Topic: Updated Comodo WAF Rules (2025/2026) for CWP & WordPress - Community Feedback

Offline
*
Hi everyone,

Since the official Comodo free ruleset hasn't been updated in over two years, I decided to take action. I have manually created an updated ruleset (2025/2026) to handle modern threats, specifically focusing on the new wave of AI scrapers and aggressive bots that cause unnecessary CPU/RAM drain.

I’ve been testing these rules on several high-traffic WordPress environments, and so far, the results are great: zero false positives in the admin area and significantly lower server load.

You can check out the updated rules and the documentation on my GitHub here:
https://github.com/sminozzi/SBB-WAF-Rules
Please feel free to test them out—I’m very open to feedback and suggestions if you see anything that could be improved!

Please note that there is no automatic installer for these updates. You will need the technical skills to manually replace the necessary files in your ModSecurity directories. Since environments can vary, I cannot provide individual support for the installation process. I highly recommend performing a full backup of your current rules before making any changes.

If you have any feedback or suggestions on how to improve these rules, please let me know. I'm always looking for ways to refine the protection and would love to hear about your experience with them.

Best regards,
Bill

Offline
*****
Hi Bill, thanks for your efforts -- any contribution is valuable. I for one will have to pass though -- I can't have my servers' security depend on one person's lone efforts no matter how noble the intent. I've been making the latest OWASP rulesets work (omitting a list of false positives) and it is generally stable. Wish Comodo hadn't lost their identity and their product direction, but had to cope and life goes on!

Offline
*****
The OWASP CRS Ruleset is the best to use, and is free, and using their other half ModSecurity, it is easy to disable any rules needed.