AegisWAF Master User Guide

AegisWAF User Guide

Version 1.8.17 • Updated February 09, 2026

About this guide

This document is a consolidated, product-grade user guide for AegisWAF (Aegisify Web Application Firewall). It is written for site owners and administrators who need clear, repeatable steps to protect a WordPress site against common web attacks, abusive bots, and high-volume traffic.

This guide is maintained as an active, continuously improved resource. As AegisWAF evolves, new capabilities, interface refinements, and optimization recommendations may be introduced. To ensure accuracy and reliability, instructions, definitions, and screenshots may be updated periodically. Always refer to the latest version of this guide for the most up-to-date information and recommended workflows.

Audience and scope

Who this is for

  • WordPress administrators protecting a public site
  • Agencies and developers hardening client sites
  • Operations teams who need security logs and incident narratives

What this guide covers

  • How AegisWAF evaluates requests (engine, managed rules, heuristics)
  • Configuring Custom Rules, Endpoint Policies, Bot Control, API Shield, and DDoS Shield
  • Using Logs, Attack Story, alerts, and visual charts for investigations
  • Practical hardening checklists and safe rollout guidance

Safety, limitations, and responsibilities

Important: A Web Application Firewall can block legitimate traffic if configured too aggressively. Roll out changes gradually, monitor logs, and keep an emergency “allow” path (temporary Allow rule, IP allowlist, or disable toggles) so you can recover access if you lock yourself out.
  • Least privilege: Only trusted admins should manage WAF settings. Changes can affect site availability.
  • Staged rollout: Start in Log mode (or logging-only defaults), then move to Block/Challenge/Rate Limit as confidence grows.
  • Not a silver bullet: A WAF reduces risk but does not replace patching WordPress core, plugins, and themes, secure hosting, and strong authentication.
  • Performance tradeoffs: Deeper inspection (headers/cookies/body) improves detection but can cost CPU. Use body size limits and targeted Endpoint Policies.

Core concepts

Request lifecycle

AegisWAF inspects inbound HTTP requests before WordPress fully executes. It normalizes inputs (method, path, headers, query/body), evaluates rules in layers, and then chooses an action.

  • Normalize → reduce evasions (encoding tricks, mixed case, separators).
  • Evaluate → Custom Rules, Managed Rules, Heuristics, and (optionally) Bot/API/DDoS modules.
  • Act → Log, Allow, Block, Challenge, or Rate Limit (availability depends on plan / enforcement mode).

Event logging and “Attack Story”

Every significant decision can be recorded as an event (engine, managed rule, heuristic, API Shield, Bot Control, DDoS, endpoint policy). Logs are searchable and can be summarized into an incident-style narrative for the last 24 hours.

  • Logs for detailed forensics (what matched, why it matched, what action happened).
  • Attack Story for quick situational awareness (counts, top routes, top rule types).
  • Charts for trend detection and prioritization.

Rules vs policies

Custom Rules are flexible match/action statements you define (paths, methods, tokens, regex). Endpoint Policies are per-path overrides that change how the engine inspects and responds for specific routes (for example, stricter thresholds on /wp-login.php and more permissive behavior on a payment webhook).

Challenges and rate limiting

When enabled, AegisWAF can “challenge” suspicious traffic (for example via a JS token flow) or slow it down (rate limits). These modes are best introduced after you have observed safe patterns in logs.

Quick start paths

Safe rollout (recommended)

  1. Install and activate AegisWAF.
  2. Open AegisWAF → Overview and confirm the plugin is running.
  3. Enable Managed Rules in Log mode (or accept the default logging-only behavior if enforced).
  4. Turn on inspection for headers/cookies first; enable body inspection only after confirming performance.
  5. Monitor Logs / Attack Story for a day; identify noisy routes and false positives.
  6. Apply Endpoint Policies to tighten sensitive endpoints (login, xmlrpc, admin-ajax) and relax known-safe APIs.
  7. Move selected protections to Block/Challenge/Rate Limit (one module at a time).

Incident response (when under attack)

  1. Go to Logs / Attack Story and open the last 24h story.
  2. Filter by route + IP; identify the highest-volume offenders and top detected rule types.
  3. Apply a short-term mitigation: block IPs, add a path-level policy, enable Bot Control challenge, or tighten DDoS limits.
  4. Confirm effect in charts and new log entries, then iterate.
Tip: If you lock yourself out, temporarily disable enforcement (set to Log), or add a temporary Allow rule for your IP and admin path.

Features

Install & Activate

Where: Plugins → Add New → Upload Plugin (then AegisWAF menu appears)

Installs AegisWAF into WordPress so it can inspect inbound requests and record security events. After activation, AegisWAF registers a top-level AegisWAF admin menu and loads its request inspection engine on every request.

Important: Before enabling aggressive blocking, confirm you have admin access recovery options (SSH/SFTP or a second admin account) and that your host can handle additional inspection overhead.

Configuration

  1. Upload the AegisWAF ZIP in WordPress.
  2. Activate the plugin.
  3. Open AegisWAF from the admin menu and review the default enforcement mode (start with logging-first).

Overview (Dashboard)

Where: AegisWAF → Overview

The Overview tab gives you an at-a-glance security posture: recent inspection activity, high-level event counts, and visual charts that summarize WAF, API, bot, and DDoS detections.

Key capabilities

  • Attack Story snapshot (last 24h) with quick counts and top routes/IPs
  • Visual Intelligence charts (multiple perspectives across modules)
  • Health signals (whether key modules are enabled and recording events)

Configuration

  1. Review the summary counts and confirm events are being recorded.
  2. If you are rolling out for the first time, keep actions in Log mode and watch for false positives.

Logs & Attack Story

Where: AegisWAF → Logs / Attack Story

This tab is your investigation workspace. It includes a searchable log viewer, retention controls, alert configuration, and an “Attack Story” view that summarizes the last 24 hours into a quick narrative and deep-dive reports.

Key capabilities

  • Log viewer filters (route contains, method, event category/type, action, IP) and date range selection
  • Retention controls (auto-delete older events) plus manual cleanup
  • Attack Story overview + deep dive reports + narrative-style incident explanation
  • Optional charts tied to module activity
Important: Keep enough retention to cover your troubleshooting window (at least 7–30 days for most sites). If you reduce retention aggressively, you may lose forensic evidence.

Alerts (Keyword-based notifications)

Where: AegisWAF → Logs / Attack Story → Alert Settings

Alerts let you notify specific recipients when log entries match keywords you care about (for example: “sql_injection”, “challenge”, “/wp-login.php”, or a known hostile ASN label). This is useful for early warning without constantly watching the dashboard.

Important: Avoid overly broad keywords that will spam your inbox. Start narrow, validate in logs, then expand.

Configuration

  1. Create an alert with a clear title.
  2. Enter one or more keyword strings that should trigger the alert.
  3. Add recipient emails and save.
  4. Use the “Alerts only” filter to review triggered entries.

WAF Settings (Managed Rules + Inspection Scope)

Where: AegisWAF → WAF Settings

WAF Settings control the core inspection layer. This includes managed signatures for common attacks, how deep the engine inspects a request (headers/cookies/body), and sensitivity/action modes.

Key capabilities

  • Enable/disable the managed rules engine
  • Choose inspection scope (headers, cookies, body) and cap max body bytes inspected
  • Select categories (SQLi, XSS, Path Traversal always available; additional categories may be plan-enforced)
  • Tune sensitivity (balanced vs strict) to control how aggressively patterns match
  • Select action mode (Log / Block / Challenge / Rate Limit) where available
Important: Turning on body inspection and strict sensitivity at the same time can increase false positives and CPU cost. Change one variable at a time.

Custom Rules Engine

Where: AegisWAF → WAF Settings (Custom Rules)

Custom Rules let you define your own match conditions (path patterns, methods, “contains all” token checks, and optional regex lines) and choose an action. This is ideal for protecting sensitive endpoints, blocking known-bad scanners, or allowing trusted integrations.

Key capabilities

  • Path matching supports wildcards (* and ?) for flexible coverage
  • Methods supported: ANY, GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
  • Actions include Log, Block, Allow (and other actions depending on enforcement mode)
  • “Contains (all)” matching: one token per line; all tokens must be present to match
  • Regex conditions: one regex per line (may be plan-enforced)
Important: Avoid creating broad Allow rules on sensitive paths; Allow should be narrow (specific IPs, strict tokens) to prevent bypassing protections.

Configuration

  1. Start with a logging rule to confirm your pattern matches the intended traffic.
  2. Review log entries to ensure you are not matching legitimate requests.
  3. Upgrade the action to Block/Challenge only after validation.
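The matching semantics listed above, as an added illustration that is not the plugin's own code: path wildcards (* and ?) are anchored over the full path, a method of ANY matches everything, every "contains (all)" token must be present, every regex line must match (an assumption, mirroring the token check), and the first matching rule in the list decides the action. The rules, the request fields, and the assumption that tokens and regexes are searched across path, query and body are all constructed for this example.

```python
import re

# Constructed rules, not the plugin's own rule format: each uses the fields
# the guide documents (path with * and ? wildcards, method or ANY,
# "contains (all)" tokens one per line, regex lines, and an action).
RULES = [
    {"name": "allow-webhook", "path": "/wp-json/shop/*/webhook", "method": "POST",
     "contains_all": "secret=EXAMPLE_SHARED_SECRET", "regex": "", "action": "Allow"},
    {"name": "block-xmlrpc", "path": "/xmlrpc.php", "method": "ANY",
     "contains_all": "", "regex": "", "action": "Block"},
    {"name": "log-login-post", "path": "/wp-login.php", "method": "POST",
     "contains_all": "log=\npwd=", "regex": r"(?i)wp-submit=", "action": "Log"},
]


def path_matches(pattern, path):
    """Anchored match where * spans any run of characters and ? one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, path) is not None


def rule_matches(rule, req):
    # Assumption: tokens and regexes are checked against path, query and body.
    if rule["method"] != "ANY" and rule["method"] != req["method"]:
        return False
    if not path_matches(rule["path"], req["path"]):
        return False
    haystack = f'{req["path"]}?{req["query"]}\n{req["body"]}'
    tokens = [t for t in rule["contains_all"].splitlines() if t.strip()]
    if not all(t in haystack for t in tokens):
        return False
    regexes = [r for r in rule["regex"].splitlines() if r.strip()]
    return all(re.search(r, haystack) for r in regexes)


def evaluate(rules, req):
    """Return (rule name, action) of the first matching rule, else None."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["name"], rule["action"]
    return None


if __name__ == "__main__":
    # Constructed sample requests walked through the rule list in order.
    login = {"method": "POST", "path": "/wp-login.php", "query": "",
             "body": "log=admin&pwd=x&wp-submit=Log+In"}
    hook = {"method": "POST", "path": "/wp-json/shop/v1/webhook",
            "query": "secret=EXAMPLE_SHARED_SECRET", "body": "{}"}
    print(evaluate(RULES, login))  # ('log-login-post', 'Log')
    print(evaluate(RULES, hook))   # ('allow-webhook', 'Allow')
```

Note that the Allow rule is narrow in the way the guide recommends: it needs the webhook path, the POST method and the shared token, so a request on the same path without the token falls through to the remaining rules and managed inspection.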

Heuristic Layer (Score-based detection)

Where: AegisWAF → WAF Settings (Heuristics)

The heuristic layer is a scoring system that detects suspicious requests that do not match a specific signature. It evaluates patterns such as unusual encoding, abnormal token lengths, and suspicious “meta” indicators, then compares a total score against thresholds.

Key capabilities

  • Score threshold tuning (overall sensitivity)
  • Encoding threshold and meta threshold tuning (evasion and suspicious markers)
  • Token length controls to detect payload anomalies
Important: Heuristics are powerful but can be noisy on sites with complex search or API payloads. Use Endpoint Policies to apply stricter heuristics only where needed.

Endpoint Policies (Per-path overrides)

Where: AegisWAF → WAF Settings (Endpoint Policies)

Endpoint Policies allow you to apply different inspection and actions per route. This is how you run strict settings on /wp-login.php while keeping a webhook endpoint permissive, or enforce a different action for a single path without changing global defaults.

Key capabilities

  • Per-path policy matching, with log entries recording which policy was applied
  • Override action and selected categories per endpoint
  • Override thresholds (heuristic tuning) per endpoint
Important: If a policy is too strict on a critical endpoint, you can break integrations. Always test webhooks and API clients after changes.

Configuration

  1. Identify sensitive endpoints (login, xmlrpc, admin-ajax, REST auth routes) and apply stricter actions.
  2. Identify business-critical endpoints (payment gateways, shipping webhooks) and apply targeted allowances if needed.
  3. Validate in logs, then refine.
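How a per-path override interacts with score-based detection (covering both the Heuristic Layer and Endpoint Policies sections above), as an added example that is not the plugin's own code: the global settings, the two policies, the two signals (percent-encoded byte count and longest token) and the point weights are all constructed for illustration, and policies are assumed to match on the exact path with omitted keys falling back to the global value.

```python
import re

# Constructed global settings (illustrative values, not the plugin's own
# defaults): default action plus the heuristic thresholds the guide names.
GLOBAL = {"action": "Log", "score_threshold": 30,
          "encoding_threshold": 6, "max_token_len": 256}

# Constructed per-path policies keyed by exact path; any key a policy omits
# falls back to the global value.
POLICIES = {
    "/wp-login.php": {"action": "Block", "score_threshold": 15,
                      "encoding_threshold": 2, "max_token_len": 64},
    "/wp-json/shop/v1/webhook": {"score_threshold": 80, "max_token_len": 8192},
}


def effective_settings(path, policies=POLICIES, base=GLOBAL):
    """Overlay the matching endpoint policy (if any) on the global defaults."""
    merged = dict(base)
    merged.update(policies.get(path, {}))
    return merged


def signals(query, body):
    """Constructed signals: percent-encoded byte count and longest token."""
    raw = f"{query}&{body}"
    encoded = len(re.findall(r"%[0-9A-Fa-f]{2}", raw))
    tokens = [t for t in re.split(r"[&=]", raw) if t]
    return {"encoded": encoded, "longest": max((len(t) for t in tokens), default=0)}


def decide(path, query, body):
    """Return the effective action if any threshold is crossed, else None."""
    cfg = effective_settings(path)
    sig = signals(query, body)
    # Constructed weights: 5 points per encoded byte, 10 for an oversized token.
    score = sig["encoded"] * 5 + (10 if sig["longest"] > cfg["max_token_len"] else 0)
    triggered = (score >= cfg["score_threshold"]
                 or sig["encoded"] >= cfg["encoding_threshold"]
                 or sig["longest"] > cfg["max_token_len"])
    return cfg["action"] if triggered else None


if __name__ == "__main__":
    # The same curly apostrophe (UTF-8, percent-encoded) in a user name is
    # tolerated by the global thresholds but blocked by the strict login policy.
    print(decide("/", "s=O%e2%80%99Brien", ""))                       # None
    print(decide("/wp-login.php", "", "log=O%e2%80%99Brien&pwd=x"))  # Block
    print(decide("/wp-json/other", "", "x" * 300))                    # Log
    print(decide("/wp-json/shop/v1/webhook", "", "{" + "a" * 1000 + "}"))  # None
```

The last two calls show the other direction of the trade-off: a 300-character token is an event under the global limit, while the webhook policy raises the limit so a large JSON payload passes without a heuristic event.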

API Shield

Where: AegisWAF → API Shield

API Shield focuses on protecting API-style traffic such as REST routes and webhook-like endpoints. It is designed to reduce abuse (automation, scraping, credential stuffing against API auth routes) while allowing legitimate integrations.

Key capabilities

  • API-aware inspection and logging (route and method visibility)
  • Optional enforcement modes (log/block/challenge/rate limit based on plan)
  • Works best when combined with Endpoint Policies for precise route targeting
Important: API endpoints are often used by apps and services. Start with logging to learn baseline behavior before enforcing blocks.

Bot Control

Where: AegisWAF → Bot Control

Bot Control helps detect and mitigate automated traffic: aggressive scrapers, brute-force tools, and abusive crawlers. It can apply allow/deny logic, challenges, and bot-focused policies while recording detailed events for investigation.

Key capabilities

  • Bot detection signals recorded to logs for attribution and tuning
  • Controls for challenges/tokens where available
  • Useful for protecting high-value endpoints and reducing resource exhaustion
Important: Overly strict bot controls can affect legitimate search engine crawlers or uptime monitors. Use allow rules for known-good agents/IPs and verify in logs.

DDoS Settings (Volume & rate protection)

Where: AegisWAF → DDoS Settings

DDoS Settings provide rate/volume protection to reduce the impact of high-frequency requests. This is especially useful during spikes caused by abusive bots, credential stuffing bursts, or simple layer-7 floods.

Key capabilities

  • DDoS engine that evaluates request rate patterns
  • Configurable actions and thresholds (plan/enforcement dependent)
  • Event logging so you can see what was throttled and why
Important: If thresholds are too low, you may throttle real users during traffic spikes. Base thresholds on observed normal peak traffic.

Visual Intelligence (Charts)

Where: AegisWAF → Overview (and Logs / Attack Story)

Visual Intelligence charts turn raw events into trends. Use charts to quickly answer: “What changed?”, “Which routes are being targeted?”, and “Is a mitigation working?”

Key capabilities

  • Charts across WAF, API Shield, Bot Control, DDoS, and Attack Story
  • Pairs well with log filters for drill-down
  • Great for post-incident review and tuning

Geo / ASN Intelligence and Filtering

Where: AegisWAF (varies by feature)

AegisWAF includes Geo/ASN support so you can reason about traffic sources. This is useful for identifying bot networks, hosting-provider ASNs, or region-based patterns that correlate with abuse.

Key capabilities

  • Geo/ASN provider support for enrichment
  • Use in investigations to attribute traffic and decide mitigations
  • Can be combined with allow/deny strategies and alerts
Important: Geo/ASN signals are probabilistic. Avoid blocking entire countries/ASNs without confirming impact on legitimate users.

License, Matrix and Settings

Where: AegisWAF → License, Matrix and Settings

This tab manages license activation and shows the feature matrix/enforcement behavior for your current plan. Some advanced enforcement modes (for example, regex conditions, certain managed-rule categories, challenge/rate-limit actions) may be gated by plan.

Configuration

  1. Enter your license key and activate.
  2. Review the matrix to understand which actions are enforced (Log-only vs Block/Challenge/Rate Limit).
  3. Revisit settings after activation to apply your desired enforcement mode.

Operational checklists

Rollout checklist (new install)

  1. Confirm you can still access wp-admin after activation.
  2. Keep global actions in Log mode initially.
  3. Enable managed rules and inspect headers/cookies first.
  4. Set retention to at least 7–30 days.
  5. Watch logs for false positives and noisy routes.
  6. Create endpoint policies for sensitive routes (login, xmlrpc, admin-ajax).
  7. Enable Bot Control and API Shield in logging-first mode.
  8. After baseline is understood, enable enforcement (Block/Challenge/Rate Limit) one module at a time.

Incident checklist (under active attack)

  1. Open Attack Story (last 24h) and identify top routes and IPs.
  2. Apply the smallest effective control (block a specific IP, tighten one endpoint policy, challenge bots).
  3. Re-check charts and logs to confirm the attack volume drops.
  4. Increase protection only if needed (broader policies, stricter thresholds).
  5. Document what changed (what you enabled and why) so you can revert safely later.

Troubleshooting

Common issues and fixes

  • I got locked out of wp-admin. Temporarily set enforcement to Log (or disable the strict module), or add a narrow Allow rule for your IP and the admin path. If you cannot access the UI, disable the plugin via FTP by renaming the plugin folder.
  • Legitimate form submissions are blocked. Find the relevant log entries by filtering the route and method, then adjust thresholds or create an Endpoint Policy for that path. Start by switching that path to Log while you tune.
  • Webhook / API integrations fail. Check API Shield and Endpoint Policy logs for the webhook route. Create a targeted allowlist rule (specific path + shared secret token) or relax inspection scope for that endpoint.
  • High CPU usage. Reduce inspection depth (disable body inspection globally), lower max body bytes, and focus deep inspection only on sensitive endpoints using Endpoint Policies.
  • Logs are empty. Confirm the plugin is activated and you are viewing the correct date range. Generate a test request and refresh. Ensure retention is not set to 0.