What IS the Wordfence Web Application Firewall?
The Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website. Powered by the Threat Defense Feed, it is automatically updated with new firewall rules that protect you from the latest threats. Even if you are running a vulnerable plugin or theme, Wordfence will protect you from being hacked by blocking attacks based on known and constantly updated attack patterns.
Wordfence protects you from new and emerging threats
The Wordfence Forensic Lab is constantly adding new firewall rules to the Threat Defense
When the Wordfence Web Application Firewall is first installed, at the top of WordPress admin pages, you will see “To make your site as secure as possible, take a moment to setup the Wordfence Web Application Firewall.”
When you click the “Click here to configure” button, the setup page will detect the server configuration for your site. You should not need to change this option, but you can, if you know that your server configuration is not detected correctly. Click the Continue button.
The next page may recommend downloading one or more files (.htaccess and .user.ini) for backup purposes, in case your host does not support this setup. You can upload the backup files to your site if there are any problems. Once you have downloaded the files, you can click Continue to complete the setup.
On some hosts, you may have to wait up to 5 minutes, for the change to take effect.
Solutions to Error Messages and Setup Issues
SiteGround and other hosts without .user.ini support
If the “Click here to configure” button still appears after completing setup and waiting about 5 minutes, your host may not use the typical configuration files, such as .user.ini.
On SiteGround other other similar hosts that use cPanel:
- After attempting the installation, click the “Click here to configure” button again
- Look at the line that says something like: auto_prepend_file = ‘/home/username/public_html/wordfence-waf.php’
- Copy the “path” that appears between the quotes – yours will be different. In this example: /home/username/public_html/wordfence-waf.php
- Go to your site’s cPanel, and click the PHP Variables Manager icon
- Click the link that says “public_html”
- Enter “auto_prepend_file” as the variable name, and paste the path that you copied
- Turn on the checkbox “Apply changes to all sub-directories” and click Save
If the site will not load properly, check the path you pasted to be sure there are no extra letters, quotes, slashes, etc. in the PHP Variables Manager. If it still will not work, you can try deleting the path and saving the settings, to return the site to its previous state and try again.
Using php.ini with multiple sites on a single hosting account
If you have multiple sites on a single hosting account and need to use php.ini like in the cases above, you may need to add a similar php.ini file for each additional site, in each site’s subdirectory. In this case, you may also need to add code like this in each additional site’s .htaccess file, to tell PHP which php.ini file to use:
SetEnv PHPRC /home/user/public_html/sitename/php.ini
You will need to adjust the path for your site and the site’s directory name, before adding this to the .htaccess file. If the subdirectory site’s .htaccess file already has a similar line, this change may not be needed.
Note: Some hosts may require PHPRC to show the path without “php.ini” at the end.
Other security plugins
Some security plugins can change permissions of files and directories. If you have a security plugin that does that, you can temporarily turn off those options, run the firewall setup, then re-enable those options. When these features are enabled, you may see the messages in the Error messages section.
If you see error messages about file permissions, check if you have another security plugin that changes permissions, and temporarily set the files or directories to be writable. If you have previously set file permissions manually, make sure that the web server user can write to these files or directories temporarily.
This only needs to be done during the initial firewall setup process, so you can re-enable other security measures after setup is complete.
Possible error messages include:
- We were unable to create the wordfence-waf.php file in the root of the WordPress installation
- This means that new files cannot be written to the main folder of your site
- We were unable to make changes to the .htaccess file.
- Check to make sure that the .htaccess file can be written by the web server user, and then try the process again
- We were unable to make changes to the .user.ini file.
- Some server configurations need this file in addition to .htaccess
- Some hosts may use a different filename
- If you don’t already have the file mentioned in the message, make sure the main folder of the site is writable
Each of these issues can be solved by temporarily disabling permissions changes made by other security plugins, or by manually adjusting permissions.
Other installation issues
If you have other security measures that prevent the necessary files from being updated, or if you have manually set file permissions, you can set up the firewall manually. When you click the “Click here to configure” button, follow the directions at the bottom of the page below the Alternate Method heading.
Depending on your server configuration, you may be prompted to create wordfence-waf.php, and edit or create .htaccess or .user.ini files in the site’s main directory.