Fresh Installation

Only when running Litespeed or Openlitespeed.
Check with the troubleshooter script, you should see it in the PHP_SAPI field.

The hosting company uses Apache with PHP but it utilizes the PHP Litespeed API (LSAPI) which does not read or respect the php.ini. Despite the Ninja directive in the .htaccess full WAF doesn’t get enabled. So they have recommended to use another security plugin https://www.ads-software.com/plugins/wp-cerber.

I had emphasized the importance of the Ninja WAF, and that its lightweight and resides between WordPress and the attacker, as the firewall loads first before WordPress. Their response was the feature is redundant since they have ModSecurity through Imunify360 as a WAF already.

They have also asked me to clarify PHP7 as this only implies software version not the PHP handler.

Kindly advise.

Did you try other alternatives during the Full WAF installation such as “Apache + PHP7 module”?

Yes. Apache + PHP7 module also didn’t work.

Did your host confirm that you can use the auto_prepend_file directive in a .htaccess or not? It looks like you can’t.

The hosting said that they are running servers on CloudLinux OS with the Litespeed handler and that it’s absolutely normal to define php values in the .htaccess. The below code is already in the .htaccess.

`# BEGIN NinjaFirewall
<IfModule mod_php7.c>
php_value auto_prepend_file /home/website/public_html/wp-content/nfwlog/ninjafirewall.php
</IfModule>
# END NinjaFirewall

Can you try to remove the <IfModule mod_php7.c> and </IfModule> lines and test again? Make sure you have FTP access so that if the site crashed you could undo the modification.

Also, did you run the troubleshooter script?

Removed the lines you mentioned but to no avail. In fact the directive doesn’t get created in the .htaccess file.

Results of the troubleshooter script:

HTTP server : Apache
PHP version : 7.3.18
PHP SAPI : LITESPEED

auto_prepend_file : none
wp-config.php : found in /home/site/public_html/wp-config.php
NinjaFirewall detection : NinjaFirewall WP Edition is loaded (WordPress WAF mode)

Loaded INI file : /opt/alt/php73/etc/php.ini
user_ini.filename : .user.ini
user_ini.cache_ttl : 300 seconds
User PHP INI : none found

DOCUMENT_ROOT : /home/site/public_html
ABSPATH : /home/sitesm/public_html/
WordPress version : 5.4.2
WP_CONTENT_DIR : /home/site/public_html/wp-content
Plugins directory : /home/site/public_html/wp-content/plugins
User Role : Unknown role (or user not logged in)
User Capabilities : Error: missing manage_options capability – Error: missing unfiltered_html capability
Make sure you are logged in to WordPress before running this script.
Log dir permissions : /home/sitesm/public_html/wp-content/nfwlog dir is writable
Cache dir permissions : /home/sitesm/public_html/wp-content/nfwlog/cache dir is writable

Can you try to add another directive to the .htaccess and see if it works? For instance:
php_value upload_max_filesize 50M

Then check with a phpinfo() script if the value of upload_max_filesize is set to 50M.

• This reply was modified 4 years, 9 months ago by nintechnet.

The hosting has already set by default php_value upload_max_filesize to 512M.

If other directives work, then it means auto_prepend_file is disabled or there’s something wrong with the PHP interpreter.
I don’t think you could run NF in Full WAF mode on that host.

Will pass on your details to the host. Let’s see what they have to say.

The host have manage to somehow enable the full WAF with the only line again:

php_value auto_prepend_file /home/site/public_html/wp-content/nfwlog/ninjafirewall.php

Now how can we confirm if the full WAF is really enabled and working?

Did you check in the “NinjaFirewall > Dashboard” page? This is the page to check when looking for errors, warnings or problems.

There are no errors, warnings or problems on the “NinjaFirewall > Dashboard” page.