Support » Plugin: Wordfence Security - Firewall, Malware Scan, and Login Security » Causing issues blocking HTML in other directories?

  • Resolved patjk


    I’ve been using Wordfence on all my sites and love it, thanks.

    I’m having an issue on one site in particular. I have wordpress and wordfence installed on, which is our homepage blog.

    On, we have a community forum setup running on Xenforo. I had issues updating some HTML BBCode in that when I tried to update, and click save, a blank page would load with just a datestamp and nothing would save. Spent months seeking help from Xenforo and no one knew.

    Today I disabled wordfence on the wordpress, and was able to save.

    How can I keep Wordfence enabled but not let it affect the /forum directory or other directories on the server?

Viewing 8 replies - 1 through 8 (of 8 total)
  • I would suggest you use either the .user.ini or the .htaccess file in the forum directory to tell PHP to STOP auto-prepending the Wordfence WAF firewall file into there. It is catching and blocking some of the POSTs.
    Since your forum is in a subdirectory of the main install, the WAF “auto_prepend” will extend into there.

    Put this option in the forum directory’s .htaccess file

    php_value auto_prepend_file none

    Or better, create a .user.ini file in that directory stating


    The “none” tells PHP that you do not want an “auto_prepend_file” to be used there.

    Thread Starter patjk


    @crudhunter : Thanks, I tried this method yesterday:
    “create a .user.ini file in that directory stating

    And the issue still persists. This should be in the /forum directory, right?

    Should I try the .htaccess method instead? I’m wondering why the .user.ini method isn’t working.


    Not all hosting environments support .user.ini files. They are only supported and processed if you run the CGI/FastCGI SAPI. In other types, like suPHP, use .htaccess.

    The auto_prepend config can generally be placed in either of php.ini, .user.ini, or with the different syntax, in .htaccess files. Just like other PHP config values.
    IF the PHP environment you are using supports that file. As mentioned, .user.ini is only supported by CGI/FastCGI/PHP-FPM. Not under others.

    One thing to check is where the original “auto_prepend = Wordfence WAF” config is in your site’s root directory. Did Wordfence put it in php.ini, .user.ini, or .htaccess? You should likely use the same to turn it off for the subdirectory.

    Yes, to do the disconnect, it would have to go in the forums directory.

    Hi patjk,
    as has already been stated, the solution to this would be to replicate the Wordfence Firewall Optimization in the subdirectory where your forum resides but change it so it sets the auto_prepend_file value to none. So just check what the setup looks like in the root of your WordPress installation, copy the setup to your forum subfolder and change the code which might look something like this

    php_value auto_prepend_file '/home/public_html/wordfence-waf.php'

    to this

    php_value auto_prepend_file none

    The setup will either involve code in .htaccess, code in .user.ini or a .user.ini and code in .htaccess which loads the .user.ini.

    Be careful not to copy your WordPress .htaccess rules with it as that may give some undesired effects. 🙂

    Hope that helps!

    Thread Starter patjk


    @crudhunter @wfasa Thanks. So in the root directory of, in .htaccess I see:

    # Wordfence WAF
    <IfModule mod_php5.c>
    	php_value auto_prepend_file '/home/patjk/public_html/speedsolving/wordfence-waf.php'
    </IfModule>
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    </IfModule>
    </Files>
    # END Wordfence WAF


    I added that same code above to the .htaccess of except I changed:
    php_value auto_prepend_file '/home/public_html/wordfence-waf.php'

    to this:
    php_value auto_prepend_file none

    Is that correct? Or do I need to look into user.ini and php.ini as well? It seems to have solved the issue but want to confirm all is okay. Thanks

    The auto_prepend would normally be only on one place. So if you found it in .htaccess, that would be it.

    You really only need to add the

    php_value auto_prepend_file none

    in the /forum directory’s .htaccess.
    You are simply turning off running of the WAF so the forum software can run.

    Thread Starter patjk


    Thanks, much appreciated!

    Hi again patjk!
    Hoping you got that all sorted now. Setting this thread to resolved for now but don’t hesitate to get back in touch if you have more questions in the future.

    Hope you have a great weekend!

  • The topic ‘Causing issues blocking HTML in other directories?’ is closed to new replies.
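
An added example (not part of the thread and not Wordfence code): a Python audit that walks a document root and lists the directories where the effective auto_prepend_file is unset or "none", that is, where the WAF discussed above does not run, checked separately for the .htaccess and .user.ini mechanisms. The sample tree, the /srv/example path and the function names are constructed for illustration; the script assumes the nearest directory's setting wins and does not evaluate `<IfModule>` conditions.

```python
import os, re, tempfile

# Directive syntax per config file: .htaccess (mod_php) vs .user.ini (CGI/FastCGI/PHP-FPM)
PATTERNS = {
    ".htaccess": re.compile(r"^[ \t]*php_value[ \t]+auto_prepend_file[ \t]+(\S.*?)[ \t]*$", re.I | re.M),
    ".user.ini": re.compile(r"^[ \t]*auto_prepend_file[ \t]*=[ \t]*(\S.*?)[ \t]*$", re.I | re.M),
}

def own_setting(directory, config_name):
    """auto_prepend_file value set in this directory's config file, else None."""
    path = os.path.join(directory, config_name)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        found = PATTERNS[config_name].findall(fh.read())
    return found[-1].strip("'\"") if found else None  # last directive wins

def waf_disabled_dirs(docroot, config_name):
    """Relative paths of directories whose effective auto_prepend_file is unset or 'none'."""
    docroot = os.path.abspath(docroot)
    effective, disabled = {}, []
    for current, dirs, _ in os.walk(docroot):  # top-down: parents before children
        dirs.sort()
        own = own_setting(current, config_name)
        value = own if own is not None else effective.get(os.path.dirname(current))
        effective[current] = value
        if value is None or value.lower() == "none":
            disabled.append(os.path.relpath(current, docroot))
    return disabled

def build_sample_tree(forum_files):
    """Constructed sample: WAF enabled in the site root .htaccess, plus given forum files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "forum", "styles"))
    os.makedirs(os.path.join(root, "wp-content"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("<IfModule mod_php5.c>\n\tphp_value auto_prepend_file '/srv/example/wordfence-waf.php'\n</IfModule>\n")
    for name, body in forum_files.items():
        with open(os.path.join(root, "forum", name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    # A .user.ini override has no effect when the WAF is wired through .htaccess
    ini_only = build_sample_tree({".user.ini": "auto_prepend_file = none\n"})
    print(waf_disabled_dirs(ini_only, ".htaccess"))
    # The .htaccess override disables the WAF for /forum and everything below it
    both = build_sample_tree({".htaccess": "php_value auto_prepend_file none\n"})
    print(waf_disabled_dirs(both, ".htaccess"))
```

Run it with the config file name that matches how the WAF is actually loaded on the server; every path it reports is served without the firewall and needs its own protection.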