• Resolved fjhookah

    (@fjhookah)


    Note: Ubuntu, Apache2, php, mysql, WP and WF are on the latest release versions. Hi, I’m setting up a new self-hosted website on an Ubuntu 22.04 server running Apache2 with a new fresh install of WordPress. My config makes use of the .htaccess file. I’ve had WordFence installed for a few days in learning mode. Tonight, I changed the Firewall to extended protection after making options/settings adjustments in the plugin. The WF plugin adds the following to my .htaccess file within the site’s WordPress directory:

    # Wordfence WAF
    <IfModule mod_php5.c>
            php_value auto_prepend_file '/var/www/mydomain.com/wordpress/wordfence-waf.php'
    </IfModule>
    <IfModule mod_php7.c>
            php_value auto_prepend_file '/var/www/mydomain.com/wordpress/wordfence-waf.php'
    </IfModule>
    <IfModule mod_php.c>
            php_value auto_prepend_file '/var/www/mydomain.com/wordpress/wordfence-waf.php'
    </IfModule>
    #<Files ".user.ini">
    #<IfModule mod_authz_core.c>
    #       Require all denied
    #</IfModule>
    #<IfModule !mod_authz_core.c>
    #       Order deny,allow
    #       Deny from all
    #</IfModule>
    #</Files>
    
    # END Wordfence WAF

    You have likely noticed that I’ve commented out the <Files “.user.ini”> section, because it breaks my site with a 500 error stating a misconfiguration problem. The WF Firewall dashboard still shows that my protection level is Extended even without the <Files “.user.ini”> .htaccess entry active. I don’t have a .user.ini file in my site’s directory (the location of my .htaccess file). I’m using php v8.1. My php.ini shows that the “auto_prepend_file | /var/www/mydomain.com/wordpress/wordfence-waf.php | no value” setting is accurate. I’ve confirmed that my php.ini is the active and correct file being used by WordPress.

    Please help me understand why the plugin is adding the <Files “.user.ini”> section to my .htaccess file, and also, why that section breaks my site completely. Lastly, I have confirmed that my Apache2 passes the configtest. With the <Files “.user.ini”> commented out, my site runs as expected. I’m all out of troubleshooting options. I appreciate any advice or clarification you can offer.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @fjhookah and thanks for reaching out to us!

    The line you’re seeing is added to the .htaccess file to hide the .user.ini file from being viewed publicly on your site, as a security measure. Strange that it is causing your site to crash because if the file didn’t exist, which on your setup it looks like it doesn’t, it should just not do anything. A diagnostic might help me look into this issue more.

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks again!

    Thread Starter fjhookah

    (@fjhookah)

    Hi Adam,

    The diagnostics report has been submitted. In my .htaccess file, the WAF statement for the Files .user.ini issue, it’s the “Require all denied” that breaks my site. Keep in mind, my system doesn’t even use cgi/fastcgi, which means it does not make use of .user.ini file. Why would WAF not know that during its installation?

    Plugin Support WFAdam

    (@wfadam)

    Thanks for sending that!

    Looking at the diagnostic, your site should be set up as Apache + mod_php (Apache 2.0 Handler). Which would mean you would ONLY need the following:

    This goes in the .htaccess but %d needs to be replaced with an integer (PHP branch number)

    NOTE: PHP 8 does not require an integer, see example below.

    # Wordfence WAF
    <IfModule mod_php%d.c>
    php_value auto_prepend_file '/path/to/wordfence-waf.php'
    </IfModule>
    # END Wordfence WAF

    Example for PHP 7:

    # Wordfence WAF
    <IfModule mod_php7.c>
    php_value auto_prepend_file '/path/to/wordfence-waf.php'
    </IfModule>
    # END Wordfence WAF

    Example for PHP 8:

    # Wordfence WAF
    <IfModule mod_php.c>
    php_value auto_prepend_file '/path/to/wordfence-waf.php'
    </IfModule>
    # END Wordfence WAF

    Anything else that is present can be removed, including the .user.ini mention.

    The setup wizard for the WAF optimization is about 95% accurate when it detects the Server API but sometimes if it isn’t sure, it will default to CGI/FASTCGI, which is what I am assuming happened in your case.

    Let me know if this resolves your issue.

    Thanks again!
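
An added example (not part of the thread and not Wordfence's own code): a small Python audit of the block between the `# Wordfence WAF` markers, applying the module-name rule from the reply above to report which `<IfModule>` sections are needed for a given PHP major version and whether the `.user.ini` rule is active. The helper names and the sample input are constructed for illustration.

```python
import re

# Constructed input: the block from the first post, with the .user.ini
# section left active (uncommented) as the plugin originally wrote it.
SAMPLE_HTACCESS = """\
# Wordfence WAF
<IfModule mod_php5.c>
        php_value auto_prepend_file '/var/www/mydomain.com/wordpress/wordfence-waf.php'
</IfModule>
<IfModule mod_php7.c>
        php_value auto_prepend_file '/var/www/mydomain.com/wordpress/wordfence-waf.php'
</IfModule>
<IfModule mod_php.c>
        php_value auto_prepend_file '/var/www/mydomain.com/wordpress/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
        Require all denied
</IfModule>
</Files>
# END Wordfence WAF
"""

def expected_module(php_major):
    # mod_php%d.c, where %d is the PHP branch number; PHP 8 takes no integer.
    return "mod_php.c" if php_major >= 8 else f"mod_php{php_major}.c"

def audit_waf_block(htaccess_text, php_major):
    """Hypothetical helper: summarise the active lines of the Wordfence block."""
    block = re.search(r"^# Wordfence WAF$(.*?)^# END Wordfence WAF$",
                      htaccess_text, re.S | re.M)
    if block is None:
        return None  # no Wordfence markers in this file
    # Lines starting with '#' are comments to Apache, so they are inactive.
    active = [l.strip() for l in block.group(1).splitlines()
              if l.strip() and not l.strip().startswith("#")]
    text = "\n".join(active)
    modules = re.findall(r"<IfModule\s+(mod_php\d*\.c)>", text)
    wanted = expected_module(php_major)
    return {
        "needed_block_present": wanted in modules,
        "removable_blocks": [m for m in modules if m != wanted],
        "user_ini_rule_active": bool(re.search(r'<Files\s+"?\.user\.ini"?>', text)),
        "prepend_paths": sorted(set(re.findall(
            r"php_value\s+auto_prepend_file\s+['\"]?([^'\"\s]+)", text))),
    }

if __name__ == "__main__":
    print(audit_waf_block(SAMPLE_HTACCESS, 8))
```
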

    Thread Starter fjhookah

    (@fjhookah)

    Aye, I have kept the <Files “.user.ini”> section commented out since the issue first happened. Thanks for looking into the issue.

    Plugin Support WFAdam

    (@wfadam)

    Anytime! Just let us know if you have any other questions. We would be glad to assist.

  • The topic ‘WP on Ubuntu 22.04 w/ Apache Server – .htaccess WAF entry breaks site’ is closed to new replies.