Sarah

Hello,

I’ve been back-and-forthing with my hosting provider.

They have confirmed that my .htaccess is recursive, so it doesn’t make sense that the Wordfence auto_prepend_file code is not working even though I have it in “/home/username/public_html/.htaccess”.

<IfModule LiteSpeed>
php_value auto_prepend_file '/home/username/public_html/wordfence-waf.php'
</IfModule>

The auto_prepend_file doesn’t seem to work unless I put it into “/home/username/public_html/wp-admin/.htaccess”. I asked my Hosting provider whether there was a reason for this, as I thought it would work if I just had it in “/home/username/public_html/.htaccess”.

This was their response:

While investigating the issue, I found that the plugin was originally intended to work with auto_prepend_file added in the .user.ini file and the .htaccess was only a secondary alternative to it. You may refer to the developers thread at:

https://wordpress.org/support/topic/waf-configuration-installation-issue/#post-14173061

Since there is no server-level restriction on this, I would recommend you reach out to the vendor for more insight on this.

I followed the instructions at that post link also, without any success.

So to clarify, I have now tried the following:

– Added define('WFWAF_STORAGE_ENGINE', 'mysqli'); inside wordfence-waf.php
– Removed the “wp-content/wflogs” folder
– Switched the Firewall from ‘Learning mode’ to ‘Enabled and Protecting’

The following code is in the .htaccess file in my root directory:

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
# END Wordfence WAF

In the same directory, I have a .user.ini file with the following code:

; Wordfence WAF
auto_prepend_file = ‘/home/username/public_html/wordfence-waf.php’
; END Wordfence WAF

I have even tried the other user’s suggestion of renaming the .user.ini file and then renaming it back again, without any success.

Any insight would be very much appreciated.

I followed your advice and although the troubleshooter script said that it was running in Full WAF mode, the firewall did not display that.

“auto_prepend_file” value was empty when I checked “info.php” in /wp-admin/ folder.

It appeared that it was not affecting subdirectories.

I have now added the “auto_prepend_file” directive to .htaccess within the /wp-admin/ folder. Check of “info.php” shows positive value. I refreshed the firewall, which now displays that it is running in Full WAF mode.

So to sum up, I now have the following code in .htaccess of my root folder as well as /wp-admin/.htaccess

# BEGIN NinjaFirewall
<IfModule Litespeed>
   php_value auto_prepend_file "/home/blah/public_html/wp-content/nfwlog/ninjafirewall.php"
</IfModule>
# END NinjaFirewall

My question now is: Is this really a fix? Or have I just made a temporary fix that I still need a proper resolution for? Is the Full WAF mode actually working like it says it is? Do I have to copy the code into a .htaccess file within each of the subdirectories such as /wp-content/ and /wp-includes/ ?

• This reply was modified 4 years, 2 months ago by Sarah.
• This reply was modified 4 years, 2 months ago by Sarah.

Hello @bobmatyas –

It’s actually resolved on its own now and I’m not entirely sure what happened. My hosting provider confirmed that there was nothing wrong with my SSL.