ianackerwines
Forum Replies Created
@wfadam Unfortunately it isn’t possible to generate diagnostics in this situation. If I manually revert the mysql.php file with a previously-activated and functioning WordFence installation, what happens is a fatal error trying to load the site (due to auto-prepend attempting to load the config). In the http error logs I can see the same “Unable to connect to database…” error I mentioned in my original post.
@wfadam Since the plugin can’t be activated using this configuration, I don’t have a WordFence WP-Admin section from which to pull Diagnostics. I’ll try activating the plugin using the workaround code mentioned above, and then changing back to the old code so that the WordFence WP-Admin section exists but WordFence fails to load, and will try to send diagnostics from that setup.
Sure, I’ll send a report shortly. In the meantime, the following modification to the mysql.php -> connect() function resolves the issue for us, in case that leads to a more general solution (we are in AWS, so the cert referenced is the RDS SSL certificate pulled from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem):
    public function connect($user, $password, $database, $host, $port = null, $socket = null) {
        // ############## BEGIN CUSTOMIZATION ##############
        $connection = mysqli_init();
        // Only the CA file argument is set: the RDS CA bundle.
        $connection->ssl_set(NULL, NULL, '/var/app/current/certs/rds-combined-ca-bundle.pem', NULL, NULL);
        // real_connect() returns a bool, so keep the mysqli handle itself in $this->dbh.
        $connected = $connection->real_connect($host, $user, $password, $database, $port, $socket);
        $this->dbh = $connected ? $connection : false;
        // ############## END CUSTOMIZATION ##############
        if (!$this->dbh) {
            $error = error_get_last();
            throw new wfWAFStorageEngineMySQLiException('Unable to connect to database: ' . $error['message'], $error['type']);
        }
        return $this->dbh;
    }
Looking at the WF source I think I see the problem. It appears that WordFence requires the constants to be defined in wp-config.php ONLY, excluding any logic that occurs when wp-config.php is actually executed. WordFence calls extractCredentialsWPConfig($file), which manually string-parses the default DB_USER, DB_NAME, etc. constants out of the file. This will not work for anyone using any type of modified wp-config.php logic like we do (where we defer much of the variable setup to a separate file). For example, our wp-config.php file is just the following lines:

    <?php
    /** load custom configuration */
    require_once('wp-config-init.php' );
    /** Sets up WordPress vars and included files. */
    require_once( ABSPATH . 'wp-settings.php' );

I can understand why WordFence is doing this, as it can’t really require() the wp-config file when loading so early… but it would be great if extractCredentialsWPConfig() did an if (defined('DB_NAME')) check to allow us to short-circuit this manual parsing logic. As it stands we’ll have to manually hack the WF core files to make it work in our custom environment.
I am having the same issue as the original post. Load-balanced environment, mysqli config added to the wordfence-waf.php, but WordFence isn’t using the database to store data. We define the standard DB_NAME, DB_USER, etc. WordPress constants in our wp-config.php file. Is there anything else that could potentially cause this issue?
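The parsing limitation and the defined() short-circuit discussed in the reply about extractCredentialsWPConfig() above, as an added example that is not part of the original posts and is not Wordfence's code. The function names parse_db_constants() and resolve_db_credentials() are hypothetical, the sample config text and credential values are constructed, and the example assumes the deployment defines the DB_* constants before the check runs.

```php
<?php
// Hypothetical helper, not Wordfence's extractCredentialsWPConfig(): pulls
// define('DB_*', '...') literals out of config source text without executing it.
function parse_db_constants(string $source): array {
    $pattern = '/define\(\s*([\'"])(DB_(?:NAME|USER|PASSWORD|HOST))\1\s*,\s*([\'"])(.*?)\3\s*\)/';
    $found = [];
    if (preg_match_all($pattern, $source, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $found[$m[2]] = $m[4];
        }
    }
    return $found;
}

// Hypothetical resolver with the suggested short-circuit: a constant that is
// already defined wins, and the text parse is only the fallback.
function resolve_db_credentials(string $source): array {
    $parsed = parse_db_constants($source);
    $creds = [];
    foreach (['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'] as $name) {
        if (defined($name)) {
            $creds[$name] = constant($name);
        } elseif (isset($parsed[$name])) {
            $creds[$name] = $parsed[$name];
        } else {
            throw new RuntimeException("No value found for $name");
        }
    }
    return $creds;
}

// Constructed sample: a wp-config.php that defers everything to an include.
$deferred = "<?php\nrequire_once('wp-config-init.php' );\n"
          . "require_once( ABSPATH . 'wp-settings.php' );\n";

try {
    resolve_db_credentials($deferred); // text parse alone has nothing to match
} catch (RuntimeException $e) {
    echo 'parse only: ', $e->getMessage(), PHP_EOL;
}

// Assumption: the deployment defines these before the check runs (constructed values).
define('DB_NAME', 'wp');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'example-only');
define('DB_HOST', 'db.example.internal');

echo 'with constants: ', implode(', ', array_keys(resolve_db_credentials($deferred))), PHP_EOL;
```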