WF related problems moving to shared hosting – Feedback and a question
-
First, let me say that I really do love Wordfence and I respect the work you guys do. What I’m about to say is not meant to be harsh, just feedback from my experience and how WF made it harder to do the work I needed to do and in the hopes that others who search can find this instead of having to reinstall their sites or take other drastic steps and maybe to let the WF developers know more about what’s breaking the uploads folders for some people.
This weekend, I moved 2 wordpress sites from my dedicated server to a shared webhosting package. During the move, wordpress was upgraded to 4.52 from I think it was 4.51. Wordfence was also upgraded to 6.1.6 and Jetpack was also upgraded.
As I tried to fire up the site for the first time, I got the White Screen of Death. The first thing I did was rename the plugins and themes directories. Then I moved on to a bunch of the other reasons for the WSOD and was about to replace some directories but then remembered the error logs I’d seen in the cPanel. Searching through the error logs, I saw a reference to a path from the old server. Something hard coded.
I did a search and found it in .user.ini which referred to wordfence-waf.php Upon changing it to a valid path, the site came back up immediately. This is a little unfriendly for a number of reasons. Anyone who changes hosts, or even if I’d done a rebuild on my own server and the path had changed, it would have broken. I think I get the reason that this is done – so that it’s (one of) the first things loaded for security sake but it’s pretty fragile and can (and did) take a whole site down – even with the plugins “disabled”.
Now that the site was up, I had everything working except for photos. After exhausting the usual suspects (and trying to work through the differences between my Ubuntu Linux setup and their Ubuntu Linux setup), I finally found another error log. This one was complaining about:
"Invalid command 'php_flag', perhaps mis-spelled or defined by a module not included in the server configuration"The offender was the .htaccess file in uploads. Now, there were 2 entries in this file – one looks like it comes from WF and one might not? The problem with using this flag is that while it worked on my dedicated server, the shared hosting uses suExec or suPHP – and this code is not allowed in .htaccess.
In order to bring the site up, I commented the first occurrence but the one in the if statement seemed not to make the site panic.
php_flag engine off <Files *.php> deny from all </Files> # BEGIN Wordfence code execution protection <IfModule mod_php5.c> php_flag engine 0 </IfModule> AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI # END Wordfence code execution protectionbecame
// php_flag engine off <Files *.php> deny from all </Files> # BEGIN Wordfence code execution protection <IfModule mod_php5.c> php_flag engine 0 </IfModule> AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI # END Wordfence code execution protectionI get why it’s not in a php.ini – the contents of php.ini are not inherited into sub-folders and would make it moot but this code the way it is has the potential to break a lot of sites like it did mine. Is there any other way to implement this and how have I compromised the protection/security of my sites?
Resources I used to figure this out:
https://forums.glowhost.com/knowledge-base/error-php_flag-php_value-errors-how-fix-them-721.htmlThe second paragraph here talks about the lack of inheritance:
https://forums.cpanel.net/threads/invalid-command-php_value-perhaps-mis-spelled-or-defined-by-a-module-not-included.184931/
- The topic ‘WF related problems moving to shared hosting – Feedback and a question’ is closed to new replies.
