I’m also curious of how the setup works if there’s no php.ini file
Anyone got suggestions on how to make this work, I tried adding a prepend directive to my .htaccess file but that does not seem to work, should it? How do people without access to php.ini make this work?
Hello VKWebmaster,
The installation works without tweaks on most servers and you do not normally need access to php.ini. It depends on your server setup but one way it can work is that a user.ini file is created in the root of your site. When configuring the firewall, which option did you choose in the drop-down menu? (If it was preselected, which one was preselected?)
The site I’m working on doesn’t have a php.ini file. The automatic way of doing the install doesn’t create a user.ini file. Also the plugin gives you a manual method of setting it up, but at the bottom it says “Additionally, you will need to append the following code to your php.ini” whcih obviously doesn’t work if you don’t have one.
By the way the server configuration preselected for me was Apache + mod_php I created a phpinfo file and I see mod_php5 in the Loaded Modules section, but I also see mod_cgi in there too. But I’m not very educated on servers, but I ‘m guessing the preselection is right.
So do I need to talk to my host about permissions so the user.ini file gets created? or ask if there’s a way to add the php.ini file?
Thanks
The selected option for me was
Apache + suPHP (recommended based on our tests)
After backing up .htacess and user.ini
I end up with a user.ini file with the line
; Wordfence WAF
auto_prepend_file = ‘/usr/local/xxxx/xxxx/xxxx/xxxx/xxxx/WordPress-88806/htdocs/wordfence-waf.php’
; END Wordfence WAF
This is the path to my wordpress install
My .htaccess file has been modified with this additional line
Wordfence WAF
<IfModule mod_suphp.c>
suPHP_ConfigPath ‘/usr/local/xxxx/xxxx/xxxx/xxxx/xxxx/WordPress-88806/htdocs’
</IfModule>
<Files “.user.ini”>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
Where in both instances
/usr/local/xxxx/xxxx/xxxx/xxxx/xxxx/WordPress-88806/htdocs/wordfence-waf.php
is the absolute path to the file
wordfence-waf.php
I can go back to my shared hosting service and clarify aspects of this but I need to know what to ask.
winterstreet,
do you see a “WAF” definition (auto_prepend_file) in your .htaccess?
VKWebmaster,
in your case it’s possible that the host doesn’t allow user.ini. Can you possibly check the error logs on your server? The answer should be there.
Still cannot get this working, I have tried all of the options in the dropdown now without success, Is there some way od debugging this?
According to the hosting firm my site is using CGI/FastCGI, wordfence plugin was identifying my server as Apache + suPHP (recommended based on our tests),
I have changed the dropdown to CGI/FastCGI and reran the firewall configuration but I still get the
To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall
message, can anyone tell me what .htaccess and user.ini should contain for a server API of CGI/FastCGI?
Hello again both of you,
there are unfortunately some sites who do not support the method we use to load the firewall. The reason we use this method is to make sure the firewall loads before everything else on the site.
Could you both checkout this section on host that do not support user.ini and see if it make sense to you?
The host is a small local company. I asked them if they wanted to try setting it up. They said they’d have to bill some time, I left that to my client on if they want to keep working on this. I think they will just skip the firewall. So for me this issue is “resolved” thanks.
Still trying to get this working!
I amended my wordfence-waf.php file to include a line to print a div
as follows:
<?php
// Before removing this file, please verify the PHP ini setting <code>auto_prepend_file</code> does not point to this.
if (file_exists('/usr/local/xxx/vhosts/xxxx/webspace/siteapps/WordPress/htdocs/wp-content/plugins/wordfence/waf/bootstrap.php')) {
define("WFWAF_LOG_PATH", '/usr/local/xxx/vhosts/xxxx/webspace/siteapps/WordPress/htdocs/wp-content/wflogs/');
include_once '/usr/local/xxx/vhosts/xxxx/webspace/siteapps/WordPress/htdocs/wp-content/plugins/wordfence/waf/bootstrap.php';
echo "<div style='display:none;'> MyCheck </div>";
}
?>
I see the tag
<div style=’display:none;’> MyCheck </div>
On every page after that edit. This confirms (I think) that .user.ini is working, wordfence-waf.php is being called and that bootstrap.php is being included but I still get the message saying the firewall needs to be configured.
I see there is a reference to wflogs but I cannot view these, could they give us a clue to what is happening?
Hello VKWebmaster,
thats interesting, thanks for the update. Have you been able to check your servers error logs? They should be available via your web hosts administration tool.
Yes I checked the logs and see no errors during or after the firewall configuration process.
VKWebmaster,
if you click on the link that says “Click to view your system’s configuration in a new window” at the bottom of Wordfence “Diagnostics” page, what does it say under “Server API”?
