• Resolved Beeblebrox-BSD

    (@beeblebrox-bsd)


    Hi,
    WP site http server is Lighttpd, and requires manual optimization config.
    The Wordfence dialog will not work for my case though, because I do not have FTP/S service running – I access the system via ssh.

    Would appreciate info on how to manually optimize the App Firewall.

    Thanks.

Viewing 15 replies - 1 through 15 (of 21 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @beeblebrox-bsd and thanks for reaching out to us!

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    I will be able to see where you are at in the process.

    Thanks!

    Thread Starter Beeblebrox-BSD

    (@beeblebrox-bsd)

    Hi & thanks for the answer.

    Diagnostic report emailed. I had to expand the report and copy/paste the contents. I hope this is adequate.

    Regards.

    Plugin Support WFAdam

    (@wfadam)

    Could you send the report directly from the Diagnostic screen? The one you provided is missing all the PHP information that I will need to help guide us to optimizing.

    If you go to the Wordfence > Tools > Diagnostic screen you should see “send Report by Email”

    Thanks!

    Thread Starter Beeblebrox-BSD

    (@beeblebrox-bsd)

    Hi, Thanks for trying to help.

    I’m pretty sure my service blocks outbound port 25. Wordfence “Send a test email from this WordPress server to an email address” returns false as well. So, I’m unable to directly send the email to you.

    I generated a report from the link “Click to view your system’s configuration in a new window”, and sent that as an HTML single-page.

    Regards.

    Plugin Support WFAdam

    (@wfadam)

    Got it that time! Thanks @beeblebrox-bsd

    It says your Server API is FPM/FastCGI and the default configuration for FastCGI should work. If you want to do it from the Wordfence plugin, navigate to Wordfence > Firewall > Optimize the Firewall and in the pop up select Apache + FastCGI, download the htaccess and user.ini backups and then complete the process. If you want to manually do it, you will have to add this code to your user.ini and htaccess:
    Add this to your user.ini:

    ; Wordfence WAF
    auto_prepend_file = '/path/to/waf/wordfence-waf.php'
    ; END Wordfence WAF

    Make sure to edit the path to point at your wordfence-waf.php, which is in the root directory.

    Add this to your htaccess:

    # Wordfence WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
    </Files>
    # END Wordfence WAF

    Then wait a few minutes and refresh your Wordfence > Firewall page and see if the optimization worked.

    On some sites with PHP FPM we do sometimes see situations where the settings are being overridden. This is from our documentation:

    In rare cases, when a host uses PHP-FPM, they may have PHP settings defined in a “pool” file. These settings can override options set in your custom php.ini or .user.ini file. You may need to ask the host if they have settings in the pool file. The default location for the pool file on new Ubuntu servers is similar to /etc/php/7.0/fpm/pool.d/www.conf (depending on the PHP version) and an example of an option that would override your auto_prepend_file option is php_admin_value[auto_prepend_file] = none. If the host is able to remove this option, it should allow your settings to be used for the firewall.

    So at that point, I would recommend that you reach out to your host and ask them this:

    I need to set a PHP value auto_prepend_file on my site but it doesn’t seem to be taking effect. Can you explain how to set auto_prepend_file on my site?

    Hopefully, they’ll be able to give you an idea of why it’s not working. If you have any questions, let me know!

    Thanks!
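
The precedence described in the reply above (pool file over .user.ini over php.ini) can be checked from a shell on the server. This script is an added example, not code from Wordfence or from anyone in the thread; it reports which file decides `auto_prepend_file` for a PHP-FPM site and why the WAF would not load. The function names, the `www.conf` pool file and the temporary sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

INI = re.compile(r"^\s*auto_prepend_file\s*=\s*(.*?)\s*$")
POOL = re.compile(r"^\s*php_admin_value\s*\[\s*auto_prepend_file\s*\]\s*=\s*(.*?)\s*$")

def last_value(path, pattern):
    """Last uncommented setting in a file ('' for empty/none); None if absent."""
    value = None
    text = Path(path).read_text(errors="replace") if Path(path).is_file() else ""
    for line in text.splitlines():
        m = pattern.match(line)  # lines commented out with ';' never match
        if m:
            raw = m.group(1).strip("'\"")
            value = "" if raw.lower() in ("", "none") else raw
    return value

def effective_prepend(php_ini, pool_conf, docroot):
    """Return (source, value, problems) for one PHP-FPM site."""
    # A pool php_admin_value wins; otherwise .user.ini overrides php.ini.
    candidates = [
        ("pool php_admin_value", last_value(pool_conf, POOL)),
        (".user.ini", last_value(Path(docroot) / ".user.ini", INI)),
        ("php.ini", last_value(php_ini, INI)),
    ]
    source, value = next(((s, v) for s, v in candidates if v is not None), ("unset", ""))
    problems = []
    if not value:
        problems.append("no file is prepended, so the WAF never loads")
    elif Path(value).name != "wordfence-waf.php":
        problems.append("target is not wordfence-waf.php")
    elif not Path(value).is_file():
        problems.append("target file does not exist")
    return source, value, problems

def demo():
    """Constructed files: a pool override hides a correct .user.ini."""
    root = Path(tempfile.mkdtemp())
    (root / "wordfence-waf.php").write_text("<?php // constructed stand-in\n")
    (root / ".user.ini").write_text(f"auto_prepend_file = '{root}/wordfence-waf.php'\n")
    pool = root / "www.conf"
    pool.write_text("php_admin_value[auto_prepend_file] = none\n")
    blocked = effective_prepend(root / "php.ini", pool, root)
    pool.write_text("; php_admin_value[auto_prepend_file] = none\n")
    fixed = effective_prepend(root / "php.ini", pool, root)
    return blocked, fixed

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

PHP caches .user.ini for `user_ini.cache_ttl` seconds (300 by default), which matches the advice to wait a few minutes before rechecking; a change to the pool file only takes effect after PHP-FPM is reloaded.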

    Thread Starter Beeblebrox-BSD

    (@beeblebrox-bsd)

    Thanks for the answer,

    “Add this to your htaccess:”

    Since most non-Apache servers (Lighttpd, Nginx) don’t support .htaccess settings, are you saying that php-fpm actually processes settings in that file? I cannot find any meaningful discussion on that, and it doesn’t make much sense to me that php-fpm would process .htaccess independently from the HTTP server.

    Also, Lighttpd does not have or make use of mod_authz_core.c

    Would appreciate if you could clarify. Thanks.

    Plugin Support WFAdam

    (@wfadam)

    We actually don’t have any documentation on Lighttpd yet. I did some research on it though.

    Let’s leave out the htaccess bit and let’s try the php.ini file. Create a php.ini or add this to the current one in the root directory:

    ; Wordfence WAF
    auto_prepend_file = '/path/to/waf/wordfence-waf.php'
    ; END Wordfence WAF

    Make sure to adjust the path to your current wordfence-waf.php path which should reside in your root directory alongside your php.ini file.

    Let me know how this goes!

    Thanks for your help!
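
The .htaccess block from the earlier reply only keeps `.user.ini` from being served to visitors; on Lighttpd the same effect comes from mod_access and its `url.access-deny` suffix list. The check below is an added example, not code from Wordfence or from anyone in the thread, and the two configuration fragments and all function names are constructed; it only looks at global settings and ignores conditional blocks.

```python
import re

ASSIGN = re.compile(r"url\.access-deny\s*(\+=|:?=)\s*\((.*?)\)", re.S)
BLOCK = re.compile(r"\{[^{}]*\}")

def global_scope(conf_text):
    """Strip comments and conditional { } blocks, leaving global settings."""
    text = re.sub(r"#.*", "", conf_text)  # naive: assumes no '#' inside strings
    while BLOCK.search(text):
        text = BLOCK.sub("", text)
    return text

def denied_suffixes(conf_text):
    """url.access-deny list in effect globally: '=' replaces, '+=' appends."""
    suffixes = []
    for op, body in ASSIGN.findall(global_scope(conf_text)):
        items = re.findall(r'"([^"]*)"', body)
        suffixes = suffixes + items if op == "+=" else items
    return suffixes

def is_denied(conf_text, url_path="/.user.ini"):
    """True if mod_access is loaded and url_path ends with a denied suffix."""
    loaded = '"mod_access"' in global_scope(conf_text)
    return loaded and any(url_path.endswith(s) for s in denied_suffixes(conf_text))

# Constructed lighttpd.conf fragments (not from the thread).
WEAK = '''server.modules = ( "mod_access", "mod_fastcgi" )
url.access-deny = ( "~", ".inc" )
'''
HARDENED = WEAK + 'url.access-deny += ( ".user.ini" )\n'

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, denied_suffixes(conf), is_denied(conf))
```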

    Thread Starter Beeblebrox-BSD

    (@beeblebrox-bsd)

    Hi,
    I had already made the change to /etc/php/7.3/fpm/php.ini as:

    ; Wordfence WAF
    auto_prepend_file = '/var/www/html/wp-content/plugins/wordfence/wordfence.php'
    ; END Wordfence WAF

    I’m unable to find answers to these 2 Q’s in your documentation:
    1. How do I see/test whether the WF optimization has worked?
    2. Also, is there a hardening setting for the free/evaluation version of WF?

    Thanks and Regards.

    Plugin Support WFAdam

    (@wfadam)

    Here is an answer to your questions:
    1. How do I see/test whether the WF optimization has worked?
    There are two ways you can check this:

    • Navigate to Wordfence > Tools > Diagnostics and open the section labeled Wordfence Firewall. You will see WAF Auto Prepend Active which should equal YES if the firewall is optimized.
    • You could also visit your Wordfence > Firewall page and check the far left percentage. For free users, you should be right around 55% if optimized. If you hover over the number it will tell you what you can do to boost that number; if optimize isn’t listed, you should be set.

    2. Also, is there a hardening setting for the free/evaluation version of WF?
    For Hardening settings, I recommend following along in our guide:
    https://www.wordfence.com/learn/how-to-harden-wordpress-sites/

    Let me know if that worked!

    Thanks!

    Thread Starter Beeblebrox-BSD

    (@beeblebrox-bsd)

    Hi,
    Thank you again, and apologies for such a lengthy discussion.
    Here’s what I see under “Current WAF configuration” section:

    WAF auto prepend active     No
    WAF storage engine (WFWAF_STORAGE_ENGINE)    (default)
    WAF log path    ~/wp-content/wflogs/
    WAF subdirectory installation    No
    wordfence-waf.php path
    WAF File Permissions    0600 - using template
    Recently removed wflogs files    None

    Notice that wordfence-waf.php path is unset. Perhaps therein is the problem?

    Plugin Support WFAdam

    (@wfadam)

    At this point, I think it’s best if you reach out to your host and pose this question to them:

    “I need to set an auto_prepend_file value to point at my wordfence-waf.php file in the root directory of my installation. Is that to be set with a php.ini or user.ini file? If so, can you verify that my current file is set correctly?”

    If you think you have the file set currently, and you are able to log in without any issues, it makes me think the auto_prepend_file value isn’t being set correctly, for it would typically block you out if not set correctly.

    Let me know what they say!

    Thanks!

    Thread Starter Beeblebrox-BSD

    (@beeblebrox-bsd)

    Hi,
    Hosting platform said:
    “Why are you asking us? You’re on a self-hosted VM with full O/S root access”

    Again, I have full O/S root on a Debian-based VM (I do not mean WP web-app root). Therefore instructions on how to link to or build wordfence-waf.php (whatever that is) are needed. File name search for wordfence-waf.php under /path/wordpress/wp-content/plugins/wordfence does not find any such file.

    Also: From simple search, it seems ‘wordfence-waf.php’ might be a front-end to Linux firewall through scripts? If this is true, I might prefer to use other solutions since I have full root on the O/S.

    Thanks and Regards.

    Thread Starter Beeblebrox-BSD

    (@beeblebrox-bsd)

    So again to clarify,
    * This WP setup is on a Cloud instance running Linux O/S
    * Think of this particular case as installed on Localhost, then exposed to the internet.
    * I cannot find any file named wordfence-waf.php. The only files having anything to do with “waf” are listed below. Where do I find wordfence-waf.php?

    ./wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    ./wp-content/plugins/wordfence/lib/menu_firewall_waf.php
    ./wp-content/wflogs/config-livewaf.php

    Regards.

    Plugin Support WFAdam

    (@wfadam)

    Sorry for the late response @beeblebrox-bsd

    I have been trying to do some more research on your set up.

    Checking back into your diagnostic, the wordfence-waf.php seems to have never been created. It should reside in your root directory where the htaccess file is as well.

    Try to reinstall the plugin and let’s see if the wordfence-waf.php populates. It should be installed when the plugin is installed. It looks like your read/write permissions are correct but just ensure nothing is blocking files from being inserted from the plugin.

    Let me know what you find!

    Thanks!

    Thread Starter Beeblebrox-BSD

    (@beeblebrox-bsd)

    Hi.

    “Try to reinstall the plugin and let’s see if the wordfence-waf.php populates”

    I had already done that prior to your answer – nothing different happened.

    Multiple .htaccess files are located under the top level folder worpressp/wp-content/plugins/wordfence, but no wordfence-waf.php.

    1. From your comment, am I to gather that wf-waf.php gets created on the end point post install, and does not come pre-packaged in the download?
    2. Can you send me an example of that file? I can’t find anything through search.

    Regards.

  • The topic ‘Optimize Wordfence Manually for Lighttpd’ is closed to new replies.