find a list of the supported CMS's (if yours isn't there, let us know, and we can add it). Enable the CMS type you are using (e.g. "Whitelist WordPress admin logged-in users").
From this point on, every time an admin user logs into the site, their CMS session will be whitelisted. If you have any questions or would like to have your CMS added to the list, please either create a ticket or chat with a support here!