Configuring WAF Managed Ruleset for WordPress

Hi community,

I am new here and just purchased the Pro plan to be able to utilize WAF to protect my WordPress site. The ticket is too slow to get a response. So I decide to post my questions here to see if anyone can help.

So, basically, there are two Managed Rulesets in WAF, Cloudflare Managed Ruleset and Cloudflare OWASP Core Ruleset.

Cloudflare Managed Ruleset works just fine, after activating it, my WordPress acts as normal.

However, after activating Cloudflare OWASP Core Ruleset, some of my WordPress features were broken.
To this end, my WordPress can no longer update a post, it states:

Error 1020 Access denied. What happened? This website is using a security service to protect itself from online attacks.

And I checked the console, the rule that prevents me from updating post is:

949110: Inbound Anomaly Score Exceeded, OWASP Score 58

And it is because of the following violations:
920272: Invalid character in request (outside of printable chars below ASCII 127)
Cloudflare OWASP Core Ruleset Score (+5)
920273: Invalid character in request (outside of very strict set)
Cloudflare OWASP Core Ruleset Score (+5)
920274: Invalid character in request headers (outside of very strict set)
Cloudflare OWASP Core Ruleset Score (+5)
932200: RCE Bypass Technique
Cloudflare OWASP Core Ruleset Score (+5)
941320: Possible XSS Attack Detected - HTML Tag Handler
Cloudflare OWASP Core Ruleset Score (+5)
941340: IE XSS Filters - Attack Detected
Cloudflare OWASP Core Ruleset Score (+5)
942260: Detects basic SQL authentication bypass attempts 2/3
Cloudflare OWASP Core Ruleset Score (+5)
942430: Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
Cloudflare OWASP Core Ruleset Score (+3)
942490: Detects classic SQL injection probings 3/3
Cloudflare OWASP Core Ruleset Score (+5)
942420: Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)
Cloudflare OWASP Core Ruleset Score (+3)
942431: Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)
Cloudflare OWASP Core Ruleset Score (+3)
942460: Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters
Cloudflare OWASP Core Ruleset Score (+3)
942421: Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)
Cloudflare OWASP Core Ruleset Score (+3)
942432: Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
Cloudflare OWASP Core Ruleset Score (+3)

I certainly cannot disable them all.

In addition to the Cloudflare OWASP Core Ruleset, I am also wondering if there is any ruleset in Cloudflare Managed Ruleset that can prevent any WordPress featureā€¦

So, my question is: how can I configure WAP to make it compatible with WordPress?

In other words, which rules should I disable/enable to make the WAP compatible with a WordPress site?

Any help would be helpful.

Thanks.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.