October 5, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| Allow Known Bots | | The following bots and services were added to the Known Bots ruleset: Workato, GhostInspector, Freshping Monitoring, BinaryCanary, Adestra bot, Acquia Uptime, Spring Bot, parse.ly scraper, Landau Media Spider, Geckoboard, Audisto Bot, FeedWind, FeedPress, Feeder.co, Shareaholic Bot, Adjust Servers, Kyoto Tohoku Crawler. | NA | Allow |
| Behavioral WAF | Brute-Force Protection | This policy has been improved to better detect login forms. | Captcha | Captcha |

September 29, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAP & OWASP Top Threats | XSS Attack | This policy has been updated to improve XSS protection against additional attack vectors. | Block | Block |

September 22, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| IP Reputation | External Reputation Block List | This policy has been renamed to External Reputation Block List. | Handshake | Handshake |
| Behavioral WAF (advanced threat protection) | Spam Protection | This policy has been updated to improve the mitigation of spam clients and to improve the detection of spam bots. | Handshake | Handshake or Captcha |
| Allow Known Bots | Semrush Bot | This policy has been updated to improve the detection of Semrush bots. | Allow | Allow |
| WAP & OWASP Top Threats | Protocol Attack | This policy has been updated to improve the detection of CRLF injection. | Block | Block |
| WAP & OWASP Top Threats | SQL Injection | This policy has been updated to improve the detection of SQL injection. | Block | Block |
| WAP & OWASP Top Threats | Personal Identifiable Information | This policy has been updated to improve the detection of personal identifiable information leakage. | Block | Block |

August 31, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| Traffic Sources | Traffic From Hosting Services | This policy has been updated with additional hosting services. | JS Validation | JS Validation |

August 24, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| CMS Protection | Whitelist WordPress admin logged-in users | This policy has been updated to improve false positive rates and to improve the user experience for logged-in admins. | Allow | Allow |

August 10, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAP & OWASP Top Threats | SQL Injection | This policy has been updated to handle additional SQL injection cases. | Block | Block |
| WAP & OWASP Top Threats | Open Redirect | This policy has been updated to improve false negative rates. | Block | Block |
| Behavioral WAF (advanced threat protection) | Block Probing and Forced Browsing | This policy has been updated to detect additional vulnerability scanning tools. | JS Validation | JS Validation |
| Anti-Automation & Bot Protection | Anti Scraping | This policy has been updated to improve the detection of highly sophisticated content scrapers. | Captcha | Captcha |

August 3, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| CMS Protection | Whitelist WordPress admin logged-in users | This policy has been updated to improve false negative rates. | Allow | Allow |
| Behavioral WAF (advanced threat protection) | Obfuscated Attacks and Zero-Day Mitigation | This policy has been updated to perform "Block" actions. | Captcha | Block |
| Anti-Automation & Bot Protection | Force Browser Validation on traffic anomalies | This policy has been updated to mitigate additional cases of anomalies in cookies. | Captcha | Captcha |

July 27, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| Behavioral WAF (advanced threat protection) | Block Probing and Forced Browsing | This policy has been updated to improve the detection of forced browsing on Ajax endpoints. | Captcha | Captcha |
| Anti-Automation & Bot Protection | Anti-Scraping | This policy has been updated to improve mitigation of Ajax scrapers, which pass captchas manually. | Captcha | Captcha |
| CMS Protection | Whitelist WordPress admin logged-in users | This policy has been updated to improve false positive rates. | Allow | Allow |

July 13, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAP & OWASP Top Threats | Local File Inclusion | This policy has been updated to reduce false positive rates on path traversal attacks. Additionally, this policy now blocks file uploads with PHP extensions. | Block | Block |
| CMS Protection | Whitelist WordPress admin logged-in users | This policy has been updated to improve WordPress admin detection. | Allow | Allow |

July 6, 2021

| Ruleset | Policy | Description of Update | Previous Action | New Action |
|---|---|---|---|---|
| WAP & OWASP Top Threats | Personal Identifiable Information | This new policy mitigates personal identifiable information (PII) exposures. | NA | Block |
| WAP & OWASP Top Threats | Sensitive Data Exposure | This policy has been updated to block new .NET framework errors, such as "Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3770.0". | Block | Block |
| User Agents | Block Invalid User Agents | This policy has been updated to improve the accuracy of invalid user agent identification. | Block | Block |
| User Agents | Block Unknown User Agents | This policy has been updated to extend the list of known user agents. | JS Validation | JS Validation |
| WAP & OWASP Top Threats | Shell Injection | This policy has been updated to be enabled by default, which includes a block action. This new default behavior only affects newly created sites. For existing sites, StackPath recommends that this policy be enabled as well. | Block | Block |
| CMS Protection | Whitelist WordPress admin logged-in users | This policy has been updated to improve WordPress admin detection. | Allow | Allow |