• Resolved Erick

    (@relozo)


    Hi,

    Would you be able to confirm that there’s no publicly available information being shown to users visiting the website with WordFence using phpinfo()?

    Also, is it possible to get this disabled on a plugin level? If not, what functionalities use phpinfo()?

  • Plugin Support wfpeter

    (@wfpeter)

    Hi @relozo, thanks for your question.

    A full phpinfo() shouldn’t ever have a reason to be included in a regular public-facing page. Wordfence will only trigger it for a logged-in admin who chooses to view or send diagnostics for troubleshooting purposes from the plugin (Wordfence > Tools > Diagnostics). There’s no way for regular visitors to your site to execute this code, but naturally protecting your admin accounts with complex passwords and two-factor authentication where possible is always good practice.

    You can actually use the disable_functions in your server’s php.ini file to specify phpinfo if you’re concerned. In that case, the server returns Warning: phpinfo() has been disabled for security reasons. As that’s just a warning and not a fatal error, it shouldn’t prevent Wordfence or anything else that uses it from functioning correctly. Your host can help you with that if you’re unsure how to do it.

    I hope that helps you out,
    Peter.
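
An added example, not part of the reply above or of Wordfence's code: a shell check that a given php.ini really lists phpinfo in disable_functions, as the reply suggests setting. The function name `phpinfo_disabled` and the rule that the last uncommented directive wins are assumptions of this example.

```shell
#!/bin/sh
# Check whether a php.ini file disables phpinfo through disable_functions.
# Exit status: 0 = phpinfo is listed, 1 = not listed, 2 = file unreadable.
# Assumption: if the directive appears more than once, the last
# uncommented occurrence is the one that applies.
phpinfo_disabled() {
    ini_file=$1
    [ -r "$ini_file" ] || return 2
    awk '
        # Lines starting with ";" are php.ini comments: ignore them, so a
        # commented-out directive is not mistaken for an active one.
        /^[ \t]*;/ { next }
        /^[ \t]*disable_functions[ \t]*=/ {
            value = $0
            sub(/^[^=]*=/, "", value)   # drop "disable_functions ="
            sub(/;.*$/, "", value)      # drop a trailing comment
            gsub(/[ \t"]/, "", value)   # drop whitespace and quotes
            last = value
            seen = 1
        }
        END {
            if (!seen) exit 1
            n = split(last, names, ",")
            # Exact match on each entry, so a longer name that merely
            # contains "phpinfo" does not count.
            for (i = 1; i <= n; i++)
                if (names[i] == "phpinfo") exit 0
            exit 1
        }
    ' "$ini_file"
}

# Stand-alone use: sh check.sh /path/to/php.ini
if [ "$#" -eq 1 ]; then
    if phpinfo_disabled "$1"; then
        echo "phpinfo is listed in disable_functions in $1"
    else
        echo "phpinfo is NOT listed in disable_functions in $1"
    fi
fi
```

`php --ini` shows which php.ini the command-line PHP loads; the PHP used by the web server may read a different file, so check that one.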

    Thread Starter Erick

    (@relozo)

    Thanks!
