You are viewing the legacy StackPath SecureCDN Help Center. Please use if you signed up after July 1, 2018 or log in through

StackPath Support

Using the StackPath WAF with your CMS: Recommended steps

Updating your website with a CMS usually means posting scripts and HTML content to the web server. If you have WAF turned on, this type of content may trigger certain WAF rules that can block the request from reaching the web server, and by doing so prevent the admin CMS user from updating the site. 

Blocking XSS or SQLi content is the desired behaviour of the WAF, but obviously this is not the case.

Here's how to have the WAF enabled while preventing rightful content from being blocked.

Step 1: Whitelist your static IP address

Using WAF custom rules you're able to create an "Allow" rule for your IP address. This means that all traffic coming from this IP address will be whitelisted and will not be sanctioned by WAF for any type of request. 

Note that using a static IP address is recommended, as a regular IP address will probably change over time. 


Step 2: Enable automatic logged-in admin users whitelist rule

WAF features a specific rule that detects when a user is logged-in to a supported CMS, and automatically whitelists the user's session. 

To enable this rule, navigate to WAF and click Policies.You'll find the "CMS Protection" category. Under this category, you'll find a list of the supported CMS's (if yours isn't there, let us know, and we can add it). Enable the CMS type you are using (e.g. "Whitelist WordPress admin logged-in users").


From this point on, every time an admin user logs into the site, their CMS session will be whitelisted. If you have any questions or would like to have your CMS added to the list, please either create a ticket or chat with a support here!

Return to top