You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This command manages the <spanclass="notranslate">Imunify Security</span> WordPress plugin and its Web Application Firewall (WAF). It is available in both <spanclass="notranslate">Imunify360</span> (using <spanclass="notranslate">`imunify360-agent`</span>) and <spanclass="notranslate">ImunifyAV/AV+</span> (using <spanclass="notranslate">`imunify-antivirus`</span>).
Use <spanclass="notranslate">`waf set`</span> to enable or disable the WordPress WAF for hosting accounts in bulk. The plugin must be installed first (see <spanclass="notranslate">`security_plugin_enabled`</span> below); otherwise the command reports <spanclass="notranslate">_WordPress Security Plugin is disabled. Enable it before changing WAF settings._</span>
2715
+
2716
+
|||
2717
+
|-|-|
2718
+
|<spanclass="notranslate">`--status`</span>|<spanclass="notranslate">`enabled`</span> or <spanclass="notranslate">`disabled`</span>.|
2719
+
|<spanclass="notranslate">`--all-users`</span>|apply to all hosting accounts.|
2720
+
|<spanclass="notranslate">`--users`</span>|apply to a space-separated list of accounts. Use either <spanclass="notranslate">`--all-users`</span> or <spanclass="notranslate">`--users`</span>, not both.|
2721
+
2722
+
**Examples**
2723
+
2724
+
1. Enable the WAF for all hosting accounts:
2725
+
2726
+
<divclass="notranslate">
2727
+
2728
+
```
2729
+
imunify360-agent wordpress-plugin waf set --status enabled --all-users
2730
+
```
2731
+
2732
+
</div>
2733
+
2734
+
2. Disable the WAF for specific accounts:
2735
+
2736
+
<divclass="notranslate">
2737
+
2738
+
```
2739
+
imunify360-agent wordpress-plugin waf set --status disabled --users user1 user2
2740
+
```
2741
+
2742
+
</div>
2743
+
2744
+
The command reports how many accounts succeeded, were skipped (for example, when a name is not a hosting user), or failed.
2745
+
2746
+
To change the WAF for a single account, you can also update its configuration directly:
Use the <spanclass="notranslate">`rules`</span> subcommand to disable or re-enable a specific WAF rule — for example, one that interferes with legitimate traffic. The rule identifier is the one shown for the incident (typically a CVE ID).
2771
+
2772
+
|||
2773
+
|-|-|
2774
+
|<spanclass="notranslate">`disable`</span>|disable a rule, for all domains or for specific ones.|
2775
+
|<spanclass="notranslate">`enable`</span>|re-enable a previously disabled rule.|
2776
+
|<spanclass="notranslate">`list-disabled`</span>|list the currently disabled rules.|
2777
+
2778
+
|||
2779
+
|-|-|
2780
+
|<spanclass="notranslate">`--rule`</span>|the rule identifier (for example, <spanclass="notranslate">`CVE-2025-001`</span>).|
2781
+
|<spanclass="notranslate">`--domains`</span>|optional space-separated list of domains. If omitted, the rule is disabled or enabled for all domains.|
<td># enable (<spanclass="notranslate">True</span>) the Malware Database Scanner - a database antivirus with automated malware detection and clean-up of web applications. Requires MariaDB/MySQL DB management system version 5.5. Recommended version is 5.6+. Note, that only WordPress, Joomla, and Magento databases are supported now.</td></tr>
<td># installs the <spanclass="notranslate">Imunify Security</span> WordPress plugin on all WordPress sites. This is the master switch for the WordPress plugin and its WordPress WAF. Default is <spanclass="notranslate">False</span>.</td></tr>
<td># enables the WordPress WAF (virtual patching) for WordPress sites on the server. When set to <spanclass="notranslate">False</span>, WAF rules are removed from all sites. Can also be set per hosting account. Default is <spanclass="notranslate">True</span>.</td></tr>
<td># whether the WordPress WAF is enabled automatically for newly created hosting accounts. Default is <spanclass="notranslate">False</span>.</td></tr>
Once the plugin is installed, the **WordPress WAF** provides virtual patching against known vulnerabilities in WordPress plugins, themes, and core. For what it protects against and how end users review incidents, see <span class="notranslate">[Web Application Firewall](/wordpress_plugin/#web-application-firewall-virtual-patching)</span>.
1593
+
1594
+
Tick the <span class="notranslate">_Enable WordPress WAF_</span> checkbox to turn the WAF on for WordPress sites on this server. When it is disabled, WAF rules are removed from all sites and the <span class="notranslate">_CMS WAF_</span> tab is hidden. This option can also be set per hosting account.
1595
+
1596
+
Tick the <span class="notranslate">_Enable WAF for new accounts by default_</span> checkbox to automatically enable the WAF for newly created hosting accounts.
1597
+
1598
+
<img src="/images/wordpress-plugin/waf-panel-settings.png" alt="WordPress plugin settings in the control panel: Install WordPress plugin, Enable WordPress WAF, and Enable WAF for new accounts by default" width="520">
1599
+
1600
+
:::tip Note
1601
+
The WAF is enabled by default for hosting accounts that already existed when it was first rolled out. Newly created accounts follow the <span class="notranslate">_Enable WAF for new accounts by default_</span> setting. A hosting-account owner may disable the WAF for their own account unless it is locked server-wide by the administrator.
0 commit comments