• Resolved caseybea

    (@caseybea)


    At our site, we are in the middle of migrating to enabling php-fpm (aka FastCGI) on a series of hosts.

    I have three wordpress sites that are causing me to pull my hair out when it comes to “optimizing” the WordFence firewall.

    First– When using the standard apache php handler, it works fine. I have absolutely no issues and the appropriate .htaccess and WAF file gets created and it’s all good and it tells me it’s set.

    But when I change to using FastCGI, I simply can NOT get it to work. I go through the steps– which has me first download the .htaccess and .user.ini files, and then I click “Continue”. And the wordfence session for doing this DOES recognize I’m using fastcgi. But once I’ve continued, rather than wordpress acknowledging it’s ready, I get the message “the changes have not been activated yet”, and then– nothing happens. Even restarting php and apache afterwards makes no difference. No amount of waiting makes a difference.

    When I follow the steps, the .user.ini and wordfence-waf files ARE created. And they look correct and show up where they should (the wordpress root dir of my site).

    • This topic was modified 4 years, 4 months ago by caseybea.
Viewing 6 replies - 16 through 21 (of 21 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @caseybea, I’m glad that works for you.

    I was going to advise that .user.ini could be placed directly in WordPress folders but was probably going to be difficult to manage long-term with version updates and possibly needing to be in multiple folders, not just one.

    The soft link idea sounds good if that has had the desired effect. We are seeing more requests around php-fpm/FastCGI so will look further into that method when advising for a setup with advanced/extra requirements such as this.

    Thanks again,

    Peter.

    Thread Starter caseybea

    (@caseybea)

    Well the soft link works better than actual files because then if the firewall needs to be disabled it works.

    Is putting it just in wp-admin enough to ensure the firewall is always working?

    Of course the long-term solution is using the CONTEXT root not document root. But you said we can’t do that until PHP8. Oy.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @caseybea,

    If there was a copy of .user.ini in wp-admin/, that one would be loaded during the AJAX hits. However, it’s not a full solution as every directory on the site would need its own .user.ini.

    Thanks,

    Peter.
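
The coverage gap discussed in the posts above can be audited offline. This is an added example, not part of the thread or of Wordfence's code: it models the PHP manual's rule that `.user.ini` is searched from the script's directory up to the document root, and only in the script's own directory when the script lies outside the document root. The function names, the constructed directory layout and the `/constructed/...` path are assumptions made for illustration.

```python
import os
import re
import tempfile

PREPEND = re.compile(r"^[ \t]*auto_prepend_file[ \t]*=[ \t]*['\"]?([^'\";\r\n]*)", re.M)

def scanned_dirs(script_dir, document_root):
    """Directories PHP searches for .user.ini, nearest first."""
    here, root = os.path.abspath(script_dir), os.path.abspath(document_root)
    if os.path.commonpath([here, root]) != root:
        return [here]  # outside the document root: only the script's own directory
    dirs = [here]
    while dirs[-1] != root:
        dirs.append(os.path.dirname(dirs[-1]))
    return dirs

def prepend_setting(ini_path):
    """auto_prepend_file value from one ini file; None if unset or unreadable."""
    try:
        with open(ini_path, errors="replace") as fh:  # open() follows soft links
            found = PREPEND.findall(fh.read())
    except OSError:
        return None
    return found[-1].strip() if found else None

def audit(wp_root, document_root, ini_name=".user.ini"):
    """Map each directory holding .php files to the prepend file its nearest .user.ini sets, or None."""
    result = {}
    for dirpath, _subdirs, files in os.walk(wp_root):
        if any(name.endswith(".php") for name in files):
            hits = (prepend_setting(os.path.join(d, ini_name))
                    for d in scanned_dirs(dirpath, document_root))
            nearest = next((h for h in hits if h is not None), None)
            result[os.path.relpath(dirpath, wp_root)] = nearest or None
    return result

def demo():
    """Constructed layout: WordPress outside the document root, soft link in wp-admin."""
    with tempfile.TemporaryDirectory() as base:
        wp = os.path.join(base, "wordpress")
        for sub in ("", "wp-admin", "wp-includes"):
            os.makedirs(os.path.join(wp, sub), exist_ok=True)
            open(os.path.join(wp, sub, "index.php"), "w").close()
        with open(os.path.join(wp, ".user.ini"), "w") as fh:
            fh.write("; constructed\nauto_prepend_file = '/constructed/wordfence-waf.php'\n")
        os.symlink(os.path.join(wp, ".user.ini"), os.path.join(wp, "wp-admin", ".user.ini"))
        return audit(wp, os.path.join(base, "htdocs"))

if __name__ == "__main__":
    print(demo())
```

Directories that map to `None` are ones where a directly requested PHP file would run without the firewall prepended; run `audit()` against the real WordPress path and Apache document root to list them.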

    Thread Starter caseybea

    (@caseybea)

    Then it appears my setup– (apache home not the same as wordpress home, which is a perfectly valid setup), and php-fpm is unusable. Wow.

    With plugins and themes and such, there’s almost a thousand directories.

    Thread Starter caseybea

    (@caseybea)

    I may have to go ahead and force this in php.ini but that makes me super unhappy.

    Because with that, the firewall now cannot be “managed” (enabled, disabled) without stopping php and disabling it in php.ini and restarting everything.

    And I also do not know what the effect of having that auto_prepend in php.ini will have on OTHER php code (non-wordpress) that our site serves up.

    I wonder, with all the complexities that php-fpm introduces, if wordfence can’t manage this some other way in the future. This was all a non-problem and all worked perfectly when using the older apache php handler. But php-fpm is a bit more tricky…..!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @caseybea,

    One last thing that might help for your concern about the effect of auto_prepend_file on other non-WordPress code can be set in php.ini. Check under “Using a single php.ini on servers with multiple sites” on this help page:

    https://www.wordfence.com/help/firewall/optimizing-the-firewall/troubleshooting/#using-a-single-php-ini-on-servers-with-multiple-sites

    You could use something like the example on there, to apply the auto_prepend_file only when in the directory where WP is installed:

    
    [PATH=/path/to/site/]
    auto_prepend_file = '/path/to/site/wordfence-waf.php'
    

    This has to be at the end of the php.ini, so the path doesn’t apply to the other settings throughout the file. This should work in CGI and FCGI, and has applied to subdirectories in our test environment, but as your setup has been fairly unique, we can’t say with absolute certainty it’ll work in your environment.

    Thanks,

    Peter.

  • The topic ‘Cannot activate (“optimize”) Wordfence Firewall with php-fpm/FastCGI enabled’ is closed to new replies.