Issue
A common WAF rule set will not necessarily cover every vulnerability, because it is designed to protect against vulnerabilities effectively while reducing unnecessary false positives.
Environment
- Imunify360
- Some sort of synthetic test
Solution
The Imunify team works hard to write straight-to-the-point rules that fight real attacks and so decrease false positives (FPs). We strongly believe that logic relying on massiveness increasingly shows flaws that give attackers the possibility to continue their malicious activity.
More broadly speaking, our product is designed to protect web servers against global threats (e.g. massive attacks, vulnerabilities related to CMSs), to cover the gaps that are not covered by an updated CMS, and to close the loopholes of popular plugins.
In real-world use of our product, it is presumed that most vulnerabilities should be addressed at the application design level.
To address these concerns, there are numerous mechanisms that protect against such vulnerabilities in real CMSs and plugins. Proactive Defense and PHP Immunity are responsible for preventing unsafe and suspicious actions. Attacking IPs will be blocked by the firewall, and existing viruses will be deleted by signatures.
cPanel, for example, has a feature that prevents unsafe executions from being called, and you might want to look further in this direction.
One workaround for self-signed CMSs or scripts that might be vulnerable to, for example, brute-force attacks is to create a custom rule.
As for protection at the OS level, CloudLinux, for example, has HardenedPHP, which includes patched versions of obsolete PHP packages, as well as CageFS to minimize infection scope, and other unique patches.
Cause
Even if we create a rule for a vulnerable web application, it likely won’t help much in the real environment.
Useful links
- https://docs.imunify360.com/dashboard/#proactive-defense
- https://docs.imunify360.com/dashboard/#proactive-defense-2
- https://docs.imunify360.com/dashboard/#hardenedphp
- https://www.cloudlinux.com/features/#hardened-php
- https://docs.cpanel.net/knowledge-base/security/recommended-security-settings/
- https://github.com/digininja/DVWA