• Resolved shinerweb

    (@shinerweb)


    Daft question on the WAF in Learning Mode.
    On updating one of my clients' sites, I left it running in Learning Mode but had set it to not automatically enable on completion.

    However, during the “learning period”, I was getting a few hits from hackers looking for vulnerabilities (i.e. filter URLs for objects that don’t exist on that server – hackers looking for themes, plugins or exploits in unpatched core code etc.).

    I checked another client’s site which had recently been subjected to a scan for vulnerabilities by a hacker which had created around 47 whitelisted rules for filter URLs that don’t exist on my own server (all 47 came from the same IP address).

    Checking other sites it appears the only entries in my whitelists are invalid requests for objects that don’t exist on my server.
    In fact, of the 150+ entries in the various whitelists across 8 different domains/installs, there doesn’t appear to be a ‘valid’ entry at all. (One exception could be a single entry for “/wp-admin/admin-ajax.php”, but that was using the query string “request.queryString[video]” and came in the middle of another ‘attack’ from an IP address that created another 20+ whitelisted entries for non-existent objects in the filter URLs.)

    Daft question time… (1) Why would the WAF even whitelist a file/app/URL that doesn’t exist on the server?

    https://wordpress.org/plugins/wordfence/

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Web Application Firewall – Learning Mode Whilst Under Attack’ is closed to new replies.