Issues with WAF and WP in it’s own subfolder
-
To help resolve a previous issue that I have open on here already, I wanted to make sure I configure the
wordfence-waf.phpfile to prepend to my requests.The issue I am running into is that I am fighting against WordFence with this. I have WordPress installed in a subdirectory as this is a supported way to run WordPress: https://www.ads-software.com/support/article/giving-wordpress-its-own-directory/
I have a more advanced setup where I have a folder structure similar to:
– public
– wp-content (all project files outside of WP)
– wordpress (only vanilla WordPress files, no plugins/themes other than default)
– index.php
– etc. (other webroot files like .htaccess and wp-config.php)This allows me to use
WP_CONTENT_DIRandWP_CONTENT_URLto specify a custom wp-content directory.The issue I am experiencing is when I tell WordFence to use “Extended Protection” it is putting the
wordfence-waf.phpfile into thewordpressdirectory. Mind you, the actual location of the WordFence plugin is in my customwp-content/pluginsdirectory. Nothing should be used inside the WordPress directory as updating WordPress would delete these files. So every update would crash the site… that’s a biggie.Since I have my project in a repo and utilize a launch script to setup my ASG, I would prefer to keep
wordfence-waf.phpin the webroot. This is fine and I can make my own edits to the.user.ini,.htaccessfile and thewordfence-waf.phpto usedefine('WFWAF_STORAGE_ENGINE', 'mysqli');.My concern is this:
If I do not click the button in the WordFence options to use the “Extended Protection”, by having these already added myself, would this still enforce properly? The options page just says Basic Protection and that is not the case as I am prepending the file. Does that matter with the actual enforcement or is that just a visual thing in the settings?
If I do click that button, it configures it inside the
wordpressdirectory and that is a problem. I can manually move the file and update the.user.inibut when I check with the Diagnostic tool (wordfence-waf.php path), it still shows it being in thewordpressdirectory. I do not know where to modify this to show the correct path.I am not sure if it showing this is an issue and that is why I am here.
I just want to include my own path for thewordfence-waf.phpand use my own.user.inifile.I have tested it and it seems to work when I do this myself and just ignore the options button but I am unsure of the inners of WordFence and if those value above would have any negative affect to the system. Also, it would be nice if the settings page reflected my actual settings if done manually as the
.user.iniexists with thewordfence-waf.phpand there is an entry in the.htaccessfile.Ideally, is there a constant I can specify to define a path to place the
wordfence-waf.php?Thanks for any insight you can provide.
-
Folder structure is unclear, cannot edit so here is a better version:
public
– wp-content (all project files outside of WP)
– wordpress (only vanilla WordPress files, no plugins/themes other than default)
– index.php
– etc. (other webroot files like .htaccess and wp-config.php)Issue appears to be a caching issue. Manually setting up
wordfence-waf.phpworked as expected.This is clearly explained by WordFence:
Troubleshooting
If installation completes without errors but the firewall still shows Basic WordPress Protection: Some servers have a delay, usually only up to 5 minutes before the changes will take effect, due to caching. Waiting for 5 minutes and checking again will solve the issue, if this is the case. If the “Click here to configure” button still appears after completing setup and waiting about 5 minutes, your host may not use the typical configuration files, such as .user.ini.
- The topic ‘Issues with WAF and WP in it’s own subfolder’ is closed to new replies.
