Optimizing The Firewall

The Wordfence Firewall has a feature that allows the Firewall to be loaded before any other code loads. This provides the highest level of protection and we refer to this as "extended protection". In order to get extended protection, you have to go through a short configuration procedure.

Basic WordPress Protection vs. Extended Protection

When you first install Wordfence on your website, Basic WordPress Protection will automatically be activated. The plugin will load as a regular plugin after WordPress loads. While it can block many malicious requests, some vulnerable plugins or WordPress itself may run vulnerable code before all plugins are loaded. Additionally, attackers can access some plugin, core, or theme files directly, and in that case, your server will not load the firewall to protect you.

In the optimization process, Wordfence changes the PHP configuration to allow the firewall to load on your site before WordPress or any other PHP files that may be directly accessible. Depending on your server’s configuration, this may require changes to the files .htaccess, .user.ini, or php.ini. Wordfence first prompts you to download backup copies of these files before they’re modified, in case the server is configured in a way that the changes will not work. Once you complete the optimization steps, the firewall will process all PHP requests. You now have Extended Protection.

Firewall Optimization Setup

When you first install the Wordfence Web Application Firewall, at the top of WordPress admin pages, you will see: “To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall:” Click the “Click here to configure” button.

You are now taken to the Firewall Options page which will display the “Optimize Wordfence Firewall” dialogue. The correct optimization server configuration will be automatically selected for you. You should not need to change this option, but you can, if you know that it’s not detecting your server configuration correctly. (If you are on a host that does not support any of our default configurations you will have to select the “Manual configuration” option. If you are on SiteGround hosting, we recommend manual configuration. For further instructions, see Alternative Setups below.)

Click to download backups of .htaccess and/or .user.ini if you are prompted to do so. If you run into any issues during the Optimization procedure, you can use FTP/SSH or any file manager your web host may be providing to upload the backup files to the root of your WordPress installation to undo what the configuration did. Once you have downloaded the files, you can click “Continue” to complete the setup.

Your setup should now be complete. On some hosts, you may have to wait up to 5 minutes for the change to take effect.

If you don’t want to set up the firewall right now, you can dismiss the notice. Setup will still be available on the Firewall page if you want to set up Extended Protection in the future.

Alternative Setups

On SiteGround and other similar hosts that use cPanel:

Some hosts do not support the use of .user.ini files. This does not occur on all cPanel hosts, but only on those with a specific configuration. For these hosts, you can optimize the firewall manually by setting the PHP value auto_prepend_file directly in your php.ini. Please note that the instructions for manual setup in this section are for Wordfence versions 7.1.2 and higher. If you are using an older Wordfence version, contact Wordfence support for assistance.

After attempting the installation on SiteGround and similar hosts, the Firewall file “wordfence-waf.php” will be created in the site’s root, but you will see a notice that the firewall is still not optimized. To complete Manual Configuration:

1. Click again to “Optimize the Wordfence Firewall”.

2. Select “Manual Configuration” and press “Continue”.

3. Take note of the auto_prepend_file file path displayed.

4. Go to your site’s cPanel, and click the PHP Variables Manager icon.

5. Click the link that says “public_html”.

6. Enter “auto_prepend_file” as the variable name, click the “Add” button, and then enter the path to wordfence-waf.php

7. Turn on the checkbox “Apply changes to all sub-directories” and click Save.

Click here for screenshots that demonstrate steps 4-7 above.

If the site will not load properly, check the path you entered to be sure there are no extra letters, quotes, slashes, etc. in the PHP Variables Manager. If it still will not work, you can try deleting the path and saving the settings to return the site to its previous state and try again.
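The path check described above can also be done from a shell on the server. The following is an added example, not Wordfence's own code: it lists each auto_prepend_file setting in the config files this page names and reports whether the file it points to exists. The `check_prepend` name and the `php_value` form for .htaccess are assumptions, and the sample site root is constructed.

```bash
#!/usr/bin/env bash
# Added example, not Wordfence's own code: list every auto_prepend_file
# setting under a site root and say whether the file it names exists.

# Print "file<TAB>path<TAB>ok|missing" per setting found in the three config
# files this page names. The php_value form for .htaccess is an assumption.
check_prepend() {
    local root=$1 f line path status
    for f in "$root/.user.ini" "$root/php.ini" "$root/.htaccess"; do
        [ -f "$f" ] || continue
        # Anchoring at line start skips commented-out (; or #) settings.
        grep -E '^[[:space:]]*(php_value[[:space:]]+)?auto_prepend_file' "$f" |
        while IFS= read -r line; do
            # Strip the directive name, "=", and one pair of surrounding quotes.
            path=$(printf '%s\n' "$line" | sed -E \
                -e 's/^[[:space:]]*(php_value[[:space:]]+)?auto_prepend_file[[:space:]]*=?[[:space:]]*//' \
                -e 's/[[:space:]]+$//' -e "s/^[\"']//" -e "s/[\"']\$//")
            if [ -f "$path" ]; then status=ok; else status=missing; fi
            printf '%s\t%s\t%s\n' "${f##*/}" "$path" "$status"
        done
    done
}

# Constructed site root: .user.ini is correct, php.ini has an extra pair of
# quotes around the path, which PHP would treat as part of the file name.
demo=$(mktemp -d)
touch "$demo/wordfence-waf.php"
printf "auto_prepend_file = '%s/wordfence-waf.php'\n" "$demo" > "$demo/.user.ini"
printf "auto_prepend_file = \"'%s/wordfence-waf.php'\"\n" "$demo" > "$demo/php.ini"
check_prepend "$demo"
```

A `missing` status means PHP is being told to prepend a file that is not there, which is the usual cause of the site failing to load after manual configuration.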

Using php.ini with multiple sites on a single hosting account

If you have multiple sites on a single hosting account and need to use php.ini as described in the previous section, you may need to add a similar php.ini file in each individual site’s subdirectory. In this case, you may also need to add code like this in each additional site’s .htaccess file, to tell PHP which php.ini file to use:

SetEnv PHPRC /home/user/public_html/sitename/php.ini

You will need to adjust the path for your site and the site’s directory name before adding this to the .htaccess file. If the subdirectory site’s .htaccess file already has a similar line, this change may not be needed. Note: Some hosts may require PHPRC to show the path without “php.ini” at the end.

Hiding .user.ini if your server runs NGINX

The .user.ini file that Wordfence creates can contain sensitive information, and public access to it should be restricted. If your server runs NGINX you have to do this manually. Append the following directives to the server context of your nginx.conf file:

location ~ ^/\.user\.ini {
    deny all;
}

If your WordPress installation resides in a subdirectory, you should add the path portion of the URL to the pattern:

location ~ ^/wordpress/\.user\.ini {
    deny all;
}

Removing The Optimization

Removing the optimization will remove the Firewall files in /wflogs/ and the code installed in .htaccess and .user.ini. On the Firewall Options page, under Protection Level, click the button that says Remove Extended Protection. This will prompt you to save backups of relevant files, and then will remove the Wordfence firewall portions of those files automatically. Depending on your server’s configuration, it may ask you to wait 5 minutes for a specific type of cache to expire on your server.

Alternately, you can remove the firewall setup files and related code by enabling “Delete Wordfence tables and data on deactivation” near the bottom of the Wordfence options page, and then deactivating Wordfence. This method will reset Wordfence’s options entirely after you reactivate it, since it removes all Wordfence tables and data.

Important: If you have performed a manual configuration via cPanel as described in the Alternative Setups section above, you need to remove the auto_prepend_file value from the PHP variables manager manually. This will typically be the case if you are on SiteGround hosting.

Remove the Optimization manually

Depending on your server’s setup, you may have changes in the files .htaccess, .user.ini, and php.ini, all in the site’s main directory. Wordfence surrounds its code with comments “Wordfence WAF” and “END Wordfence WAF” in the files it modifies. You can remove the code between these comments in these files:

  • .htaccess code varies by server configuration, but is surrounded by the comments mentioned above
  • .user.ini is only used on some server configurations, but if it exists, Wordfence code is surrounded by the comments mentioned above
  • php.ini is only used on some server configurations, and would have a single line beginning with “auto_prepend_file”

You can then remove the file wordfence-waf.php in the site’s root folder after the files above are updated.

Important: If your host uses .user.ini or a PHP cache, the changes can take 5 minutes or so to go into effect. You may see white screens or error messages during this period.
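The manual removal steps above can be scripted so that a backup is always kept and a damaged marker pair never truncates a file. This is an added example, not Wordfence's own code: the function names and the `.bak-wf` suffix are hypothetical, the comment prefixes (`#` or `;`) in front of the markers are an assumption, and the sample .htaccess is constructed.

```bash
#!/usr/bin/env bash
# Added example, not Wordfence's own code. Assumption: the marker comments
# begin with "#" (.htaccess) or ";" (ini files); the page gives only their text.

# Print FILE without its Wordfence WAF block(s). Prints nothing and returns 1
# when the markers are unbalanced, so a lost END marker cannot eat the file.
strip_wf_block() {
    awk '
        /^[ \t]*[#;][ \t]*END Wordfence WAF/ { if (!inblk) bad = 1; inblk = 0; next }
        /^[ \t]*[#;][ \t]*Wordfence WAF/     { if (inblk) bad = 1; inblk = 1; next }
        !inblk { out = out $0 "\n" }
        END    { if (bad || inblk) exit 1; printf "%s", out }
    ' "$1"
}

# Print a php.ini without the auto_prepend_file line that loads wordfence-waf.php.
strip_prepend_line() {
    awk '!(/^[ \t]*auto_prepend_file/ && /wordfence-waf\.php/)' "$1"
}

# Keep a copy as FILE.bak-wf, then rewrite FILE through the given filter.
apply_clean() {
    local filter=$1 f=$2 tmp
    tmp=$(mktemp) || return 1
    if "$filter" "$f" > "$tmp" && cp -p "$f" "$f.bak-wf"; then
        cat "$tmp" > "$f"; rm -f "$tmp"
    else
        echo "left $f unchanged (unbalanced markers or backup failed)" >&2
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample .htaccess for a dry run; run the functions on real files
# only from the site's main directory and keep the generated backups.
demo_dir=$(mktemp -d)
printf '%s\n' 'RewriteEngine On' '# Wordfence WAF' \
    "php_value auto_prepend_file '/home/user/public_html/wordfence-waf.php'" \
    '# END Wordfence WAF' 'Options -Indexes' > "$demo_dir/.htaccess"
apply_clean strip_wf_block "$demo_dir/.htaccess" && cat "$demo_dir/.htaccess"
```

Delete wordfence-waf.php only after every file that referenced it has been cleaned, otherwise PHP will keep trying to prepend a file that no longer exists.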


If installation completes without errors but the firewall still shows Basic WordPress Protection: Some servers have a delay, usually only up to 5 minutes, before the changes take effect, due to caching. If this is the case, waiting for 5 minutes and checking again will solve the issue. If the “Click here to configure” button still appears after completing setup and waiting about 5 minutes, your host may not use the typical configuration files, such as .user.ini.

[More about troubleshooting Firewall Optimization]