How to setup a staging site with Wordfence

  • Resolved Superpigdots

    (@natip100)


    4 years, 11 months ago

    Today I cloned my site and Wordfence went berserk. It gave me three warnings. One stated, “If you have separate WordPress installations with Wordfence installed within a subdirectory of this site, it is recommended that you perform the Firewall installation procedure on those sites before this one.” The other stated, “To make your site as secure as possible, the Wordfence Web Application Firewall is designed to run via a PHP setting called auto_prepend_file, which ensures it runs before any potentially vulnerable code runs. This PHP setting is currently in use, and is including this file: [directory for my site for wordfence-waf.php]” The third was a scan that flagged,”server state” and it stated, “Details: The option “Scan files outside your WordPress installation” is off by default, which means 2 paths and their file(s) will not be scanned for malware or unauthorized changes. To continue skipping these paths, you may ignore this issue. Or to start scanning them, enable the option and subsequent scans will include them. Some paths may not be necessary to scan, so this is optional.”

    I tried for a long while to find resources that you or WP Staging plugin offers for how to properly configure Wordfence on a staging site. I read many questions that other users have that are similar to mine and no decent answers. Do you guys really offer no instructions on this? This seems like an ongoing confusion for many of your users. Could I please get help on how to properly do this? My site is not live yet and has a coming soon page up for logged-out access. I am free to uninstall Wordfence on either the main site or the clone site. I’d like to properly set this up now so that I do not have to do so in the future once my site is fully live and I would no longer have a good option to leave my site vulnerable for this setup.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support wfscott

    (@wfscott)

    @natip100

    Sorry for the delay and the trouble you’re having. Can you let me know which hosting provider you are with?

    We have a small section of documentation regarding migration here which applies to this as well: https://www.wordfence.com/help/advanced/remove-or-reset/#migrate-with-wordfence

    What is recommended is that firewall optimization is removed prior to migrating or cloning, which would prevent issues such as this or the wrong path being referenced.

    I recommend going into the cloned site and removing the extended protection (Wordfence > Firewall > All Firewall Options > Remove Extended Protection), and then re-optimization the firewall in that same location. If the cloned site is running in a sub-directory of the main site, you could remove the optimization on both, and then optimize the sub-directory site first, followed by the parent site after.

    Can you let me know if you’re seeing all three messages on the cloned site, or if you’re seeing them on both?

    Thread Starter Superpigdots

    (@natip100)

    No problem. I am using Siteground.

    I took a look at the link you provided and your directions. That seems to make sense and I will have to give it a try! I’d recommend that you guys provide this as a tutorial for cloning sites to save support hassles for your company.

    At this time, I have already deleted the cloned site as I figured it would be better to start from the beginning. My apologies for not being able to help more with the error messages.

    Plugin Support wfscott

    (@wfscott)

    Thanks for the feedback, we appreciate it.

    Here is our documentation for optimizing on SiteGround: https://www.wordfence.com/help/firewall/optimizing-the-firewall/#alternative-hosting-provider-setups

    You can follow that. Also, below I will put the instructions I often use for SiteGround optimization:

    First to your cPanel and go to PHP Variables Manager. Click the subfolder that your current WordPress site is located in there. If it is in public_html, click that. If the site is installed in public_html/site2, you’ll see a folder for site2. Click that. If you have multiple sites, optimize the sub-sites first and then parent sites (public_html) last.

    After clicking on the folder with your WordPress installation, you will then see a field where you can enter a variable. Enter: auto_prepend_file there and click add. You will see a new field come up for auto_prepend_file where you can enter a path. We will return here in a second.

    In a new tab, go back to your site and goto Wordfence > Firewall > All Firewall Options. Click the Optimize the Wordfence Firewall and then click the dropdown box and select Manual Configuration at the bottom, then continue. You will then see something similar to this:
    auto_prepend_file = ‘/home/sitename/public_html/subfolder/wordfence-waf.php’
    Just copy the path inside the single quote symbols, in my case, /home/sitename/public_html/subfolder/wordfence-waf.php

    Go back to your PHP Variables Managers tab and paste that path (/home/sitename/public_html/subfolder/wordfence-waf.php) into the auto_prepend_file field and click the checkbox for Apply changes to all sub-directories? and click Save. Make sure the confirmation screen has no errors, then go back to your site and refresh it. You should be at 100%.

    Thread Starter Superpigdots

    (@natip100)

    I tried following the directions to remove the extended protection. I gives this message when I go through the steps:

    “Extended Protection Mode has not been disabled. This may be because auto_prepend_file is configured somewhere else or the value is still cached by PHP. Retrying Failed. Try Again”

    Trying again repeats the same message. It offers no solution nor a link to one and I can’t find any whatsoever online either. Please help me with this.

    Plugin Support wfscott

    (@wfscott)

    @natip100

    Please check the php.ini file directly in the site’s root and see if you’re seeing an auto_prepend_file declaration pointing to the wordfence-waf.php file. If so, make a backup of the file, then remove the auto_prepend line in its entirety and save the file. That should then remove the optimization.

    Please let me know if you’re seeing that there.

    Scott

    Thread Starter Superpigdots

    (@natip100)

    Thank you so much! I first deleted that entry in the php.ini and Wordfence then showed not optimized on my main site. Then I cloned the site. Then I followed your php file directions for the php variables manager. I entered the clone site Wordfence value for the clone site sub-directory and checked apply to all sub-directories. I then followed the same steps but used the main site values given in that Wordfence and the main directory php variables area. After doing this, I was left with Wordfence Firewall optimized on both the sub-directory cloned site and also the main site with absolutely no error messages. Thank you so much! You have been a great help!

    Plugin Support wfscott

    (@wfscott)

    @natip100,

    Thanks for letting me know!

    Please don’t hesitate to reach out if you have any further questions.

    Scott

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘How to setup a staging site with Wordfence’ is closed to new replies.