My own auto_prepend_file is not included

  • Resolved jqz

    (@jqz)


    2 years, 12 months ago

    During set-up, WordFence detected that I already had an auto_prepend_file and offered the option to include that or not. I selected to include it.

    However, I now find it is not being included.

    I also cannot find any option in the settings to let it be included, or specify it.

    How can I include my own auto_prepend_file as well as yours?

    • This topic was modified 2 years, 12 months ago by jqz.

    The page I need help with: [log in to see the link]

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @jqz, thanks for getting in touch.

    The include option should work with any file, it’s done by replacing the auto_prepend_file value with the path to wordfence-waf.php as usual, but wordfence-waf.php will now have a line that now includes the file you previously had there, before the rest of the WAF code.

    Your original code will still run before the WAF, just in a different way now. Can I confirm whether this is present in your wordfence-waf.php?

    Thanks,

    Peter.

    Thread Starter jqz

    (@jqz)

    My original file is not being included by wordfence-waf.php, which looks like this:

    <?php
// Before removing this file, please verify the PHP ini setting <code>auto_prepend_file</code> does not point to this.

if (file_exists(__DIR__.'/wp-content/plugins/wordfence/waf/bootstrap.php')) {
	define("WFWAF_LOG_PATH", __DIR__.'/wp-content/wflogs/');
	include_once __DIR__.'/wp-content/plugins/wordfence/waf/bootstrap.php';
}

    Should I just add an include for my file at the top of it, or is there some setting within the admin UI that would do this?

    • This reply was modified 2 years, 11 months ago by jqz. Reason: markdown doesn't work
    • This reply was modified 2 years, 11 months ago by jqz. Reason: Fix code snippet broken by editor
    Plugin Support wfpeter

    (@wfpeter)

    Hi @jqz,

    The “include” option should have done this, as I’ve never seen it fail before. It could be linked to previously optimizing the WAF and now have a permissions issue, so wordfence-waf.php can’t be overwritten. Permissions on your WordPress site’s directories should be 755 and the owner on your WordPress root directory (and all contained directories) should be www-data.

    You are perfectly safe to add the include or include_once code yourself to the top of wordfence-waf.php if there’s no other way around this. The scripts will be then loaded as intended originally so your custom script should now work.

    Thanks,

    Peter.

    Thread Starter jqz

    (@jqz)

    I have found out why my original auto-prepend file was not being included.

    This is because it sets open_basedir though does not itself reside within one of the allowed paths it sets.

    Then when wordfence::getWAFBootstrapContent() checks that the file exists, is_file() returns false and the include_once is not added. (Given that the include_once is itself wrapped by file_exists(), I’m wondering if the is_file() test before adding it is actually necessary, as it causes the issue in this, albeit unusual, sitation.)

    Plugin Support wfpeter

    (@wfpeter)

    Hi @jqz,

    Thanks for the update, I really appreciate the troubleshooting you’ve gone to in order to find this out. I will pass the information forward to the development team, although here on the forums cannot discuss whether changes to the plugin will definitely be made.

    Thanks,

    Peter.

    Plugin Support wfpeter

    (@wfpeter)

    Hi again @jqz,

    I did pass this on and received some extra information that may be helpful:

    The is_file() call isn’t the only issue as the include won’t work if the original file is outside of open_basedir at that point. You may have to edit wordfence-waf.php and remove the attempt to include your file, set auto_prepend_file to point to your own file again, and have that file include_once 'wordfence_waf.php'.

    I hope that helps you out.

    Thread Starter jqz

    (@jqz)

    Hi @wfpeter,

    Thanks to you and your team for giving this consideration, and for the feedback.

    It’s a bit chicken-and-eggy, if you see what I mean.

    The is_file() call isn’t the only issue as the include won’t work if the original file is outside of open_basedir at that point.

    It isn’t at that point. It is itself the file that sets open_basedir, whereafter access to most of the filesystem is restricted. (I assume WordFence employs similar damage limitation.)

    I have inserted the code that should have been at the top of wordfence-waf.php:

    if (\file_exists('/home/username/public_html/autoprepend.php')) {
	include_once '/home/username/public_html/autoprepend.php';
}

    I can confirm this seems to work fine.

    FI: My own file has two purposes:
    1. Set open_basedir for damage limitation should one site be breached (with multiple sites on shared hosting);
    2. Set error_log based on hostname (this works once again).

    I would maintain that the is_file() test is a excessively redundant. I think the best solution would be for the UI/UX on installation to say something like “You already have an autoprepend file, but WF can’t access it. Are you sure it exists, and you want WF to include it?”

    • This reply was modified 2 years, 11 months ago by jqz.
Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘My own auto_prepend_file is not included’ is closed to new replies.