Skip to content

Commit 29db1b9

Browse files
authored
Merge pull request #197 from martinkrcho/docs/wp-waf-virtual-patching
Document WordPress WAF (virtual patching)
2 parents 3fc72d2 + ff52343 commit 29db1b9

11 files changed

Lines changed: 271 additions & 2 deletions

File tree

84.5 KB
Loading
237 KB
Loading
338 KB
Loading
108 KB
Loading
91.3 KB
Loading
87.2 KB
Loading
108 KB
Loading

docs/command_line_interface/README.md

Lines changed: 127 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2695,3 +2695,130 @@ imunify360-agent whitelisted-crawlers [command]
26952695

26962696
</div>
26972697

2698+
## WordPress plugin
2699+
2700+
This command manages the <span class="notranslate">Imunify Security</span> WordPress plugin and its Web Application Firewall (WAF). It is available in both <span class="notranslate">Imunify360</span> (using <span class="notranslate">`imunify360-agent`</span>) and <span class="notranslate">ImunifyAV/AV+</span> (using <span class="notranslate">`imunify-antivirus`</span>).
2701+
2702+
**Usage:**
2703+
2704+
<div class="notranslate">
2705+
2706+
```
2707+
imunify360-agent wordpress-plugin [command] [subcommand] [--option] <value>
2708+
```
2709+
2710+
</div>
2711+
2712+
### Enable or disable the WAF for accounts
2713+
2714+
Use <span class="notranslate">`waf set`</span> to enable or disable the WordPress WAF for hosting accounts in bulk. The plugin must be installed first (see <span class="notranslate">`security_plugin_enabled`</span> below); otherwise the command reports <span class="notranslate">_WordPress Security Plugin is disabled. Enable it before changing WAF settings._</span>
2715+
2716+
| | |
2717+
|-|-|
2718+
|<span class="notranslate">`--status`</span>|<span class="notranslate">`enabled`</span> or <span class="notranslate">`disabled`</span>.|
2719+
|<span class="notranslate">`--all-users`</span>|apply to all hosting accounts.|
2720+
|<span class="notranslate">`--users`</span>|apply to a space-separated list of accounts. Use either <span class="notranslate">`--all-users`</span> or <span class="notranslate">`--users`</span>, not both.|
2721+
2722+
**Examples**
2723+
2724+
1. Enable the WAF for all hosting accounts:
2725+
2726+
<div class="notranslate">
2727+
2728+
```
2729+
imunify360-agent wordpress-plugin waf set --status enabled --all-users
2730+
```
2731+
2732+
</div>
2733+
2734+
2. Disable the WAF for specific accounts:
2735+
2736+
<div class="notranslate">
2737+
2738+
```
2739+
imunify360-agent wordpress-plugin waf set --status disabled --users user1 user2
2740+
```
2741+
2742+
</div>
2743+
2744+
The command reports how many accounts succeeded, were skipped (for example, when a name is not a hosting user), or failed.
2745+
2746+
To change the WAF for a single account, you can also update its configuration directly:
2747+
2748+
<div class="notranslate">
2749+
2750+
```
2751+
imunify360-agent config update --user user1 '{"WORDPRESS":{"waf_enabled": false}}'
2752+
```
2753+
2754+
</div>
2755+
2756+
Server-wide options — installing the plugin, the server-wide WAF switch, and the default for new accounts — are set without a user:
2757+
2758+
<div class="notranslate">
2759+
2760+
```
2761+
imunify360-agent config update '{"WORDPRESS":{"security_plugin_enabled": true}}'
2762+
imunify360-agent config update '{"WORDPRESS":{"waf_enabled": true}}'
2763+
imunify360-agent config update '{"WORDPRESS":{"waf_default": true}}'
2764+
```
2765+
2766+
</div>
2767+
2768+
### Manage individual WAF rules
2769+
2770+
Use the <span class="notranslate">`rules`</span> subcommand to disable or re-enable a specific WAF rule — for example, one that interferes with legitimate traffic. The rule identifier is the one shown for the incident (typically a CVE ID).
2771+
2772+
| | |
2773+
|-|-|
2774+
|<span class="notranslate">`disable`</span>|disable a rule, for all domains or for specific ones.|
2775+
|<span class="notranslate">`enable`</span>|re-enable a previously disabled rule.|
2776+
|<span class="notranslate">`list-disabled`</span>|list the currently disabled rules.|
2777+
2778+
| | |
2779+
|-|-|
2780+
|<span class="notranslate">`--rule`</span>|the rule identifier (for example, <span class="notranslate">`CVE-2025-001`</span>).|
2781+
|<span class="notranslate">`--domains`</span>|optional space-separated list of domains. If omitted, the rule is disabled or enabled for all domains.|
2782+
2783+
**Examples**
2784+
2785+
1. Disable a rule for all domains:
2786+
2787+
<div class="notranslate">
2788+
2789+
```
2790+
imunify360-agent wordpress-plugin rules disable --rule CVE-2025-001
2791+
```
2792+
2793+
</div>
2794+
2795+
2. Disable a rule for specific domains only:
2796+
2797+
<div class="notranslate">
2798+
2799+
```
2800+
imunify360-agent wordpress-plugin rules disable --rule CVE-2025-001 --domains example.com blog.example.com
2801+
```
2802+
2803+
</div>
2804+
2805+
3. Re-enable a rule:
2806+
2807+
<div class="notranslate">
2808+
2809+
```
2810+
imunify360-agent wordpress-plugin rules enable --rule CVE-2025-001
2811+
```
2812+
2813+
</div>
2814+
2815+
4. List disabled rules:
2816+
2817+
<div class="notranslate">
2818+
2819+
```
2820+
imunify360-agent wordpress-plugin rules list-disabled
2821+
```
2822+
2823+
</div>
2824+

docs/config_file_description/README.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -420,6 +420,13 @@ If a non-eligible interval is configured, the agent will ignore it and keep the
420420
<tr><th colspan="2" align="left"><span class="notranslate">MALWARE_DATABASE_SCAN:</span></th></tr>
421421
<tr><td><span class="notranslate">enable: True</span></td>
422422
<td># enable (<span class="notranslate">True</span>) the Malware Database Scanner - a database antivirus with automated malware detection and clean-up of web applications. Requires MariaDB/MySQL DB management system version 5.5. Recommended version is 5.6+. Note, that only WordPress, Joomla, and Magento databases are supported now.</td></tr>
423+
<tr><th colspan="2" align="left"><span class="notranslate">WORDPRESS:</span></th></tr>
424+
<tr><td><span class="notranslate">security_plugin_enabled: False</span></td>
425+
<td># installs the <span class="notranslate">Imunify Security</span> WordPress plugin on all WordPress sites. This is the master switch for the WordPress plugin and its WordPress WAF. Default is <span class="notranslate">False</span>.</td></tr>
426+
<tr><td><span class="notranslate">waf_enabled: True</span></td>
427+
<td># enables the WordPress WAF (virtual patching) for WordPress sites on the server. When set to <span class="notranslate">False</span>, WAF rules are removed from all sites. Can also be set per hosting account. Default is <span class="notranslate">True</span>.</td></tr>
428+
<tr><td><span class="notranslate">waf_default: False</span></td>
429+
<td># whether the WordPress WAF is enabled automatically for newly created hosting accounts. Default is <span class="notranslate">False</span>.</td></tr>
423430
</tbody>
424431
</table>
425432

docs/dashboard/README.md

Lines changed: 24 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1580,8 +1580,6 @@ The WordPress plugin installation is currently allowed only if _Settings > Malwa
15801580
15811581
Tick the <span class="notranslate">_Install WordPress plugin_</span> checkbox to install the Imunify Security WP plugin on all WordPress sites.
15821582
1583-
![](/images/wordpress-plugin/panel-settings.png)
1584-
15851583
You can also enable it via CLI with the following command:
15861584
15871585
<div class="notranslate">
@@ -1591,6 +1589,30 @@ imunify360-agent config update '{"WORDPRESS":{"security_plugin_enabled": true}}'
15911589
```
15921590
</div>
15931591
1592+
Once the plugin is installed, the **WordPress WAF** provides virtual patching against known vulnerabilities in WordPress plugins, themes, and core. For what it protects against and how end users review incidents, see <span class="notranslate">[Web Application Firewall](/wordpress_plugin/#web-application-firewall-virtual-patching)</span>.
1593+
1594+
Tick the <span class="notranslate">_Enable WordPress WAF_</span> checkbox to turn the WAF on for WordPress sites on this server. When it is disabled, WAF rules are removed from all sites and the <span class="notranslate">_CMS WAF_</span> tab is hidden. This option can also be set per hosting account.
1595+
1596+
Tick the <span class="notranslate">_Enable WAF for new accounts by default_</span> checkbox to automatically enable the WAF for newly created hosting accounts.
1597+
1598+
<img src="/images/wordpress-plugin/waf-panel-settings.png" alt="WordPress plugin settings in the control panel: Install WordPress plugin, Enable WordPress WAF, and Enable WAF for new accounts by default" width="520">
1599+
1600+
:::tip Note
1601+
The WAF is enabled by default for hosting accounts that already existed when it was first rolled out. Newly created accounts follow the <span class="notranslate">_Enable WAF for new accounts by default_</span> setting. A hosting-account owner may disable the WAF for their own account unless it is locked server-wide by the administrator.
1602+
:::
1603+
1604+
You can also control the WAF via CLI:
1605+
1606+
<div class="notranslate">
1607+
1608+
```
1609+
imunify360-agent config update '{"WORDPRESS":{"waf_enabled": true}}'
1610+
imunify360-agent config update '{"WORDPRESS":{"waf_default": true}}'
1611+
```
1612+
</div>
1613+
1614+
For per-account and bulk control, see <span class="notranslate">[WordPress plugin CLI commands](/command_line_interface/#wordpress-plugin)</span>.
1615+
15941616
#### Error Reporting
15951617
 
15961618
Tick <span class="notranslate">_Enable Sentry error reporting_</span> checkbox to send reports to the Imunify360 error reports server.

0 commit comments

Comments
 (0)