Optimizing The Firewall

The Wordfence firewall has a feature that allows the firewall to be loaded before any other code loads. This provides the highest level of protection and we refer to this as "Extended Protection". In order to get Extended Protection, you have to go through a short configuration procedure.

Basic WordPress Protection versus Extended Protection

When you first install Wordfence on your website the “Basic WordPress Protection” mode will automatically be activated. The plugin will load as a regular plugin after WordPress loads. While it can block many malicious requests, some vulnerable plugins or WordPress itself may run vulnerable code before all plugins are loaded. Additionally, attackers can access some plugin, core, or theme files directly, and in that case, your server will not load the firewall to protect you.

In the optimization process, Wordfence changes the PHP configuration so that the firewall loads on your site before WordPress or any other PHP file that may be directly accessible. Depending on your server’s configuration, this may require changes to the files “.htaccess”, “.user.ini”, or “php.ini”. Wordfence first prompts you to download backup copies of these files before they are modified, in case your server is configured in a way that prevents the changes from working. Once you complete the optimization steps, the firewall will process all PHP requests, and the firewall will be in “Extended Protection” mode.

Firewall Optimization Setup

When you first install the plugin, at the top of WordPress admin pages, you will see:

“To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall:”

Click the “CLICK HERE TO CONFIGURE” button.

(If the notice has already been dismissed then open the “Firewall” page. Click on the “All Firewall Options” link. In the “Protection Level” section click on the button that says, “OPTIMIZE THE WORDFENCE FIREWALL”).

You are now taken to the “Firewall Options” page which will display the “Optimize Wordfence Firewall” dialogue. The correct server configuration optimization will be automatically selected for you. You should not need to change this option, but you can if you know that it is not detecting your server configuration correctly. If you are on a host that does not support any of our default configurations you will have to select the “Manual configuration” option. For example, if you are on SiteGround hosting, we recommend manual configuration. For further instructions, see Alternative Hosting Provider Setups below.

Click to download backups of “.htaccess” and/or “.user.ini” if you are prompted to do so. If you experience any issues during the optimization procedure, you can use FTP/SSH or any file manager your web host provides to upload the backup files to the root directory of your WordPress installation to undo the configuration changes. Once you have downloaded the files, you can click “Continue” to complete the setup.

Your setup should now be complete. On some hosts, you may have to wait up to 5 minutes for the change to take effect.

If you do not want to set up the firewall now then you can dismiss the notice. Setting up the firewall optimization will still be available on the “Firewall” page if you want to set up the “Extended Protection” mode in the future. Click on the “All Firewall Options” link. In the “Protection Level” section click on the button that says, “OPTIMIZE THE WORDFENCE FIREWALL”.

Alternative Hosting Provider Setups

On SiteGround and other similar hosts that use cPanel
On SiteGround accounts using the Site Tools control panel instead of cPanel
On Pagely
On Kinsta

On SiteGround and other similar hosts that use cPanel:

Some hosts do not support the use of “.user.ini” files. This does not occur on all cPanel hosts, but only on those with a specific configuration. For these hosts, you can optimize the firewall manually by setting the PHP value “auto_prepend_file” directly in your “php.ini” configuration.

After attempting the installation on SiteGround and similar hosts the firewall file “wordfence-waf.php” will be created in the site’s root directory, but you will see a notice that the firewall is still not optimized. To complete the manual configuration:

1. Click again to “Optimize the Wordfence Firewall”.

2. Select “Manual Configuration” and press “Continue”.

3. Take note of the “auto_prepend_file” file path displayed.

4. Go to your site’s cPanel, and click the “PHP Variables Manager” icon.

5. Click the link that says “public_html”.

6. Enter “auto_prepend_file” as the variable name, click the “Add” button, and then enter the full file path to “wordfence-waf.php”.

7. Turn on the checkbox “Apply changes to all sub-directories” and click on “Save”.

Click here for screenshots that demonstrate steps 4-7 above.

If the site will not load properly, check the full file path that you entered to be certain that there are no extra letters, quotes, or slashes in the PHP Variables Manager. If it still will not work, you can try deleting the full file path and saving the settings to return the site to its previous state and try again.

On SiteGround accounts using the “Site Tools” control panel instead of cPanel:

SiteGround does not support the use of “.user.ini” files. This does not occur on all hosting providers, but only on those with a specific configuration. For SiteGround you can optimize the firewall manually by setting the PHP value “auto_prepend_file” directly in your “php.ini” configuration.

After attempting the installation on SiteGround the firewall file “wordfence-waf.php” will be created in the site’s root directory, but you will see a notice that the firewall is still not optimized. To complete the manual configuration:

1. Click again to “Optimize the Wordfence Firewall”.

2. Select “Manual Configuration” and press “Continue”.

3. Take note of the “auto_prepend_file” file path displayed.

4. On the upper menu in your SiteGround account click on “Websites” and then under the website details click “Site Tools”.

5. On the “Site Tools” page look in the vertical navigation menu and click on “Devs”. In the submenu that opens click “PHP Manager”.

6. On the “PHP Manager” page, look in the section that allows you to manage the settings for the site. Click on the “PHP Variables” tab. This will open a long list of variables that you can configure for PHP. Scroll to the bottom of the list to click on “Load More”. You will need to click on “Load More” one more time (two times in total) to get to the value that you need to change.

7. When you see “auto_prepend_file” stop and click on the blue “Add Value” link. A pop-up will appear where you enter the full file path to “wordfence-waf.php” that you noted in step 3 above. Press the button to confirm the change.

If the site will not load properly, check the full file path that you entered to be sure there are no extra letters, quotes, or slashes in the PHP Variables Manager. If it still will not work, you can try deleting the full file path and saving the settings to return the site to its previous state and try again.

Using php.ini with multiple sites on a single hosting account

If you have multiple sites in a single hosting account and need to use “php.ini” as described in the previous section, you may need to add a similar “php.ini” file in each individual site’s subdirectory. In this case, you may also need to add a line like the following to each additional site’s “.htaccess” file. This tells PHP on your web server which “php.ini” file to use:

SetEnv PHPRC /home/user/public_html/site_name/php.ini

You will need to adjust the full file path for your site and the site’s directory name before adding this to the “.htaccess” file. If the subdirectory site’s “.htaccess” file already has a similar line, this change may not be needed.

Note that some hosts require PHPRC to contain only the directory path, without “php.ini” at the end.

On Pagely:

To be able to optimize the firewall on Pagely hosting you will need to run through the firewall optimization process as described in the Firewall Optimization Setup section above. You do not need to change the server configuration selection during the process.

When you have gone through the firewall optimization process the firewall file “wordfence-waf.php” will have been created in the site’s root directory, but you will see a notice that the firewall is still not optimized.

If your site is hosted on a shared hosting account, you will need to ask Pagely support to add the code found in the “wordfence-waf.php” file to the Pagely “setup.php” configuration file, located at:

~/user/setup.php

If you are a VPS or Enterprise customer then you will have access to the Pagely “setup.php” configuration file and you can add the code found in the “wordfence-waf.php” file yourself.

To check that the firewall is now optimized you can click on the “All Firewall Options” link on the “Firewall” page. The “Protection Level” section should now say “Extended Protection” mode instead of “Basic WordPress Protection” mode.

On Kinsta:

When you first install the plugin, at the top of WordPress admin pages, you will see:

“To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall:”

Click the “CLICK HERE TO CONFIGURE” button.

You are now taken to the “Firewall Options” page, which will display the “Optimize Wordfence Firewall” dialogue. Follow these instructions:

1. Select “Manual Configuration” and press “CONTINUE”.

2. Take note of the “auto_prepend_file” file path displayed.

3. Ask Kinsta support to set the “auto_prepend_file” file path for your site.

Hiding .user.ini if your server runs NGINX

The “.user.ini” file that Wordfence creates can contain sensitive information, and public access to it should be restricted. If your server runs NGINX you have to do this manually. Append the following directives to the server context of your “nginx.conf” file:

location ~ ^/\.user\.ini {
deny all;
}

If your WordPress installation resides in a subdirectory, you should add the path portion of the URL to the pattern:

location ~ ^/wordpress/\.user\.ini {
deny all;
}

Some hosts already prevent “.user.ini” from being publicly readable, since it is a common PHP configuration file. A few hosts that use NGINX, including Pressable, use a different method to load the firewall and do not have a “.user.ini” file. In these cases, no additional steps are necessary. Whichever applies, you can confirm the file is protected by requesting “/.user.ini” on your site in a browser: the request should be refused rather than showing the file’s contents.

Removing The Optimization

The “Extended Protection” mode of the Wordfence firewall uses the PHP ini setting “auto_prepend_file” in order to ensure that it runs before any potentially vulnerable code runs. This “auto_prepend_file” setting needs to be removed if you are reinstalling Wordfence, removing Wordfence’s data, or in some cases when moving to a new host.

To remove the firewall optimization, on the “Firewall Options” page, under “Protection Level”, click the button that says “Remove Extended Protection”. This will prompt you to save backups of one or two files, depending on your host’s configuration, and then it will remove the Wordfence firewall portions of those files automatically. Depending on your server’s configuration, it may ask you to wait 5 minutes for a specific type of cache to expire on your server.

Important: If you have performed a manual configuration via cPanel as described in the “Alternative Hosting Provider Setups” section above, you need to remove the “auto_prepend_file” value from the PHP variables manager manually. This will typically be the case if you are on an older site on SiteGround hosting. (More recent sites may use the standard firewall optimization setup.)

Remove the Optimization manually

If the method above does not remove Wordfence’s optimization, the usual causes are that some files have incorrect permissions or that the optimization was originally set up manually. In either case, you can remove the optimization manually.

Depending on your server setup, you may have changes in “.htaccess”, “.user.ini”, and “php.ini” files, usually in the main directory of your site. Wordfence surrounds its code with comments “Wordfence WAF” and “END Wordfence WAF” in the files it modifies. You can remove the code between these comments in these files:

  • “.htaccess” code varies by server configuration but is surrounded by the comments mentioned above
  • “.user.ini” is only used on some server configurations, but if it exists, Wordfence code is surrounded by the comments mentioned above
  • “php.ini” is only used on some server configurations, and would have a single line beginning with “auto_prepend_file”

Important: If your host uses “.user.ini”, the changes can take up to 5 minutes to take effect. If you remove “wordfence-waf.php” too soon, you may see white screens or error messages during this period. To be sure the optimization has been removed, check the “Protection Level” section of the “Firewall Options” page and confirm that the “Remove Extended Protection” button has changed back to “Optimize the Wordfence Firewall”.

You can then remove the file “wordfence-waf.php” in the site’s root directory after the files above are updated.
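As an added example, not Wordfence’s own tooling, the following POSIX shell script carries out the manual removal described above: it strips the block between the “Wordfence WAF” and “END Wordfence WAF” marker comments (markers included) from “.htaccess” and “.user.ini”, drops any uncommented “auto_prepend_file” line from “php.ini”, and keeps a backup copy of every file it changes. It assumes the marker lines contain exactly those two phrases (the comment character in front of them, “#” or “;”, is not relied on). The sample “.htaccess” it builds is constructed. Deleting “wordfence-waf.php” is deliberately left out, since the text above makes that a separate step taken only after the configuration changes have taken effect.

```sh
#!/bin/sh
# Added example (not Wordfence's own code): undo Extended Protection by hand.

# Print $1 with every block from a "Wordfence WAF" marker line to the next
# "END Wordfence WAF" marker line removed (the marker lines are removed too).
# The END pattern is tested first because it also contains "Wordfence WAF".
wf_strip_marker_block() {
    awk '
        /END Wordfence WAF/ { skipping = 0; next }
        /Wordfence WAF/     { skipping = 1; next }
        !skipping           { print }
    ' "$1"
}

# Print $1 with uncommented "auto_prepend_file = ..." lines removed (php.ini form).
# grep -v exits 1 when nothing is left to print, which is not an error here.
wf_strip_prepend_line() {
    grep -Ev '^[[:space:]]*auto_prepend_file[[:space:]]*=' "$1" || true
}

# Rewrite .htaccess, .user.ini and php.ini in site root $1 in place, keeping a
# FILE.wf-backup copy of each file that changes, and print the changed names.
wf_remove_optimization() {
    root="$1"
    for f in .htaccess .user.ini php.ini; do
        path="$root/$f"
        [ -f "$path" ] || continue
        case "$f" in
            php.ini) wf_strip_prepend_line "$path" > "$path.wf-new" ;;
            *)       wf_strip_marker_block "$path" > "$path.wf-new" ;;
        esac
        if cmp -s "$path" "$path.wf-new"; then
            rm "$path.wf-new"                 # nothing from Wordfence in this file
        else
            cp "$path" "$path.wf-backup"      # backup before touching the live file
            mv "$path.wf-new" "$path"
            echo "$f"
        fi
    done
}

# Constructed demo: a site root whose .htaccess holds both the usual WordPress
# rewrite block and a Wordfence WAF block; only the latter is removed.
demo="$(mktemp -d)"
cat > "$demo/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
# END WordPress

# Wordfence WAF
<IfModule mod_php.c>
    php_value auto_prepend_file '/home/user/public_html/wordfence-waf.php'
</IfModule>
# END Wordfence WAF
EOF
echo "changed: $(wf_remove_optimization "$demo")"
cat "$demo/.htaccess"
rm -r "$demo"
```

After running it against the real site root, wait the few minutes mentioned above and confirm the “Protection Level” button has changed before deleting “wordfence-waf.php”; the “.wf-backup” copies let you restore a file if the site misbehaves.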

How to exclude directories from firewall monitoring in Extended Protection mode

You may have one or more other applications installed in directories outside of WordPress in your hosting account, and you may not want the firewall to monitor those applications, since it could block legitimate requests for them.

To exclude such a directory from firewall monitoring, add the following line, or lines, to a configuration file in the root directory of the additional application. Depending on your server environment, this will be a “.user.ini” file, a “.htaccess” file, or in some cases a “php.ini” file.

“.user.ini” or “php.ini”:

auto_prepend_file = none

“.htaccess” for a server running a version of PHP 5:

<IfModule mod_php5.c>
php_value auto_prepend_file none
</IfModule>

“.htaccess” for a server running a version of PHP 7:

<IfModule mod_php7.c>
php_value auto_prepend_file none
</IfModule>

“.htaccess” for a server running a version of PHP 8:

<IfModule mod_php.c>
php_value auto_prepend_file none
</IfModule>

Troubleshooting

If the optimization completes without errors but the firewall still shows “Basic WordPress Protection”, note that some servers apply the changes only after a delay, usually up to 5 minutes, due to caching. If this is the case, waiting 5 minutes and checking again will solve the issue. If the “CLICK HERE TO CONFIGURE” button still appears after completing the setup and waiting about 5 minutes, your host may not use the typical configuration files, such as “.user.ini”.

[More about troubleshooting Firewall Optimization]