WAF auto prepend

Hello @chucknology and thanks for reaching out to us!

Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

I should be able to see where you are in the process and what we need to do to complete it.

Thanks!

Diagnostic report has been sent successfully.

Thanks for sending that diagnostic @chucknology

Looks like your Server API is CGI/FastCGI. In order to optimize the firewall, we will have to do the following:

This code will go in your user.ini(should be in the root directory along side your htaccess and wordfence-waf.php) file:

; Wordfence WAF
auto_prepend_file = '/path/to/waf/wordfence-waf.php'
; END Wordfence WAF

You will want to edit the path to the wordfence-waf.php. If you are unsure of the path, you can check your Wordfence > Tools > Diagnostic page in the Wordfence Firewall section.

This goes in .htaccess:

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
# END Wordfence WAF

Once these are in place, your WAF should then be optimized. Let me know what you find or if you have questions!

Thanks!

Hi,

I checked on my server but I don’t have a user.ini file. Not in my root, neither in my subdirs where I have wordpress installed (with subdomains).

If it currently doesn’t exist, you could create it. Its actual name will be “.user.ini”

Let me know what you find!

Thanks!

Unfortunately it doesn’t change a thing.
I received this from my hosting company Hetzner:
You can’t edit the php configuration in any user.ini files. Please use the .htaccess line I’ve sent you before to set the auto_prepend_file value. You need to add the path to wordfence-waf.php in as the value.
What they send me before:
you should be able to do that by adding this to your .htaccess file:
—————–%<—————–
php_value auto_prepend_file “./file.php”
—————–%<—————–

What host are you using, if you don’t mind me asking?

Let’s try to set that in the htaccess file at their recommendation. Make sure to change the ./file.php to the file path of your wordfence-waf.php file.

Let me know how this goes! I am excited to see the results.

Thanks!

I have recently set up an installation of WordPress on a Hetzner host and confirm that this works. I put that line first in .htaccess and set the correct path to wordfence-waf.php.

@xenein did you use the complete path starting with ‘/usr/www/users’ and so on and do you have your wp installed in a subdir?

@wfadam I’m at Hetzner hosting company. I already used the following:

php_value auto_prepend_file “/path/mentioned/in/tools/section/wordfence-waf.php”

or do I need th eone with the point?
php_value auto_prepend_file “./path/mentioned/in/tools/section/wordfence-waf.php”

Stumbled suddenly upon the following:
Had to put the code in between following tags in my .htaccess:
<IfModule lsapi_module>

</IfModule>

It works now.

shouted too soon victory.
after adding the code it showed Yes in WAF auto prepend active and the message ‘optimize the firewall’ was gone. After a refresh the value WAF auto prepend active changed back to no…..waiting on Hetzner now with a solution…….

@chucknology yes, full path. WordPress is located in the document root. So, not a subfolder, but that should not make much of difference?

my wordpress is installed in a subdir. so I inserted the full path to this dir as mentioned in wordfence tools diagnostics like: /usr/www/users/……