We are looking to bypass WAF & caching for an admin page (domain.com/admin) on a CloudFlare protected website, by way of Page Rule. Before we proceed with this, I wanted to ask - by removing WAF & caching, does that in effect also disable DDoS protection? I would assume every hit on domain.com/admin would be allowed (due to WAF being disabled) and every request would initiate a pull request from the Origin (due to it not being cached). Therefore does that mean the Origin is at risk of being DDoS’d and going down? Or are there other levels of protection still afforded even when these two features are bypassed for a particular page?
We are also looking into restricting access to the page via IP address, but this may not be ready by the time we need to configure the bypass so I am keen to understand what other protections we may have in the meantime.
More context: The website has a Silverstripe CMS backend / PHP, CloudFlare is licensed with Business and WAF is configured with most of the default rule sets. All working well on the publicly accessible pages but when we perform certain functions in the admin panel (such as updating page content) the WAF triggers due to XSS & SQL injection errors. We have asked the website developers to investigate but they cannot pinpoint what is causing these errors. They have tried removing different kinds of content (such as metadata tags) from the requests being made but it hasn’t helped.