Support » Plugin: Wordfence Security - Firewall & Malware Scan » Nothing Wordfence in .htaccess file

  • Resolved tettt



    I have your fantastic plugin installed on my site. It was installed after I installed All in one Security, which means I have both running. Things are going fine and your plugin does protect the site. Just one question: When I check the .htaccess file, I find nothing from Wordfence there.

    Is it still running? Do I need to add anything in the .htaccess file or wp-config or whatever file so as to let your plugin do the best.

    PS: I have some snipsets in the .htaccess file to protect it (don’t remember whether I put the snipsets before I install Wordfence or after).


Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @tettt,

    Can you go into Wordfence -> Tools -> Diagnostics -> Wordfence Firewall (Current WAF configuration), and tell me the following fields?

    – WAF auto prepend active
    – WAF subdirectory installation
    – wordfence-waf.php path

    If the auto prepend active is No, that means the firewall is not optimized, and you will want to reinstall Wordfence.

    If it’s Yes, then you should be set. Wordfence is working properly, and it’s possible your site is using a .user.ini, or a php.ini setting to route traffic to Wordfence.


    Thread Starter tettt


    Thank you for your response.

    I checked it as you said, and it says NO. But that may be because I did not set the extended protection mode. After I set the extended protection mode, it says WAF auto prepend active: YES.

    I check the .htaccess file, and now, it has the following added to the very end of the file (even after the WordPress core section):

    # Wordfence WAF
    <IfModule LiteSpeed>
    php_value auto_prepend_file ‘/home3/tiengan3/public_html/wordfence-waf.php’
    <IfModule lsapi_module>
    php_value auto_prepend_file ‘/home3/tiengan3/public_html/wordfence-waf.php’
    <Files “.user.ini”>
    <IfModule mod_authz_core.c>
    Require all denied
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all

    # END Wordfence WAF

    I also check the file: .user.ini, it has the following (nothing else):

    ; Wordfence WAF
    auto_prepend_file = ‘/*************/public_html/wordfence-waf.php’
    ; END Wordfence WAF

    I also check the file: php.ini.bk (I cannot find php.ini), and it is a blank file.

    My question is: Is it OK now, and is there anything I need to correct?

    Another question:

    Under Tools >>> Diagnostics >>> IP Detection, I found:

    REMOTE_ADDR: in use

    This is not my IP address. Is that a security problem? What should I do?

    Many thanks

    Hi again,

    Yes! It looks like the extended protection wasn’t enabled before, but now that you’ve enabled it, there’s nothing else you need to do.

    As for your other question, if your IP address is not correct, you should try this:

    1. Go to Wordfence -> All Options
    2. Click on each and every option found in How does Wordfence get IPs
    3. Find which one makes Your IP with this setting match your true IP address

    Your true IP address can be found here:

    For example:


Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Nothing Wordfence in .htaccess file’ is closed to new replies.