Wordfence WAF user.ini file is detected as an issue

  • Resolved kalabawer

    (@kalabawer)


    4 months, 2 weeks ago

    Hi,

    We have a WordFence installation and we have this user.ini created which has the below content:

    ; Wordfence WAF ;
    auto_prepend_file = ‘/xxx/yyy/zzz/wordfence-waf.php’
    ; END Wordfence WAF

    I am not if this was manually created or auto-generaed but it has the WordFence directive/setting for “auto_prepend_file”

    The problem is, when doing the scan, it is being returned by WordFence as a critical issue which says:

    • Publicly accessible config, backup, or log file found: .user.ini
      • Type: Publicly Accessible Config/Backup/Log

    How can a WordFence file be detected as an issue? How can this be fixed?

    I know we can hit the Ignore button, but this is just strange.

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @kalabawer, thanks for your question.

    If getting the firewall into Extended Protection required the use of a .user.ini on your server, can you see the file from a browser yourself (yoursite.com/.user.ini for example)? If so, rather than opt to ignore, have you selected the “HIDE FILE” option offered to you in the scan results? This will usually add some code to your .htaccess to make sure it isn’t visible in the browser going forward.

    Let us know how you get on!
    Peter.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.