caseybea
Forum Replies Created
I may have to go ahead and force this in php.ini but that makes me super unhappy.
Because with that, the firewall now cannot be “managed” (enabled, disabled) without stopping php and disabling it in php.ini and restarting everything.
And I also do not know what the effect of having that auto_prepend in php.ini will have on OTHER php code (non-wordpress) that our site serves up.
I wonder, with all the complexities that php-fpm introduces, if wordfence can’t manage this some other way in the future. This was all a non-problem and all worked perfectly when using the older apache php handler. But php-fpm is a bit more tricky…..!
Then it appears my setup– (apache home not the same as wordpress home, which is a perfectly valid setup), and php-fpm is unusable. Wow.
With plugins and themes and such, there’s almost a thousand directories.
Well the soft link works better than actual files because then if the firewall needs to be disabled it works.
Is putting it just in wp-admin enough to ensure the firewall is always working?
Of course the long-term solution is using the CONTEXT root not document root. But you said we can’t do that until PHP8. Oy.
Is there a directory that I can place an additional .user.ini (or a link) that wordfence WILL see in my case? ie, in /wp-admin or…?
========================
EDIT: Taking a shot in the dark, in /wp-admin I created a soft link to the full real path to the .user.ini.
Wordfence now recognizes the enhanced protection and it seems that works.
- This reply was modified 4 years, 4 months ago by caseybea.
Also, I would like to revisit my question about what I mentioned before: In that the other wordfence diagnostic which DOES show the auto_prepend working (which means, the .user.ini was read).
So, it feels like to me that wordfence’s environment behavior is a bit inconsistent, depending on what script is running.
THIS wordfence diagnostic shows the auto_prepend is ok:
wordfence… tools… diagnostics… other tests… SHOW SYSTEM INFO
Yet, this wordfence diagnostic shows it’s not working:
wordfence… tools… diagnostics… EXPORT (or email)
So why does one work, and the other does not?
This seems to be totally inconsistent…..
The apache document root and the wordpress roots are different.
I am editing the following with slightly changed names here:
from the diagnostics I see:
$_SERVER['SCRIPT_FILENAME'] /mysite/wordpress/wp-admin/admin-ajax.php
$_SERVER['SERVER_ADMIN'] root@localhost
$_SERVER['CONTEXT_DOCUMENT_ROOT'] /mysite/wordpress
$_SERVER['CONTEXT_PREFIX'] /wordpresshome
$_SERVER['REQUEST_SCHEME'] https
$_SERVER['DOCUMENT_ROOT'] /mysite/www
In our case, “/mysite/www” is indeed the APACHE document root, but all the wordpress stuff lives in: “/mysite/wordpress”. The wordpress stuff is all accessed via https://mysite.com/wordpresshome/….
The CONTEXT ROOT is correct.
Is there a way I can force php to look elsewhere than the “DOCUMENT_ROOT” ?
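The behaviour described in this post follows from the rule PHP's CGI/FPM SAPI uses to find .user.ini files: when the script's directory lies inside DOCUMENT_ROOT, every directory from DOCUMENT_ROOT down to the script's directory is scanned (deeper files override shallower ones); when it lies outside DOCUMENT_ROOT, as /mysite/wordpress does with DOCUMENT_ROOT=/mysite/www, only the script's own directory is read. The Python below is an added example, not code from this thread, from Wordfence or from PHP; it re-implements that lookup (as read from php_cgi_ini_activate_user_config in PHP's sapi/fpm/fpm/fpm_main.c) over the paths quoted above, so the outcome of a request can be checked without a web server. The file layout, the ENTRY_POINTS list and the example-plugin/standalone.php path are constructed for illustration and are not from the page.

```python
import posixpath

# Constructed layout taken from the thread: Apache DOCUMENT_ROOT is /mysite/www,
# WordPress lives outside it in /mysite/wordpress (the CONTEXT_DOCUMENT_ROOT).
DOC_ROOT = "/mysite/www"
WP_ROOT = "/mysite/wordpress"
WAF_INI = {"auto_prepend_file": WP_ROOT + "/wordfence-waf.php"}

# .user.ini files present on disk -> their settings (constructed).
BEFORE = {WP_ROOT + "/.user.ini": WAF_INI}            # the file Wordfence writes
AFTER = dict(BEFORE, **{WP_ROOT + "/wp-admin/.user.ini": WAF_INI})  # plus the symlink

ENTRY_POINTS = [  # scripts a browser can request directly (constructed list)
    WP_ROOT + "/index.php",
    WP_ROOT + "/wp-login.php",
    WP_ROOT + "/xmlrpc.php",
    WP_ROOT + "/wp-admin/admin-ajax.php",
    WP_ROOT + "/wp-admin/admin-post.php",
    WP_ROOT + "/wp-content/plugins/example-plugin/standalone.php",  # hypothetical plugin
]


def user_ini_dirs(script_filename, document_root):
    """Directories PHP-FPM consults for .user.ini, in the order they are applied."""
    path = posixpath.dirname(script_filename)
    if not path.endswith("/"):
        path += "/"                      # the C code always works on a trailing-slash path
    doc_root = document_root.rstrip("/")
    # PHP compares only the shorter of the two lengths (strncmp in the C source).
    if len(path) > len(doc_root):
        s1, s2, n = doc_root, path, len(doc_root)
    else:
        s1, s2, n = path, doc_root, len(path)
    if s1[:n] != s2[:n]:
        # Outside DOCUMENT_ROOT: only the script's own directory is read.
        return [path.rstrip("/")]
    # Inside DOCUMENT_ROOT: truncate at every slash after the doc root and read
    # each prefix, so a deeper .user.ini overrides a shallower one.
    dirs, pos = [], len(doc_root)
    while (slash := s2.find("/", pos)) != -1:
        dirs.append(s2[:slash])
        pos = slash + 1
    return dirs


def effective_settings(script_filename, document_root, ini_files):
    """Merge the .user.ini files PHP would read for this request, in order."""
    settings = {}
    for d in user_ini_dirs(script_filename, document_root):
        settings.update(ini_files.get(d + "/.user.ini", {}))
    return settings


def unprotected_entry_points(entry_points, document_root, ini_files):
    """Scripts for which no auto_prepend_file is in effect, i.e. requests that
    would run WordPress code without the WAF prepend being loaded first."""
    return [s for s in entry_points
            if "auto_prepend_file" not in effective_settings(s, document_root, ini_files)]


if __name__ == "__main__":
    for label, inis in (("before symlink", BEFORE), ("after symlink", AFTER)):
        print(label, "->", unprotected_entry_points(ENTRY_POINTS, DOC_ROOT, inis))
    # If PHP saw the WordPress root as DOCUMENT_ROOT, the one file at the top would cover all.
    print("doc root = WP root ->", unprotected_entry_points(ENTRY_POINTS, WP_ROOT, BEFORE))
```

Run as written, it reproduces the two observations in the thread: a phpinfo page dropped into /mysite/wordpress sees the prepend because its own directory holds the .user.ini, while wp-admin/admin-ajax.php (the SCRIPT_FILENAME behind the export diagnostics) does not until wp-admin has its own copy or link. unprotected_entry_points() also answers whether the wp-admin copy alone is enough: with this DOCUMENT_ROOT every directory that serves a directly requested .php file needs its own .user.ini, whereas with DOCUMENT_ROOT at the WordPress root the single file at the top is inherited by every subdirectory. A regular copy behaves the same as the symlink in this model; the only difference is that a link tracks later changes to the original file.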
(note it’s just “www.conf” without any http— the forum editor did that)
OK, I am honestly stuck here.
Per the wordfence packed-up (export or email) diagnostics, I see that no, the auto_prepend is not there. BUT: If I look at my system config this way: Wordfence.. Tools… Diagnostics… Other Tests… “Click to see your system’s configuration”, I get a phpinfo display that **DOES** show the prepend correctly.
(here’s the line copied from the display)
auto_prepend_file /rgd/wordpress/wordfence-waf.php no value
I am enclosing both my php.ini and www.conf files and you’ll see I do not have the prepend set or overridden here.
I welcome any ideas…..
PHP.INI (with comment lines removed)
===================================
[PHP]
short_open_tag = Off
user_ini.filename = ".user.ini"
engine = On
short_open_tag = Off
asp_tags = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 100
disable_functions =
disable_classes =
zend.enable_gc = On
expose_php = On
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = Off
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 100M
auto_append_file =
default_mimetype = "text/html"
doc_root =
user_dir =
enable_dl = Off
file_uploads = On
upload_max_filesize = 100M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
extension=oci8.so
[CLI Server]
cli_server.color = On
[Date]
date.timezone = America/Chicago
[filter]
[iconv]
[intl]
[sqlite]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
sendmail_path = /usr/sbin/sendmail -t -i
mail.add_x_header = On
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQL]
mysql.allow_local_infile = On
mysql.allow_persistent = On
mysql.cache_size = 2000
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = 60
mysql.trace_mode = Off
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[Sybase-CT]
sybct.allow_persistent = On
sybct.max_persistent = -1
sybct.max_links = -1
sybct.min_server_severity = 10
sybct.min_client_severity = 10
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = Off
session.bug_compat_warn = Off
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[MSSQL]
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatability_mode = Off
mssql.secure_connection = Off
[Assertion]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
www.conf (with comment lines removed)
===================================
[www]
user = apache
group = apache
listen = /run/php-fpm/www.sock
listen.acl_users = apache
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
slowlog = /var/log/php-fpm/www-slow.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
I don’t have the prepend set in EITHER php.ini or the php-fpm pool. It’s a fairly simplistic setup.
And oddly enough, accessing a phpinfo (via web browser) I plopped in the wordpress directory DOES show the auto prepend file correct, yet the internal WAF diagnostics do not.
I will poke around and try to figure out why the prepend from .user.ini is not working. At least I can see from “within” wordfence the diagnostics which may help
I’ll keep you posted
Peter- thank you for taking the time to assist.
I just sent the report.