I use Wordfence as a WordPress security solution. Even the free version has a comprehensive set of features, and the premium version is even better. It’s very easy to install and configure Wordfence as a regular plugin. However, the step to “Optimize the Wordfence firewall” fails for many people. This is not the fault of Wordfence, since different steps may be required depending on how your web server is configured. My solution is for those who are hosting their own WordPress, but may be helpful to other situations.
If a problem occurs, the main symptom you will see is that Wordfence will demand your FTP user name and password when you try to optimize the firewall. You do not need to enter this information, and you don’t even need FTP access. The FTP dialog is just an indication that WordPress is unable to write to a directory or file. To fix the underlying problem, read on…
The first difficulty in optimizing the firewall is that Wordfence has to create a custom PHP file for your site called wordfence-waf.php and saves it in the root directory of the WordPress installation. Various security measures may prevent Wordfence from saving a file in this path. For example, the Linux user that runs the Apache process (apache in the case of RedHat/CentOS/Fedora) may not have write permission to the root directory. You’ll have to temporarily change ownership and/or permissions to allow Apache to write to this directory.
The second main reason that saving wordfence-waf.php might fail is an SELinux denial. To work around this, temporarily set the SELinux mode to permissive. On RedHat/CentOS/Fedora:
- Run the command setenforce permissive
- In WordPress, optimize the Wordfence firewall
- Immediately run setenforce enforcing to restore SELinux protections.
Now, you should have the file wordfence-waf.php in the same directory in the root WordPress directory.
The second major obstacle is to set the PHP environment variable auto_prepend_file so that PHP runs wordfence-waf.php before every PHP script. The exact method will depend on which web server is installed and how PHP is configured. Wordfence tries to guess for you and configure the right option automatically. For Apache 2.4 running PHP 7 using mod_php, the correct method is to create a file called .htaccess in the root directory of the WordPress installation, and set the variable there:
php_value auto_prepend_file "/var/www/html/nistframework.com/wordfence-waf.php"
Edit the main Apache config file (/etc/httpd/conf/httpd.conf on RedHat/CentOS/Fedora). In the section change AllowOverride None to AllowOverride Options and restart httpd.
To verify that auto_prepend_file is being set, create a little test script called info.php in the root directory of your WordPress installation:
Now navigate to /info.php and verify that auto_prepend_file is set correctly.