<b>WAF Rule-Tuning SOP</b>
Do this after deploying any web application firewall.
— Step 1: Start in log/detection mode for 7 days. Never go straight to block on a live store.
— Step 2: Enable the OWASP Core Rule Set at paranoia level 1, then raise it only if false positives stay low.
— Step 3: Review the anomaly-score log. Tune individual rule exclusions, don't disable whole categories.
— Step 4: Add virtual patches for known plugin CVEs you can't update immediately.
— Step 5: Rate-limit <code>/wp-admin</code>, <code>/wp-login.php</code>, and the REST API <code>/users</code> endpoint specifically.
— Step 6: Switch to blocking mode, then re-run a baseline scan to confirm legit traffic still passes.
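To make Step 3 concrete, here is an added Python helper (not part of the original post, the CRS project or any WAF vendor) that tallies ModSecurity-style error-log hits per rule, path and variable, then drafts the narrowest CRS exclusion for any combination that fires repeatedly; the log lines, the threshold and the local rule ids are constructed assumptions.

```python
import re
from collections import Counter

# Constructed ModSecurity v2 error-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
ModSecurity: Warning. Pattern match "(?i)..." at ARGS:content. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [tag "paranoia-level/1"] [uri "/wp-admin/post.php"]
ModSecurity: Warning. Pattern match "(?i)..." at ARGS:content. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [tag "paranoia-level/1"] [uri "/wp-admin/post.php"]
ModSecurity: Warning. Pattern match "(?i)..." at ARGS:content. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [tag "paranoia-level/1"] [uri "/wp-admin/post.php"]
ModSecurity: Warning. Pattern match "(?i)..." at ARGS:log. [id "941100"] [msg "XSS Attack Detected via libinjection"] [tag "paranoia-level/1"] [uri "/wp-login.php"]
ModSecurity: Warning. Pattern match "(?i)..." at ARGS:s. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [tag "paranoia-level/1"] [uri "/?s=1"]
"""

VAR_RE = re.compile(r'\sat (?P<var>[A-Z_]+:[^\s.]+)\. \[')   # variable the rule matched on
ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')                   # CRS rule id
URI_RE = re.compile(r'\[uri "(?P<uri>[^"?]*)')                 # path only, query string dropped

def parse_hits(log_text):
    """Return (rule_id, uri_path, variable) for every matched-rule line.
    Dropping the query string lets hits group by path."""
    hits = []
    for line in log_text.splitlines():
        v, i, u = VAR_RE.search(line), ID_RE.search(line), URI_RE.search(line)
        if v and i and u:
            hits.append((i["id"], u["uri"] or "/", v["var"]))
    return hits

def repeat_offenders(hits, min_count=3):
    """Group hits by (rule, path, variable); keep combos firing min_count+ times."""
    return [(key, n) for key, n in Counter(hits).most_common() if n >= min_count]

def exclusion_rule(rule_id, uri, var, local_id):
    """Narrowest CRS exclusion: strip one variable from one rule on one path.
    Contrast with SecRuleRemoveById (whole rule) or dropping a whole category."""
    return (f'SecRule REQUEST_URI "@beginsWith {uri}" '
            f'"id:{local_id},phase:1,pass,nolog,t:none,'
            f'ctl:ruleRemoveTargetById={rule_id};{var}"')

def suggest_exclusions(log_text, min_count=3, first_local_id=10000):
    """Draft one scoped exclusion per repeat offender (local ids are assumed free)."""
    rules = []
    offenders = repeat_offenders(parse_hits(log_text), min_count)
    for n, ((rule_id, uri, var), _count) in enumerate(offenders):
        rules.append(exclusion_rule(rule_id, uri, var, first_local_id + n))
    return rules

if __name__ == "__main__":
    for rule in suggest_exclusions(SAMPLE_LOG):
        print(rule)
```

Runtime exclusions of this shape go in the before-CRS exclusions file so they execute ahead of the rule they target; the single hits on /wp-login.php and the search path stay below the threshold and are left alone on purpose.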
Run this every time.
Lockdown Ledger
@LockdownLedger
This post was published in the Lockdown Ledger Telegram channel. You can subscribe here: @LockdownLedger.