Web Application Firewall FAQ

From Wordfence Documentation
Jump to: navigation, search

General Information

What is the Wordfence Web Application Firewall?

What do the files in the wp-content/wflogs/ directory contain?

  • These files contain firewall configuration data and information on blocked attacks. The firewall needs these files because it can run before WordPress has loaded, and the database is not available at that time.
  • Files normally included in the wflogs directory are config.php, attack-data.php, ips.php, rules.php, wafRules.rules, and .htaccess. Some hosts may have additional temporary files in the same directory with similar names, or may also have temporary files with long names containing the letters "nfs".
  • Some of these files begin with a line that says `<?php exit('Access denied'); __halt_compiler(); ?>`. This prevents anyone from viewing the file contents in a web browser, while allowing the rest of the contents to be read as data.
  • Much of the data is encoded or in a binary format, for various reasons, including performance.

What is read-only mode?

  • In rare cases, a logged-in admin may see a notice saying: "The Wordfence Web Application Firewall is in read-only mode. PHP is currently running as a command line user and to avoid file permission issues, the WAF is running in read-only mode. It will automatically resume normal operation when run normally by a web server."
  • Read-only mode means that the firewall will not write its config file or other files, mainly to avoid issues with file permissions or other issues when PHP is not being run via the web server.
  • This notice should only appear when PHP is being run from the command line, and it should not appear when you are logged in as an admin on a site with a normal PHP installation. If you see this notice during normal use of your site, you can set the constant WFWAF_ALWAYS_ALLOW_FILE_WRITING in wp-config.php as a temporary fix. See Wordfence constants for advanced configuration. Please also notify us so we can determine how your server has been set up.

Setup and Maintenance

How do I set up the Web Application Firewall?

Can I dismiss the notice with the "Click to configure" button, if I don't want to set up the firewall right now?

  • The notice can be dismissed by clicking the Dismiss button. If you want to enable Extended Protection in the future, you can enable it on the Firewall page.

What can I do if an action is blocked when it should not be?

  • Visits blocked by the firewall will display "403 Forbidden" and "A potentially unsafe operation has been detected in your request to this site". When you are logged in as an admin, you are given a choice to whitelist any action where you are blocked. If you are not logged in at the time, you can either whitelist items from the Live Traffic page, or by enabling Learning Mode temporarily, completing the actions, and re-enabling the firewall. More information on whitelisting and Learning Mode are available on the Web Application Firewall page.
  • Background requests sent from your browser may show a message that says "Background Request Blocked" if they are blocked by the firewall. These messages are only displayed for the site's admin, and they can be whitelisted by clicking the Whitelist button in the message, if you know that they are safe. More information about blocked background requests is available here.

What is Learning Mode, and how do I use it?

How do I fix the error about being unable to write to ~wp-content/wflogs/ ?

Why do I get a message that says "The changes have not yet taken effect" after following the setup steps?

  • First, check your PHP version on the Diagnostics tab on the Tools page, on the Wordfence menu. PHP 5.2 cannot load the .user.ini required for automated setup on CGI/FastCGI configurations. Some hosts let you choose a newer PHP version in your control panel. For other hosts, you may have to submit a support request to the host.
  • In most cases, this means that your host caches certain PHP settings files. If you see this message for more than 5 minutes or continue to see the setup button at the top of your admin pages more than 5 minutes after completing the setup process, see the Web Application Firewall Setup page.

How can I hide .user.ini if my server runs NGINX?

The .user.ini file that Wordfence creates can contain sensitive information and public access to it should be restricted. To do this, you'll need to append the following directives to the server context of your nginx.conf file:

location ~ ^/\.user\.ini {
    deny all;
}

If you have your WordPress installation in a subdirectory, you can should add the path portion of the URL to the pattern:

location ~ ^/wordpress/\.user\.ini {
    deny all;
}

What do I do if I see: PHP Fatal error: Unknown: Failed opening required /var/www/html/wordfence-waf.php

See this page: After moving a site or deleting some files, I see: PHP Fatal error: Unknown: Failed opening required /var/www/html/wordfence-waf.php

Disabling the firewall

How can I disable the firewall?

  • On the Firewall page on the Wordfence menu, set the Firewall Status to "Disabled" and click the Save button.

How can I disable the firewall if I have technical problems and cannot update settings?

  • To disable the firewall, this constant can be set:
define('WFWAF_ENABLED', false);
  • If you have Basic WordPress Protection enabled, you can add this code to your wp-config.php file, just below the line about "WP_DEBUG".
  • If you have Extended Protection enabled, the code should be added in wordfence-waf.php, before the line that begins with "if".

Uninstalling the firewall files

How can I remove the firewall files and other code installed during the setup process?

  • Near the bottom of the Firewall page, click the button that says Remove Extended Protection. This will prompt you to save backups of relevant files and then will remove the Wordfence firewall portions of those files automatically. Depending on your server's configuration, it may ask you to wait for a 5 minute delay, to wait for a specific type of cache to expire on your server.
  • Alternately, you can remove the firewall setup files and related code by enabling "Delete Wordfence tables and data on deactivation" near the bottom of the Wordfence options page, and then deactivating Wordfence. This method will reset Wordfence's options entirely, since it removes all Wordfence tables and data.

How can I remove the firewall setup manually?

  • Depending on your server's setup, you may have changes in the files .htaccess, .user.ini, and php.ini, all in the site's main directory.
  • Wordfence surrounds its code with comments "Wordfence WAF" and "END Wordfence WAF" in the files it modifies. You can remove the code between these comments in these files:
    • .htaccess code varies by server configuration, but is surrounded by the comments mentioned above
    • .user.ini is only used on some server configurations, but if it exists, Wordfence code is surrounded by the comments mentioned above
    • php.ini is only used on some server configurations, and would have a single line beginning with "auto_prepend_file"
  • The file wordfence-waf.php in the site's root folder can be removed after the files above are updated.
  • Important: If your host uses .user.ini or a PHP cache, the changes can take 5 minutes or so to go into effect. You may see white screens or error messages during this period.