Enable New Firewall Errors

Hi,

Thanks for the report. Can you post the errors you were seeing that were related to .htaccess?

Also, can you tell me which hosting company you are using? We’ve tested on many different hosts, but sometimes there is even variation between servers at a single hosting company, but this could help narrow down the cause too.

-Matt R

Hi Matt. No hosting company involved. Just a server I administrate. It look’s like whatever the firewall add’s to the .htaccess is what causes the error. I still haven’t found a work around yet, but I’ve just started looking into it.

For the record, I have a wordpress instance on rented hosting space and didn’t have any problem enabling it there.

Matt,

Do you have a list of the required apache modules that are required by wordfence? I am almost positive it’s because of a missing module.

I found this link, and I think it should be updated as well. Hopefully someone can chime in regarding the required apache modules that are used for wordfence.

https://docs.wordfence.com/en/Wordfence_system_requirements

I wanted to mention that the wordfence diagnostic page shows nothing wrong.

I do see some errors within the apache error log. Bascially saying “client denied by server configuration”

Maybe this is a clue-

I have had 403 errors on several of my websites that can only be fixed by deleting the “deny access” sections of the .htaccess file. Once I delete the “WFIPBLOCKS” section of .htaccess my pages can be viewed again.

Thanks for the heads up michaelisc. I don’t believe that is my issue though. I am really hoping someone chimes in with the required apache modules for wordfence.

Hi,

On some server configurations, you might have multiple error logs — if the main log showed only “client denied by server configuration”, then there are likely different error messages in another file — can you check in the site’s own directories? It might also be in a different location if the ErrorLog directive is used in your Apache config.

I don’t have a comprehensive list of required modules since issues rarely come up, but depending on your Apache version, you may need mod_authz_core or mod_access_compat, or possibly mod_authz_host if you’re on Apache 2.2, for some of the .htaccess changes in the firewall config.

-Matt R

Ok.. I have narrowed it down to these lines in .htaccess

<IfModule mod_authz_core.c>
Require all denied
</IfModule>

With those included, I get a 403 forbidden. Take that out, and site works. Hmmm?

Hi,
Is that section inside a <Files> directive, like below?

<Files ".user.ini">
<IfModule mod_authz_core.c>
        Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
</IfModule>
</Files>

It should only block access to the .user.ini file (if one exists) in that case, unless there is something preventing the Files directive from working.

-Matt R