Support » Plugin: Wordfence Security - Firewall & Malware Scan » Security Issue – user.ini file

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfasa


    Hi David,
    The .user.ini file is created during the Firewall Optimization process. At the same time as the .user.ini is created code is added in .htaccess which prevents access to the .user.ini.

    I am not sure if the sites that pop up in Google have removed that code on purpose or by accident, or if there is some other issue. I’ll run this by the team though and see. Thanks for reporting!

    I have one site where that user.ini is accessable in a browser, so the .htaccess is not preventing anything there.

    Plugin Support wfasa


    Hi tryggis,
    If the .user.ini is not hidden after using our automatic configuration procedure, make sure that this code exist in your .htaccess

    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    	Require all denied
    <IfModule !mod_authz_core.c>
    	Order deny,allow
    	Deny from all

    If you are on NGINX, you will need to modify your config file. We have instructions for how to do that here:

    If you are unsure about any of the above, please reach out to your web host and ask them to assist you in hiding the .user.ini file.



    I installed wordfence and all was fine for a week or so, now wordfence is warning me that the user.ini, that wordfence created, is publicly accessable.

    Plugin Support wfasa


    Hi mhk1058,
    Yes, we have added a scan check that tells you if your .user.ini is visible so that people quickly find out if that is the case, for whatever reason. It can happen if the Wordfence Firewall Optimization is reverted while the .user.ini is write protected. It can also happen if you move your site between hosts, or if your host changes something significant in your server environment. It could also happen if the .htaccess in the root of the WordPress installation is reverted to a default WordPress .htaccess, or if another plugin overwrites the changes Wordfence made to your .htaccess.

    Check if the .user.ini has anything in it. If it doesn’t, you can delete it. If it does, you need to add the code above to your .htaccess. If that doesn’t help, please reach out to your web host for assistance. How files are hidden differs between hosting environments.

    Hope that helps!

    • This reply was modified 1 month, 4 weeks ago by  wfasa.
Viewing 5 replies - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.