I had the same issue: the .user.ini located in /var/www/html/wordpress-folder/ was accessible to the public. My web server is nginx, so I added the code suggested by the Wordfence support team, which is:
    location ~ \.user\.ini$ {
        deny all;
    }
in the /etc/nginx/sites-enabled/default file, but at the beginning it didn't work because I was adding the code in the wrong location within that file. Initially I was adding that code as a new location block just below the .htaccess location code, but it wasn't working, because the right location for that code is within the main location block that comes with the nginx server:
    location / {
        # First attempt to serve as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # place the code to block the .user.ini file here
        location ~ \.user\.ini$ {
            deny all;
        }
    }
Then restart the nginx server and that's it; now the .user.ini file is not accessible to the public.
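
Because the rule described above can be present in the config and still not take effect, it is worth requesting the file after every reload. The script below is an added example, not part of the original post or of Wordfence's instructions; the function names, the User-Agent string and the mapping of status codes to verdicts are assumptions of this example.

```python
"""Check whether a site serves .user.ini to anonymous HTTP clients."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin


def target_url(base_url):
    """Build <base_url>/.user.ini, keeping any WordPress sub-folder in the path."""
    return urljoin(base_url.rstrip("/") + "/", ".user.ini")


def fetch_status(url, timeout=5.0):
    """GET url and return the final HTTP status code (redirects are followed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "user-ini-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is the answer we want.
        return err.code


def classify(status):
    """Verdict for a file that must not be public (assumed mapping)."""
    if 200 <= status < 300:
        return "exposed"   # the server handed the file out
    if status in (403, 404):
        return "blocked"   # nginx "deny all" answers 403
    return "unclear"       # e.g. 401 or 5xx: inspect by hand


def check_user_ini(base_url, timeout=5.0):
    """Return (url, status, verdict) for the .user.ini under base_url."""
    url = target_url(base_url)
    status = fetch_status(url, timeout)
    return url, status, classify(status)


if __name__ == "__main__":
    # Usage: python3 check_user_ini.py https://your-site.example/wordpress-folder/
    if len(sys.argv) != 2:
        sys.exit("usage: check_user_ini.py BASE_URL")
    url, status, verdict = check_user_ini(sys.argv[1])
    print(f"{url} -> HTTP {status} ({verdict})")
    sys.exit(0 if verdict == "blocked" else 1)
```

The exit code is 0 only when the verdict is "blocked", so the script can run from a deployment step or a cron job that alerts on failure.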