mydomain.com/.user.ini

korshiun
(@korshiun)

8 years, 2 months ago

Hello.
Does Wordfence require access to mydomain.com/.user.ini file? Because under “Metrict/Errors” in my hosting account (or in my logs) I see that the file was required but access was denied ( by my rules in .htaccess ). I see that Wordfence put into that file (.user.ini) some code during its instalation. My question is: do I need to open access for Wordfence to the .user.ini file, or it is okay if I keep it protected from everyone.

Viewing 6 replies - 1 through 6 (of 6 total)

wfyann
(@wfyann)

8 years, 1 month ago

Hi @korshiun,

The code added by Wordfence in the “.user.ini” file is related to the firewall optimization and contains the path to the “auto prepend file“.

Yes, Wordfence needs to be able to access that file if you wish to run the firewall with “Extended Protection”.

Thread Starter korshiun
(@korshiun)

8 years, 1 month ago

Hi, thanks for the answer! I got another one, though.

My Worfence is currently running in “Extended Protection” mode despite the fact that it doesn’t have access to .user.ini file (and not giving/displaying any errors or warning messages).

I have this piece in my public_html directory .htaccess file.
# Wordfence WAF
<Files “.user.ini”>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
Can it be that it blocks itself because of this code? I mean my own server IP doesn’t have access to mydomain/.user.ini. The error I get on my server is this – “…[access_compat:error]…client denied by server configuration: /home/mydomain/public_html/.user.ini…”
wfyann
(@wfyann)

8 years, 1 month ago
Hi @korshiun,

I’m not sure why your Firewall Protection Leve would show “Extended Protection” in this case; I might have to check with our development team on that.

Now in order to check if the Firewall is really running in “Extended Protection” mode could you please check if a value is set for the “auto_prepend_file” directive?

To do so:
- Go to the Wordfence –> Tools page
- Click the Diagnostics tab
- In the Other Tests section (near the bottom of the page), click the link that reads “Click to view your system’s configuration in a new window“. This will open a Wordfence System Info page
Check the “auto_prepend_file” directive. Does it show the full path to the”wordfence-waf.php” file? Or does it show “no value”?
Thread Starter korshiun
(@korshiun)

8 years, 1 month ago
Hi @wfyann,

I checked Wordfence System Info (as you advised), and – it does show the full path to the ”wordfence-waf.php” file.
- This reply was modified 8 years, 1 month ago by korshiun.
wfyann
(@wfyann)

8 years, 1 month ago

Hi @korshiun,

This confirms that Wordfence is either able to access/read the content of the “.user.ini” file or that it is getting the “auto_prepend_file” directive from somewhere else; it could be set in “php.ini“.

Would you mind sharing the “.htaccess” rule you believe is blocking Wordfence from accessing the “.user.ini” file?

Thread Starter korshiun
(@korshiun)

8 years, 1 month ago

Hi @wfyann,

After investigating this issue, I noticed that the error message saying “client denied by server configuration: /home2/mydomain.com/public_html/.user.ini” on my cPanel’s “Errors” tab, I get only when I login to my hosting account. So, I login, go to “Errors”, see the message and look for the time the message was generated and it matches exactly the time I logged in. My conclusion – it is not related to Wordfence. I’m not an expert and if I’m wrong, just let me know.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘mydomain.com/.user.ini’ is closed to new replies.