Optimizing The Firewall

The Wordfence Firewall has a feature that allows the Firewall to be loaded before any other code loads. This provides the highest level of protection and we refer to this as "extended protection". In order to get extended protection, you have to go through a short configuration procedure.

Basic WordPress Protection vs. Extended Protection

When you first install Wordfence on your website, you’ll automatically activate Basic WordPress Protection. The plugin will load as a regular plugin after WordPress loads, but while it can block many malicious requests, some vulnerable plugins or WordPress itself may run vulnerable code before all plugins are loaded. Additionally, attackers can access some plugin, core, or theme files directly, and in that case, your server will not load the firewall to protect you.

In the optimization process, Wordfence changes the PHP configuration to allow the firewall to load on your site before WordPress or any other PHP files that may be directly accessible. Depending on your server’s configuration, this may require changes to the files .htaccess, .user.ini, or php.ini. Wordfence first prompts you to download backup copies of these files before they’re modified, in case the server is configured in a way that the changes will not work. Once you complete the optimization steps, the firewall will process all PHP requests. You now have Extended Protection.

Firewall Optimization Setup

  1. When you first install the Wordfence Web Application Firewall, at the top of WordPress admin pages, you will see: “To make your site as secure as possible, take a moment to setup the Wordfence Web Application Firewall.” Click the “Click here to configure” button.
  2. You are now taken to a setup page which will detect the server configuration for your site. You should not need to change this option, but you can, if you know that it’s not detecting your server configuration correctly. Click the “Continue” button.
  3. The next page may recommend downloading one or more files (.htaccess and .user.ini) for backup purposes. If you run in to any issues during the Optimization procedure, you can upload the backup files to your site to undo what the configuration did. Once you have downloaded the files, you can click “Continue” to complete the setup. Your setup should now be complete. On some hosts, you may have to wait up to 5 minutes for the change to take effect.

If you don’t want to set up the firewall right now, you can dismiss the notice. Setup will still be available on the Firewall page if you want to set up Extended Protection in the future.

Alternative Setups

On SiteGround and other similar hosts that use cPanel:

Some hosts do not support the use of .user.ini files. This does not occur on all cPanel hosts, but only those with specific configuration. For these hosts, you can optimize the firewall manually by setting the PHP value auto_prepend_file directly in your php.ini. On SiteGround and similar hosts, please follow this procedure:

  1. After attempting the installation, “wordfence-waf.php” will be created in the site’s root, but you will see a notice that the firewall is still not optimized.
  2. You will need the path to the wordfence-waf.php file, similar to /home/username/public_html/wordfence-waf.php. If you are not sure of the full path for your site, please contact us for help.
  3. Go to your site’s cPanel, and click the PHP Variables Manager icon
  4. Click the link that says “public_html”
  5. Enter “auto_prepend_file” as the variable name, click the “Add” button, and then enter the path to wordfence-waf.php
  6. Turn on the checkbox “Apply changes to all sub-directories” and click Save.

If the site will not load properly, check the path you entered to be sure there are no extra letters, quotes, slashes, etc. in the PHP Variables Manager. If it still will not work, you can try deleting the path and saving the settings to return the site to its previous state and try again.

Using php.ini with multiple sites on a single hosting account

If you have multiple sites on a single hosting account and need to use php.ini as described in the previous section, you may need to add a similar php.ini file in each individual site’s subdirectory. In this case, you may also need to add code like this in each additional site’s .htaccess file, to tell PHP which php.ini file to use:

SetEnv PHPRC /home/user/public_html/sitename/php.ini

You will need to adjust the path for your site and the site’s directory name before adding this to the .htaccess file. If the subdirectory site’s .htaccess file already has a similar line, this change may not be needed. Note: Some hosts may require PHPRC to show the path without “php.ini” at the end.

Hiding .user.ini if your server runs NGINX

The .user.ini file that Wordfence creates can contain sensitive information, and public access to it should be restricted. If your server runs NGINX you have to do this manually. Append the following directives to the server context of your nginx.conf file:

location ~ ^/\.user\.ini {
deny all;

If your WordPress installation resides in a subdirectory, you should add the path portion of the URL to the pattern:

location ~ ^/wordpress/\.user\.ini {
deny all;

Removing The Optimization

Removing the optimization will remove the Firewall files in /wflogs/ and the code installed in .htaccess and .user.ini. Near the bottom of the Firewall page, click the button that says Remove Extended Protection. This will prompt you to save backups of relevant files, and then will remove the Wordfence firewall portions of those files automatically. Depending on your server’s configuration, it may ask you to wait for a 5-minute delay to wait for a specific type of cache to expire on your server.

Alternately, you can remove the firewall setup files and related code by enabling “Delete Wordfence tables and data on deactivation” near the bottom of the Wordfence options page, and then deactivating Wordfence. This method will reset Wordfence’s options entirely after you reactivate it, since it removes all Wordfence tables and data.

Remove the Optimization manually

Depending on your server’s setup, you may have changes in the files .htaccess, .user.ini, and php.ini, all in the site’s main directory. Wordfence surrounds its code with comments “Wordfence WAF” and “END Wordfence WAF” in the files it modifies. You can remove the code between these comments in these files:

  • .htaccess code varies by server configuration, but is surrounded by the comments mentioned above
  • .user.ini is only used on some server configurations, but if it exists, Wordfence code is surrounded by the comments mentioned above
  • php.ini is only used on some server configurations, and would have a single line beginning with “auto_prepend_file”

You can then remove the file wordfence-waf.php in the site’s root folder after the files above are updated.

Important: If your host uses .user.ini or a PHP cache, the changes can take 5 minutes or so to go into effect. You may see white screens or error messages during this period.


If installation completes without errors but the firewall still shows Basic WordPress Protection: Some servers have a delay, usually only up to 5 minutes before the changes will take effect, due to caching. Waiting for 5 minutes and checking again will solve the issue, if this is the case. If the “Click here to configure” button still appears after completing setup and waiting about 5 minutes, your host may not use the typical configuration files, such as .user.ini.

[More about troubleshooting Firewall Optimization]