.user.ini (is a Wordfence file?) | WordPress.org

Resolved toby1kenobi
(@toby1kenobi)

1 year, 3 months ago
Wordfence flagged up a couple of issues, one of which was, “Publicly accessible config, backup, or log file found: .user.ini”. If I look at that file it looks like something created by Wordfence, its contents are:
```
<?php
// Before removing this file, please verify the PHP ini setting auto_prepend_file does not point to this.

if (file_exists(DIR.'/wp-content/plugins/wordfence/waf/bootstrap.php')) {
define("WFWAF_LOG_PATH", DIR.'/wp-content/wflogs/');
include_once DIR.'/wp-content/plugins/wordfence/waf/bootstrap.php';
```
Should I delete this, move it, leave it where it is??

Viewing 1 replies (of 1 total)

Plugin Support wfpeter
(@wfpeter)

1 year, 3 months ago

Hi @toby1kenobi,

No, Wordfence puts contents in the .user.ini file if your server’s configuration uses it for our firewall’s Extended Protection rather than .htaccess. You’re just being warned that it’s publicly visible if somebody were to try it in a browser.

Are you able to use the “HIDE FILE” option offered to you in the scan results? This will usually add some code to make sure it isn’t visible or downloadable in future.

There are also some instructions here if you’re unable to hide it automatically: https://www.wordfence.com/help/scan/scan-results/#public-logs

Thanks,
Peter.

Viewing 1 replies (of 1 total)

The topic ‘.user.ini (is a Wordfence file?)’ is closed to new replies.

1 reply
2 participants
Last reply from: wfpeter
Last activity: 1 year, 3 months ago
Status: resolved