Support » Plugin: Wordfence Security - Firewall & Malware Scan » Optimise Apache + CGI/FastCGI

  • Resolved Malae


    I installed Wordfence on a new domain a few months ago and set up the firewall with no problems. Yesterday I had a notice that the server would be down for maintenance and upgrading. My site was down for 64 minutes and afterwards appeared normal.

    Today I noticed that WF showed the notice: “To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall:”.

    Assuming that the firewall settings had been lost, I clicked to configure and on the Firewall page found:
    “We’ve preselected your server configuration based on our tests, but if you know your web server’s configuration, please select it now: Apache + mod_php (recommended based on our tests).” I clicked and waited, but no change.

    I checked the information about the Server API and found CGI/FastCGI, so chose Apache + CGI/FastCGI. I clicked and waited, but no change.

    The wordfence-waf.php file is in place and has the lines:

    // Before removing this file, please verify the PHP ini setting <code>auto_prepend_file</code> does not point to this.
    if (file_exists('/home/u422710550/public_html/wp-content/plugins/wordfence/waf/bootstrap.php')) {
    	define("WFWAF_LOG_PATH", '/home/u422710550/public_html/wp-content/wflogs/');
    	include_once '/home/u422710550/public_html/wp-content/plugins/wordfence/waf/bootstrap.php';

    The downloaded htaccess file shows the lines:

    # Wordfence WAF
    <IfModule mod_php5.c>
    	php_value auto_prepend_file '/home/u422710550/public_html/wordfence-waf.php'
    # END Wordfence WAF

    However, the file on the server only had the # Wordfence WAF and # END Wordfence WAF lines. I added back the above lines of code. Is this correct?

    The Firewall page shows: Protection Level: Basic WordPress Protection with a button: Optimize the Wordfence Firewall.
    Clicking this, brings me back to the previous set-up page.

    My host uses cPanel, but there is no PHP Variables Manager icon. PHP Version 5.6.30

    What further steps, if any, should I take?

Viewing 3 replies - 16 through 18 (of 18 total)
  • @malae It seems that @philrp has a different server configuration, not “Apache + CGI/FastCGI” as yours, because in his other thread I can see the “php_value auto_prepend_file” was added to “.htaccess” file, which can’t be applied while using CGI/FastCGI protocols.

    If your hosting provider doesn’t load “.user.ini” files on shared hosting, hopefully they guaranteed any other way to manually add values in “php.ini” file? also, some web hosts supports “PHP Variables Manager” plugin in cPanel from which you can set some variables manually, hopefully you have it?

    I’m afraid to tell that there is no other way to setup the firewall unless “wordfence-waf.php” file is loaded correctly.


    At last I can report that my problem is over. After almost three weeks of e-mails with the hosting company, they told me that I could set the auto_prepend value by updating .htaccess with ⁠⁠⁠⁠php_value⁠⁠⁠⁠. I had already tried that method, but retried many combinations and lines of code including php_value include_path, but had no luck.

    I reported this to my hosting and and told them that it appeared to be a permissions issue such as AllowOveride.
    The next day one of the lines of code that I had already tried without success:
    php_value auto_prepend_file "/home/xxxxxxxxxx/public_html/wordfence-waf.php" was inserted and immediately the firewall showed ‘Extended Protection’

    Sadly, my hosting support could not confirm what happened. I would like to know in case it happens again, but at least I now have a secure site!

    Many thanks to the excellent support from Wordfence along the way.

    Hi Malae,

    Thanks for reporting back. I’ve got an open ticket with my host since Monday. I can see they’ve accessed my site a few times since, but the server administrators have not yet been able to explain why Wordfence has stoped working properly, but they are taking it seriously.

    Adding the “php_value auto_prepend_file ” line directly to htaccess was one of the first optionsI found, but, at the time, it looked to me like the firewall was not working properly and things were being missed. Looking back, that was likely the fact the that the Wordfence IP getting option had also changed when whatever they did to my server disabled the Extended Firewall.

    I now have 2 workable manual options to make the firewall work, but I’m still hoping they can fix this on the server side, which would let Wordfence auto install correctly.

    Best of luck to you!

Viewing 3 replies - 16 through 18 (of 18 total)
  • The topic ‘Optimise Apache + CGI/FastCGI’ is closed to new replies.