Wordfence Security - Firewall & Malware Scan: Issues with WAF and WP in its own subfolder

  • Resolved SoN9ne

    (@son9ne)


    To help resolve a previous issue that I have open on here already, I wanted to make sure I configure the wordfence-waf.php file to prepend to my requests.

    The issue I am running into is that I am fighting against Wordfence with this. I have WordPress installed in a subdirectory as this is a supported way to run WordPress: https://wordpress.org/support/article/giving-wordpress-its-own-directory/

    I have a more advanced setup where I have a folder structure similar to:

    – public
    – wp-content (all project files outside of WP)
    – wordpress (only vanilla WordPress files, no plugins/themes other than default)
    – index.php
    – etc. (other webroot files like .htaccess and wp-config.php)

    This allows me to use WP_CONTENT_DIR and WP_CONTENT_URL to specify a custom wp-content directory.

    The issue I am experiencing is that when I tell Wordfence to use “Extended Protection”, it is putting the wordfence-waf.php file into the wordpress directory. Mind you, the actual location of the Wordfence plugin is in my custom wp-content/plugins directory. Nothing should be used inside the WordPress directory as updating WordPress would delete these files. So every update would crash the site… that’s a biggie.

    Since I have my project in a repo and utilize a launch script to set up my ASG, I would prefer to keep wordfence-waf.php in the webroot. This is fine and I can make my own edits to the .user.ini, .htaccess file and the wordfence-waf.php to use define('WFWAF_STORAGE_ENGINE', 'mysqli');.

    My concern is this:

    If I do not click the button in the Wordfence options to use the “Extended Protection”, by having these already added myself, would this still enforce properly? The options page just says Basic Protection and that is not the case as I am prepending the file. Does that matter with the actual enforcement or is that just a visual thing in the settings?

    If I do click that button, it configures it inside the wordpress directory and that is a problem. I can manually move the file and update the .user.ini but when I check with the Diagnostic tool (wordfence-waf.php path), it still shows it being in the wordpress directory. I do not know where to modify this to show the correct path.

    I am not sure if it showing this is an issue and that is why I am here.
    I just want to include my own path for the wordfence-waf.php and use my own .user.ini file.

    I have tested it and it seems to work when I do this myself and just ignore the options button, but I am unsure of the inners of Wordfence and if those values above would have any negative effect on the system. Also, it would be nice if the settings page reflected my actual settings if done manually, as the .user.ini exists with the wordfence-waf.php and there is an entry in the .htaccess file.

    Ideally, is there a constant I can specify to define a path to place the wordfence-waf.php?

    Thanks for any insight you can provide.

  • Thread Starter SoN9ne

    (@son9ne)

    Folder structure is unclear, cannot edit so here is a better version:
    public
    – wp-content (all project files outside of WP)
    – wordpress (only vanilla WordPress files, no plugins/themes other than default)
    – index.php
    – etc. (other webroot files like .htaccess and wp-config.php)

    Thread Starter SoN9ne

    (@son9ne)

    Issue appears to be a caching issue. Manually setting up wordfence-waf.php worked as expected.

    This is clearly explained by Wordfence:

    Troubleshooting
    If installation completes without errors but the firewall still shows Basic WordPress Protection: Some servers have a delay, usually only up to 5 minutes before the changes will take effect, due to caching. Waiting for 5 minutes and checking again will solve the issue, if this is the case. If the “Click here to configure” button still appears after completing setup and waiting about 5 minutes, your host may not use the typical configuration files, such as .user.ini.


    Hi @son9ne I have the same problem. Can you explain how you managed to set and keep the WAF file outside the /wp/ folder?
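
A deploy-time check for the manual setup discussed in this thread, as an added example that is not part of the original posts and is not Wordfence's own code: it reads .user.ini in the webroot and reports when auto_prepend_file points at a missing file or at a file inside the WordPress core directory. The function names, the temporary public/wordpress layout and the placeholder file contents are constructed for illustration, and an absolute prepend path is assumed.

```python
import re
import tempfile
from pathlib import Path

def read_prepend_path(user_ini: Path):
    """Return the last auto_prepend_file value in a .user.ini, or None if unset."""
    value = None
    for line in user_ini.read_text().splitlines():
        # Lines starting with ';' are ini comments and never match here.
        m = re.match(r"\s*auto_prepend_file\s*=\s*(.*)", line)
        if m:
            value = m.group(1).strip().strip("'\"")
    # PHP treats an empty value or "none" as "no prepend file".
    return Path(value) if value and value.lower() != "none" else None

def check_waf_prepend(webroot: Path, core_dir: Path):
    """Return a list of problems; an empty list means the prepend survives core updates."""
    user_ini = webroot / ".user.ini"
    if not user_ini.is_file():
        return ["no .user.ini in webroot"]
    target = read_prepend_path(user_ini)
    if target is None:
        return ["auto_prepend_file is not set"]
    target = target.resolve()  # assumption: the ini holds an absolute path
    problems = []
    if not target.is_file():
        # PHP fails every request when the prepend file cannot be opened.
        problems.append(f"prepend target missing: {target}")
    if core_dir.resolve() in target.parents:
        problems.append(f"prepend target is inside core directory: {target}")
    return problems

def demo():
    """Build the thread's layout in a temp dir (constructed sample), check both placements."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "public"
        core = webroot / "wordpress"
        core.mkdir(parents=True)
        results = {}
        for label, waf in (("core", core / "wordfence-waf.php"),
                           ("webroot", webroot / "wordfence-waf.php")):
            waf.write_text("<?php // placeholder, not the real WAF loader\n")
            (webroot / ".user.ini").write_text(f"; Wordfence WAF\nauto_prepend_file = '{waf}'\n")
            results[label] = check_waf_prepend(webroot, core)
        return results

if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

Run from a launch script, a non-empty result is a reason to stop the deployment before PHP starts serving requests.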
