Support » Plugin: Wordfence Security - Firewall & Malware Scan » Optimise Apache + CGI/FastCGI

  • Resolved Malae


    I installed Wordfence on a new domain a few months ago and set up the firewall with no problems. Yesterday I had a notice that the server would be down for maintenance and upgrading. My site was down for 64 minutes and afterwards appeared normal.

    Today I noticed that WF showed the notice: “To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall:”.

    Assuming that the firewall settings had been lost, I clicked to configure and on the Firewall page found:
    “We’ve preselected your server configuration based on our tests, but if you know your web server’s configuration, please select it now: Apache + mod_php (recommended based on our tests).” I clicked and waited, but no change.

    I checked the information about the Server API and found CGI/FastCGI, so chose Apache + CGI/FastCGI. I clicked and waited, but no change.

    The wordfence-waf.php file is in place and has the lines:

    // Before removing this file, please verify the PHP ini setting <code>auto_prepend_file</code> does not point to this.
    if (file_exists('/home/u422710550/public_html/wp-content/plugins/wordfence/waf/bootstrap.php')) {
    	define("WFWAF_LOG_PATH", '/home/u422710550/public_html/wp-content/wflogs/');
    	include_once '/home/u422710550/public_html/wp-content/plugins/wordfence/waf/bootstrap.php';

    The downloaded htaccess file shows the lines:

    # Wordfence WAF
    <IfModule mod_php5.c>
    	php_value auto_prepend_file '/home/u422710550/public_html/wordfence-waf.php'
    # END Wordfence WAF

    However, the file on the server only had the # Wordfence WAF and # END Wordfence WAF lines. I added back the above lines of code. Is this correct?

    The Firewall page shows: Protection Level: Basic WordPress Protection with a button: Optimize the Wordfence Firewall.
    Clicking this, brings me back to the previous set-up page.

    My host uses cPanel, but there is no PHP Variables Manager icon. PHP Version 5.6.30

    What further steps, if any, should I take?

Viewing 15 replies - 1 through 15 (of 18 total)
  • Hi,
    If “Apache + CGI/FastCGI” was chosen, then the plugin should ask you to download “.htaccess and .user.ini” files, as with this server configuration auto_prepend_file value should be added to “.user.ini” file, can you please confirm?

    Also, may I ask what’s your hosting provider? and please go to (Wordfence > Tools > Diagnostics) and scroll down the page till “Send Report by Email” and send the report to “alaa [at] wordfence [dot] com”, make sure to include your forum username, I will take a look at this report and let you know my findings.


    I note that the Wordfence System Info for PHP 5.6.30 shows the Server API as LiteSpeed V6.10. (Diagnostics report e-mailed as requested).

    Noting that, I tried using the LiteSpeed setting, but still not showing the Extended Protection after waiting and refreshing the page.

    I note that there is a user.ini file in the public_html directory, with contents:
    ` ; Wordfence WAF
    auto_prepend_file = ‘/home/u422710550/public_html/wordfence-waf.php’
    ; END Wordfence WAF`

    And .htaccess now has at the bottom:

    # Wordfence WAF
    <IfModule LiteSpeed>
    php_value auto_prepend_file '/home/u422710550/public_html/wordfence-waf.php'
    # END Wordfence WAF

    Have just contacted the hosting. They said should not be LiteSpeed, but coincidentally they are upgrading the servers, which should have been finished yesterday, but apparently is still being worked on. I will keep checking.

    Hi Victor,
    I got your email and the diagnostics report too, thank you so much. I’ll try to elaborate things you mentioned and let me know if you have any further question:
    – Regarding the difference in “Server API” between our system information report and your cPanel report, I can see there are other differences too, like in “System”, “Build Date” and “Configure Command”, so I think this is due to specific server configuration you have and your web hosting provider should have a better explanation for this one.

    – On our system information report, we just call a function called “phpinfo()” and you can see its output has an empty value for “auto_prepend_file”, unfortunately, it means that “wordfence-waf.php” isn’t loaded correctly on your website, so neither “.user.ini” nor “.htaccess” succeeded in prepending this file.

    – What I suggest is waiting until your hosting provider confirms that all updates on your server are done, then re-configure the firewall again with the pre-selected option by Wordfence after that please check “auto_prepend_file” value in the “System configuration report” in (Wordfence > Tools => Diagnostics => Click to view your system’s configuration in a new window).

    Let me know what was the pre-selected option while configuring the firewall and the value for “auto_prepend_file”.


    Hi Alaa,

    Message from hosting provider as follows:
    “After investigating, I’ve noticed WordFence should work properly, without any issues on “CGI/FastCGI” as stated in the Plugins documentation … Please try removing your WordFence plugin and installing it again to see if that helps solve the issue you are experiencing.”

    I twice asked hosting why the phpinfo() showed LiteSpeed, but did not receive an answer. Also tried PHP 7.0 as suggested by hosting but no change, so reverted to PHP 5.6.

    I deactivated Wordfence and then activated it. I then tried each of the Apache settings without success. Each time I checked the System Configuration for the auto_prepend_file directive, but it always showed ‘no value’.

    I found no entry in Configure Command to indicate there was a conflict.

    I did not uninstall/reinstall Wordfence, because I did not want to lose my list of blocked IPs, but will do so if you feel that might solve the problem.

    Further assistance would be appreciated.

    Try to export the settings first, then re-install the plugin and configure the firewall, if everything went smooth, you can import the settings again and you will get the Blocked IPs.


    I have used the Export Wordfence Setting several times, but didn’t think it would export the list of Blocked IPs -it didn’t!

    Tried all Apache settings and also LiteSpeed, but no success.

    I’ve just re-checked the export/import function and I managed to export all the plugin settings including “Blocked IPs” then import it again successfully, just to make sure we are talking about the same thing, I mean Blocked IPs in (Wordfence > Firewall => Blocked IPs).

    I suggest trying the “Alternate method” to configure the firewall, which includes editing “php.ini” file manually by inserting a line of code like this:
    auto_prepend_file = 'some_path_here/wordfence-waf.php'


    If you mean export/import using the key obtained from the Export Wordfence Settings button at the bottom of the Options page, it did not work for me this time and my recollection is that it did not work on previous occasions either, but no matter.

    Although as mentioned earlier, a .user.ini file was created in the public_html directory, it does not seem to have any effect. Also can create changes to the .htaccess to include

    # Wordfence WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all
    # END Wordfence WAF

    again no effect.
    I notice, in the set-up information, it mentions that both the .htaccess and user.ini files should be downloaded, but the .user.ini never appears for download.

    You say to add the line of code to the php.ini file, but it is not accessible. I presume that this must be done by the hosting admin.

    After running the firewall setup, would you please check if there is a “.user.ini” file created in your website root directory or not and paste the content of this file here? it should contain auto_prepend_file command pointing to the correct path of “wordfence-waf.php” file.


    As already related above, there is a .user.ini file with the following content:
    auto_prepend_file = '/home/u422710550/public_html/wordfence-waf.php'
    The PHP Info always shows auto_prepend_file no value

    The .htaccess file changes vary depending on the configuration chosen. From all of the above, what should the .htaccess contain?

    Should I ask the hosting admin to append the above .user.ini contents to the php.ini file?

    • This reply was modified 3 years, 3 months ago by Malae.

    The content of “.htaccess” file will vary according to the configuration you choose, in case of “CGI/FastCGI” the code added there should protect “.user.ini” file from being accessed directly and I can tell you have the correct code there.

    What you should ask your hosting provider about is how “auto_prepend_file” value was added to “.user.ini” file and phpinfo() still shows “novalue” there? and yes, adding the same line in php.ini file should work.


    Hi both,

    I hope you don’t mind my contributing here, but this sounds a lot like what I’ve been experiencing. Like Malae, my Server API comes up as LiteSpeed v6.9, and my local hosting company seems to be hosting me in India, best I can tell.

    Alaa, I tried what you suggested in the above thread, but to no avail. I removed everything as explained here, including the database tables, and tried older versions of Wordfence to see if those would work, as before, but they did not.

    This led me to believe something was not working with auto_prepend_file.

    I’ve not contacted my host yet, but I discovered that turning on the PHP extension HTSCANNER in CPanel’s PHP Version makes the WAF work again.

    I’m not sure why this is or if it’s the best solution, but I found multiple mentions of this as a solution for auto_prepend_file issues in htaccess files.

    I’ll report back once I chat with my hosting provider.


    Hi philrp,

    Thanks for your contribution. My cPanel does not provide any means to activate PHP extensions, but I did some research and found that on PHP 5.4, 5.5 and 5.6 htscanner is disabled, but can be enabled, although I could not see any mention of it on my PHP (5.6.30) Info page. PHP 7 does not support htscanner.

    Aside from that I found some information about .user.ini files:

    I have asked my hosting to comment as to why the .user.ini file is not working and, if not able to fix that issue, whether they agree to append the content to the php.ini file. I will post info re further developments.

    I have just been informed by my hosting, quote: “.ini files have no effect on shared hosting, since you cannot modify global server configuration.” I won’t comment further here on that statement. However I have asked them, if they can enable the htscanner. I expect a negative answer since it does not appear to be installed.

Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘Optimise Apache + CGI/FastCGI’ is closed to new replies.