Unable to optimise the firewall

Resolved Sarah
(@reenipants)

4 years, 3 months ago

Hello,

I’m having difficulty optimising the firewall. I have followed the troubleshooting guides but no matter what I do, the “WAF auto prepend active” shows as “no”.

I’m not sure if I’m missing something?

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Support wfpeter
(@wfpeter)

4 years, 3 months ago

Hi @reenipants, thanks for getting in touch.

Have you followed both the troubleshooting and initial setup documentation? Just for clarity I’ll leave both of those links below:
https://www.wordfence.com/help/firewall/optimizing-the-firewall/#firewall-optimization-setup
https://www.wordfence.com/help/firewall/optimizing-the-firewall/troubleshooting/

Trouble can also originate from either a permissions or situation where another security plugin is installed and using this directive already.

The INCLUDE option in our WAF optimization wizard should overridde other products using the auto_prepend_file value so that our wordfence-waf.php file would then include the previous value also to prevent something from breaking. It may help to try this process without other plugins running in case the file being in use is stopping our value being written/modified.

Ensure permissions on your WordPress site’s directories are 755 and that the owner on your WordPress root directory (and all contained directories) is www-data.

Let me know how that goes for you.

Peter.
Thread Starter Sarah
(@reenipants)

4 years, 3 months ago
Hello Peter,

Yes, I’ve followed both the troubleshooting and initial setup documentation.

Directive in the .user.ini file is:
; BEGIN Wordfence WAF
auto_prepend_file = ‘/home/username/public_html/wordfence-waf.php’
; END Wordfence WAF

I have the following directive in .htaccess:
# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file ‘/home/username/public_html/wordfence-waf.php’
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file ‘/home/username/public_html/wordfence-waf.php’
</IfModule>
<Files “.user.ini”>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF

I have also tried renaming .user.ini to php.ini without any success.
I have deactivated all plugins and tried with just WordFence running. It didn’t work.

My site is on A2 Hosting.
Server API: LiteSpeed V8.0 Cloudlinux 1.3 .
$_SERVER[‘SERVER_SOFTWARE’] LiteSpeed

Permissions on my WordPress site’s directories are 755.
How do I check that the owner on my WordPress root directory is www-data?
- This reply was modified 4 years, 3 months ago by Sarah.
Thread Starter Sarah
(@reenipants)

4 years, 2 months ago
Just an update…

I inserted this code into .htaccess of my root folder:
```
# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/username/public_html/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/username/public_html/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>

# END Wordfence WAF
```
That didn’t work on its own, so I created .htaccess within /wp-admin/ where I also inserted the code. I refreshed the firewall and it now states “extended protection”.

I’m now wondering whether this is just a temporary fix or an actual solution? Should I copy that code across to .htaccess in /wp-content/ and /wp-includes/ or just leave it as it is? Is it actually providing the proper level of protection?
Thread Starter Sarah
(@reenipants)

4 years, 2 months ago
Hello,

I’ve been back-and-forthing with my hosting provider.

They have confirmed that my .htaccess is recursive, so it doesn’t make sense that the Wordfence auto_prepend_file code is not working even though I have it in “/home/username/public_html/.htaccess”.
```
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/username/public_html/wordfence-waf.php'
</IfModule>
```
The auto_prepend_file doesn’t seem to work unless I put it into “/home/username/public_html/wp-admin/.htaccess”. I asked my Hosting provider whether there was a reason for this, as I thought it would work if I just had it in “/home/username/public_html/.htaccess”.

This was their response:

While investigating the issue, I found that the plugin was originally intended to work with auto_prepend_file added in the .user.ini file and the .htaccess was only a secondary alternative to it. You may refer to the developers thread at:

https://wordpress.org/support/topic/waf-configuration-installation-issue/#post-14173061

Since there is no server-level restriction on this, I would recommend you reach out to the vendor for more insight on this.

I followed the instructions at that post link also, without any success.

So to clarify, I have now tried the following:

– Added define('WFWAF_STORAGE_ENGINE', 'mysqli'); inside wordfence-waf.php
– Removed the “wp-content/wflogs” folder
– Switched the Firewall from ‘Learning mode’ to ‘Enabled and Protecting’

The following code is in the .htaccess file in my root directory:
```
# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
# END Wordfence WAF
```
In the same directory, I have a .user.ini file with the following code:

; Wordfence WAF
auto_prepend_file = ‘/home/username/public_html/wordfence-waf.php’
; END Wordfence WAF

I have even tried the other user’s suggestion of renaming the .user.ini file and then renaming it back again, without any success.

Any insight would be very much appreciated.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Unable to optimise the firewall’ is closed to new replies.