Optimizing The Firewall

The Wordfence Firewall has a feature that allows the Firewall to be loaded before any other code loads. This provides the highest level of protection and we refer to this as "extended protection". In order to get extended protection, you have to go through a short configuration procedure.

Basic WordPress Protection vs. Extended Protection

When you first install Wordfence on your website Basic WordPress Protection will automatically be activated. The plugin will load as a regular plugin after WordPress loads. While it can block many malicious requests, some vulnerable plugins or WordPress itself may run vulnerable code before all plugins are loaded. Additionally, attackers can access some plugin, core, or theme files directly, and in that case, your server will not load the firewall to protect you.

In the optimization process, Wordfence changes the PHP configuration to allow the firewall to load on your site before WordPress or any other PHP files that may be directly accessible. Depending on your server’s configuration, this may require changes to the files .htaccess, .user.ini, or php.ini. Wordfence first prompts you to download backup copies of these files before they’re modified, in case the server is configured in a way that the changes will not work. Once you complete the optimization steps, the firewall will process all PHP requests. You now have Extended Protection.

Firewall Optimization Setup

When you first install the Wordfence Web Application Firewall, at the top of WordPress admin pages, you will see: “To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall:” Click the “Click here to configure” button.

You are now taken to the Firewall Options page which will display the “Optimize Wordfence Firewall” dialogue. The correct optimization server configuration will be automatically selected for you. You should not need to change this option, but you can, if you know that it’s not detecting your server configuration correctly. If you are on a host that does not support any of our default configurations you will have to select the “Manual configuration” option. For example, if you are on SiteGround hosting, we recommend manual configuration. For further instructions, see Alternative Hosting Provider Setups below.

Click to download backups of .htaccess and/or .user.ini if you are prompted to do so. If you run in to any issues during the Optimization procedure, you can use FTP/SSH or any file manager your web host may be providing to upload the backup files to the root of your WordPress installation to undo what the configuration did. Once you have downloaded the files, you can click “Continue” to complete the setup.

Your setup should now be complete. On some hosts, you may have to wait up to 5 minutes for the change to take effect.

If you don’t want to set up the firewall right now, you can dismiss the notice. Setup will still be available on the Firewall page if you want to set up Extended Protection in the future.

Alternative Hosting Provider Setups

On SiteGround and other similar hosts that use cPanel

On Pagely

On SiteGround and other similar hosts that use cPanel:

Some hosts do not support the use of .user.ini files. This does not occur on all cPanel hosts, but only those with specific configuration. For these hosts, you can optimize the firewall manually by setting the PHP value auto_prepend_file directly in your php.ini. Please note that the instructions for manual setup in this section are for Wordfence versions 7.1.2 and higher. If you are using an older Wordfence version, contact Wordfence support for assistance.

After attempting the installation on SiteGround and similar hosts the Firewall file “wordfence-waf.php” will be created in the site’s root, but you will see a notice that the firewall is still not optimized. To complete Manual Configuration

1. Click again to “Optimize the Wordfence Firewall”.

2. Select “Manual Configuration” and press “Continue”.

3. Take note of the auto_prepend_file file path displayed.

4. Go to your site’s cPanel, and click the PHP Variables Manager icon

5. Click the link that says “public_html”

6. Enter “auto_prepend_file” as the variable name, click the “Add” button, and then enter the path to wordfence-waf.php

7. Turn on the checkbox “Apply changes to all sub-directories” and click Save.

Click here for screenshots that demonstrate steps 4-7 above.

If the site will not load properly, check the path you entered to be sure there are no extra letters, quotes, slashes, etc. in the PHP Variables Manager. If it still will not work, you can try deleting the path and saving the settings to return the site to its previous state and try again.

If you are sure that you have completed the above steps correctly then we have seen some SiteGround hosting accounts where disabling the “auto_globals_jit” PHP directive is also necessary to be able to complete the firewall optimization process. If this is the case then this should be accompanied by this PHP Warning, either printed out in your browser, or present in your PHP error logs.

Warning: array_merge(): Argument #2 is not an array in /home/username/public_html/wp-includes/load.php

In step 4 of the firewall optimization process above you may see in the cPanel PHP Variables Manager that the “auto_globals_jit” PHP directive is listed as enabled. If it is enabled then select the radio button to disable it and press the “Save” button.

If you don’t see the “auto_globals_jit” PHP directive listed in the PHP Variables Manager you will need to add the “auto_globals_jit” directive in the “Variable” text input field (without the quotes that you see here) and press the “Add” button. Once the “auto_globals_jit” variable text input field is created then enter “off” (without quotes) in the text input field and press the “Save” button.

Note that if you see the PHP Warning above printed out in your browser then this means that the “display_errors” PHP directive is enabled which shouldn’t be the case on a production server connected to the internet and should be disabled. In the PHP Variables Manager add “display_errors” in the “Variable” text input field (without the quotes that you see here) and press the “Add” button. Once the “display_errors” variable text input field is created then enter “off” (without quotes) in the text input field and press the “Save” button.

Using php.ini with multiple sites on a single hosting account

If you have multiple sites on a single hosting account and need to use php.ini as described in the previous section, you may need to add a similar php.ini file in each individual site’s subdirectory. In this case, you may also need to add code like this in each additional site’s .htaccess file, to tell PHP which php.ini file to use:

SetEnv PHPRC /home/user/public_html/sitename/php.ini

You will need to adjust the path for your site and the site’s directory name before adding this to the .htaccess file. If the subdirectory site’s .htaccess file already has a similar line, this change may not be needed. Note: Some hosts may require PHPRC to show the path without “php.ini” at the end.

On Pagely:

To be able to optimize the firewall on Pagely hosting you will need to run through the firewall optimization process as described in the Firewall Optimization Setup section above. You don’t need to change the server configuration selection during the process.

When you have gone through the firewall optimization process the Firewall file “wordfence-waf.php” will have been created in the site’s root, but you will see a notice that the firewall is still not optimized.

If your site is hosted on a shared hosting account then you will need to ask Pagely support to add the code found in the “wordfence-waf.php” file to this Pagely hosting “setup.php” configuration file below:


If you are a VPS or Enterprise customer then you will have access to the Pagely “setup.php” configuration file and you can add the code found in the “wordfence-waf.php” file yourself.

To check that the firewall is now optimized you can click on the “All Firewall Options” link on the “Firewall” page. The “Protection Level” section should now say “Extended Protection” instead of “Basic WordPress Protection”.

Hiding .user.ini if your server runs NGINX

The .user.ini file that Wordfence creates can contain sensitive information, and public access to it should be restricted. If your server runs NGINX you have to do this manually. Append the following directives to the server context of your nginx.conf file:

location ~ ^/\.user\.ini {
deny all;

If your WordPress installation resides in a subdirectory, you should add the path portion of the URL to the pattern:

location ~ ^/wordpress/\.user\.ini {
deny all;

Removing The Optimization

The Extended Protection mode of the Wordfence Web Application Firewall uses the PHP ini setting called auto_prepend_file in order to ensure it runs before any potentially vulnerable code runs. This configuration for the auto_prepend_file setting needs to be removed. On the Firewall Options page under Protection Level click the button that says Remove Extended Protection. This will prompt you to save backups of relevant files, and then will remove the Wordfence firewall portions of those files automatically. Depending on your server’s configuration, it may ask you to wait for a 5-minute delay to wait for a specific type of cache to expire on your server.

Alternately, you can remove the firewall setup files and related code by enabling “Delete Wordfence tables and data on deactivation” near the bottom of the Wordfence options page, and then deactivating Wordfence. This method will reset Wordfence’s options entirely after you reactivate it, since it removes all Wordfence tables and data.

Important: If you have preformed a manual configuration via cPanel as described in the Alternative Setups section above, you need to remove the auto_prepend_file value from the PHP variables manager manually. This will typically be the case if you are on SiteGround hosting.

Remove the Optimization manually

Depending on your server’s setup, you may have changes in the files .htaccess, .user.ini, and php.ini, all in the site’s main directory. Wordfence surrounds its code with comments “Wordfence WAF” and “END Wordfence WAF” in the files it modifies. You can remove the code between these comments in these files:

  • .htaccess code varies by server configuration, but is surrounded by the comments mentioned above
  • .user.ini is only used on some server configurations, but if it exists, Wordfence code is surrounded by the comments mentioned above
  • php.ini is only used on some server configurations, and would have a single line beginning with “auto_prepend_file”

You can then remove the file wordfence-waf.php in the site’s root folder after the files above are updated.

Important: If your host uses .user.ini or a PHP cache, the changes can take 5 minutes or so to go into effect. You may see white screens or error messages during this period.

How to exclude directories from firewall monitoring in Extended Protection mode

You may have one or more other applications installed in directories outside of WordPress in your hosting account and you may not want the firewall to monitor and block legitimate requests for that additional application or applications.

To prevent the firewall from monitoring such directories you can use the following line or lines of code to achieve this.

Depending on your server environment the code will be added to either a .user.ini file, .htaccess file or in some cases a php.ini file in the root directory of the additional application.

.user.ini or php.ini:

auto_prepend_file = none

.htaccess for a server running a version of PHP branch 5:

<IfModule mod_php5.c>
   php_value auto_prepend_file none

.htaccess for a server running a version of PHP branch 7:

<IfModule mod_php7.c>
   php_value auto_prepend_file none


If installation completes without errors but the firewall still shows Basic WordPress Protection: Some servers have a delay, usually only up to 5 minutes before the changes will take effect, due to caching. Waiting for 5 minutes and checking again will solve the issue, if this is the case. If the “Click here to configure” button still appears after completing setup and waiting about 5 minutes, your host may not use the typical configuration files, such as .user.ini.

[More about troubleshooting Firewall Optimization]