6.3.1 – Extended protection disabled

  • Hi all,

    FYI, after the 6.3.1 update, the Extended protection was disabled and I was being asked to optimize firewall. All the following failed to help

    I waited 5 minutes
    Tried all the options
    Checked htaccess, and user.ini (no php.ini)
    Checked my file permission
    Disabled all plugins
    Removed hardening form htaccess

    I finally deleted Wordfence entirely, DB, files, etc. and reinstalled, and that did not help.

    I found a reference Here about adding

    php_value auto_prepend_file "/path_to_file/wordfence-waf.php"

    Directly in the htaccess file. And this fixed the issue, for now.

    My htaccess file now looks like this and it works:

    # Wordfence WAF
<IfModule mod_php5.c>
	php_value auto_prepend_file '/home/XXXXXX/public_html/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>

# END Wordfence WAF

php_value auto_prepend_file '/home/XXXXXX/public_html/wordfence-waf.php'

    Any other suggestions or information would be appreciated.

    Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter philrp

    (@philrp)

    It looks like I was mistaken.

    The firewall extended protection is not working: adding the auto_prepend line directly in the htaccess file seems to have only masked the issue.

    I’m not getting any blocks and google is reporting far more hits than live traffic is.

    I’m at a loss.

    Thanks.

    Hi,
    Please go to (Wordfence > Firewall), scroll down the page and click on “Remove Extended Protection“, this will remove all entries added in “.htaccess” file wrapped between “# Wordfence WAF” and “# END Wordfence WAF”, also remove any codes you added in this file manually that are related to Wordfence Firewall. (like auto_prepend_file pointing to “wordfence-waf.php” file).

    Then, disable all other plugins -temporarily- and re-configure the firewall again and notice the followings:
    – In “.htaccess” file, do you confirm that “auto_prepend_file” has the correct path to “wordfence-waf.php” file?
    – Does “wordfence-waf.php” has the correct paths to “bootstrap.php” and “wflogs”?
    – Go to (Wordfence > Tools => Diagnostics) and click on “Click to view your system’s configuration in a new window”, then search for “auto_prepend_file” value there.

    Let me know how it goes,
    Thanks.

    Thread Starter philrp

    (@philrp)

    Hi Alaa,

    Thank you for the reply. I posted a similar response in the following thread where someone was having a very similar issue. Posting here too in case the topic is relevant to others.

    I tried what you suggested above, but to no avail. I removed everything as explained here, including the database tables, and tried older versions of Wordfence to see if those would work, as before, but they did not.

    This led me to believe something was not working with auto_prepend_file.

    I’ve not contacted my host yet, but I discovered that turning on the PHP extension HTSCANNER in CPanel’s PHP Version makes the WAF work again.

    I’m not sure why this is or if it’s the best solution, but I found multiple mentions of this as a solution for auto_prepend_file issues in htaccess files.

    I’ll report back once I chat with my hosting provider.

    Any insight would be welcomed.

    Thanks again!

    • This reply was modified 7 years, 9 months ago by philrp.

    Hi,
    This library allows servers admins to set PHP variables per directory (just like “.htaccess” file for Apache web server rules), I don’t know for sure how enabling this library solved the firewall issue, but I’m pretty sure your hosting provider should have some answers regarding this situation.

    Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘6.3.1 – Extended protection disabled’ is closed to new replies.