Need some help with WordFence on OpenLiteSpeed

inspiredearth

Hi folks,

I have an OLS server which I'd like to use WordFence on.

I kept getting the incomplete install prompt from Wordfence. Which lead me to here: https://www.wordfence.com/help/firewall/optimizing-the-firewall/troubleshooting/#other-installation-issues

Sites using OpenLiteSpeed
The OpenLiteSpeed web server does not currently support “.htaccess” or “.user.ini” files and can only be set up manually. OpenLiteSpeed has instructions in this link below:
https://openlitespeed.org/kb/enable-wordfence-on-openlitespeed/
When the “Optimize Wordfence Firewall” dialogue is displayed then to complete the “Manual Configuration” you will need to do this:

Select “Manual Configuration” and press “Continue”.

Take note of the “auto_prepend_file” file path displayed.

Follow the instructions in the OpenLiteSpeed documentation link above.

So it sounds like OLS needs some manual configuration to get the php append working. Something to do with lack of .htaccess support in OLS. For some reason I thought one of the pros of OLS is that it has full .htaccess support?

The above leads me to here: https://docs.openlitespeed.org/config/php/wordfence/, which states:

WordFence requires auto_prepend_file in order to work correctly, as it allows the Wordfence WAF to load before WordPress, rather than afterward.

By default, the following directive in .htaccess is used to load WordFence, but this directive does not work in OpenLiteSpeed:

php_value auto_prepend_file '/home/example.com/public_html/wordfence-waf.php'
Luckily, there are alternatives. There are three different methods you can use with OpenLiteSpeed:

• WebAdmin (recommended)
• Direct edit
• By virtual host

Has anyone else got Wordfence fully operational on OLS servers? If so, what method did you use to resolve the auto_prepend_file issue?

Thank you.

LordKurgan

inspiredearth Simply uninstall WordFence(bloated useless nonsense). Problem solved.

Rich

OLS does support .htaccess, but not automatic reloads as LSWS does. That said, enhance made their own reloader for .htaccess back in Jan.

Appcd 2.2.0
20th January 2024

Feature
When using the OpenLiteSpeed web server kind, Enhance will attempt to monitor document roots for .htaccess changes and automatically reload OpenLiteSpeed.

I have zero trouble with OLS and Wordfence. I don't use auto_prepend_file, on some sites I do have a php.ini but not that directive, on other sites I don't even have a php.ini.

Maybe your issue is with: public_html/wordfence-waf.php

inspiredearth

JohnB Thanks John. Much appreciated. Looking into this now.

UPDATE: So doing that has worked. Wordfence is no longer prompting me to complete the installation. The only hassel with this is it has to be manually added for every site.

I am curious @Rich why you're not having to do this on your servers. Are you not getting the complete installation message (something to that effect) at the top of the Wordfence pages?

inspiredearth

Whilst we're on this topic ... Are you getting this in all your scan results? It seems odd to me that WordFence is complaining about this user.ini file when as far as I'm aware it is WF that created the file!

Rich

inspiredearth I would say it's probably a permissions issue that's causing that message. What are the permissions? Something like 600 or maybe 644 would be better.

If I get that message I always let it complete by clicking on it. I only have one site where I've added the declarative for append file into enhance and set the exact location.

Most other sites I see it working as a relative path and it seems to be happy with that. like this:

if (file_exists(__DIR__.'/wp-content/plugins/wordfence/waf/bootstrap.php')) { define("WFWAF_LOG_PATH", __DIR__.'/wp-content/wflogs/'); include_once __DIR__.'/wp-content/plugins/wordfence/waf/bootstrap.php'; }

I also have the following in my wp-config:
define( 'WP_PLUGIN_DIR', '/var/www/00000000-0000-0000-0000-e399e8e64804/public_html/wp-content/plugins' ); define( 'WPMU_PLUGIN_DIR', '/var/www/00000000-0000-0000-0000-a55e-e399e8e64804/public_html/wp-content/mu-plugins' );

These might help, although the relative path in the wf config file seems to be fine.

I have one website where it's the full path and it is correct except for it has domain rather than UUID. Again no complaints and scans work fine.

Sorry for all the other edge cases that seem to work for me, but hope it helps.

JohnB

inspiredearth The ini complaint i've seen on other platforms. Not sure if wordfence creates it but its just warning that it could expose sensitive info. Its just coded to warn if it finds a .ini or user.ini file accessable it doesn't actually know if the contents are an issue.

inspiredearth

I am curious @Rich why you're not having to do this on your servers. Also, are you not getting the complete installation message (see below) at the top of your wp-admin? (and you didn't click Dismiss)

ivansalloum

Install the ninja firewall instead. It is better in my experience!

inspiredearth

ivansalloum Thanks for this suggestion. I'll check it out.
What is it that you prefer about Ninja Firewall?

UPDATE: I'm impressed by what I'm seeing described on the plugin page.

inspiredearth

ivansalloum Further to my previous reply ... Do you find the free version is sufficient?
I ask, because the pro version is somewhat pricey.

inspiredearth

Rich Thanks Rich.
The permissions will be whatever Enhance has set by default. I haven't altered them, and hopefully I should need to. Right?

Yes, the scans still work fine even when WF hasn't been configured to modify the .htaccess and the php append isn't working. I am assuming it's only for WF's live protection (or Web Application Firewall) that those modifications need to be in place. As per the message, "To make your site as secure as possible ..."

Regarding the appearance of that message, please refer to my above reply to John.

Rich if (file_exists(DIR.'/wp-content/plugins/wordfence/waf/bootstrap.php')) {
define("WFWAF_LOG_PATH", DIR.'/wp-content/wflogs/');
include_once DIR.'/wp-content/plugins/wordfence/waf/bootstrap.php';
}

Where are you putting this code? Into the site's .htaccess file?

Again ... thanks very much. I appreciate your input.

inspiredearth

JohnB Thanks John. As far as I can tell, that notification shows up so long as the php append is not working, because WF is unable to detect that it's fully installed. As soon as I manually add the PHP directive you suggested, the notification does away, and WF detects that it's customisations to the .htaccess file are active.

Rich

inspiredearth it's from my wordfence-waf.php file.

Yes permissions should be set correctly by enhance, thank you for sharing that the warning went away after fixing the file append. I was just assuming it might of been copied in and had wrong permissions as a possible reason.

If I've ever seen the setup warning, I've always followed it.

ivansalloum

inspiredearth I’ve always used the free version of Ninja Firewall, and it’s been enough for me. The pro version is mainly for advanced users who need more customization, but it doesn’t provide extra protection in my experience. Comparing Ninja Firewall to Wordfence, Ninja Firewall is lightweight and has a great filter that blocks threats before they even reach WordPress. Its firewall rules are updated regularly and block most threats. Wordfence, however, is too heavy and can slow down your website. Ninja Firewall also has useful features like login page lockdown, security headers, and protection against user enumeration scans. I’ve never had a site hacked with my security setup, and Wordfence never worked for me.

inspiredearth

It looks like Ninja Firewall has the same requirement as Wordfence when it comes to full WAF protection. It also states that for Openlitespeed one has to manually add the necessary VHOST (or PHP directive) settings in order to achieve that outcome. So I'm guessing there's no way around this for Wordfence or Ninja Firewall, if one wants the WAF functionality.

Andreas

I agree. I ditched Wordfence years ago. If you have cpfence or opshield running on the server, why have another running?

What does Wordfence have to offer that the server level ones do not?

twest

Andreas 2FA login, capability for users to unblock themselves via email, simple interface for users to block IPs themselves, WP specific protections like prevent php execution in uploads folder, scan plugin/theme for differences against wporg versions, etc.

Wordfence has a lot of benefits that server level programs don't cover, I wouldn't be so quick to dismiss it. I've used it for a decade as part of my standard stack and I would say it has contributed to a stellar track record of having very rare intrusions/hacks.

We use many other tools too, but I'm appreciative of WF and the role it plays to keep everyone safe 🙏

Rich

twest 100% on this, I too have been using it as part of my go to stack for nearly a decade myself.

Andreas When I have all the other layers of protection in place from CloudFlare down to server mod_sec rules etc... (WHM + CL + OSWASP Etc...) I still had a high value website take 1.8 million attacks per month, all blocked and reported by WordFence. So if the server level and edge network WAF's did there job, why would the last line of defense WordPress WAF block so much?! (It's doing it's job) enabling premium on that site showed that 90% of the attacks where coming from unknown IPs and not on their main real-time black list. Up to that point of trying premium free tier had been fine for 6 years and likely would continue to be fine.

I've tried a few other solutions and personally not liked them, Scurri might be a true contender I've not really tried that one much. I also have no need to switch since I am 100% happy with the results of Wordfence. It's never been an issue at anytime. (for me) I ignore the messages saying increased attacks etc... I am not stupid to marking hype free tier is good enough 99% of the time.

I've only have 1 website that has the paid sub, the rest 50+ are on free tier and been fine for as long as I can remember.

The only website that got hacked with it on, wasn't the WAF it was the 3rd party hosting supplier! I immediately redirected the traffic to my enhance estate with a backup copy I'd taken a couple weeks before. No issues, eventually sorted the copy out on the 3rd party a few days later, cloning my version to it, reset the DNS records to them and it was hacked within 24 hours again. (exactly same code base) I immediately took DNS back to my enhance server and there its remained so far for 18 months hack free. I will say this the 3rd party cpanel server was so over loaded that WordFence couldn't even daily or on-demand scan without failing. I would never trust or recommend that hosting to anyone... (won't mention names but there well known, running a typical cpanel setup)

So I do sleep well at night knowing it's at least 1 more layer in the onion of security and I sure as heck would't knowing there wasn't a final WAF at the WordPress (Actual Application) level installed, by at least 1 major security vendor. bitninja and all these others are minor players I doubt they'd have the same level of security, certainly not the funding, resources or R&D that Wordfence has. (There's a good reason Photoshop has the monopoly and GIMP is an after thought, Affinity Photo is just a cheap alternative by again a well funded org)

As they say each to their own, but I have very valid and legitimate cases for it being installed in my stack and that is unlikely to change anytime soon. No solution is infallible or 100% safe. But having thawed 10's millions of attacks for me its good enough.

Andreas

I have to respectfully disagree on on some of those points
(Not trying to start anything, I appreciate all you do for the community here.).

All I see is WF giving a false sense of security.
Too many times I have see clients sites hacked and they all say the say thing. "How did I get hacked. I have WF"
Too many times I find WF not finding malware on servers, that opshield or immunify finds. Even the GotMLS finds them.

If you love it, and lets you sleep at night, then great. Go for it. I find WF nothing but a disappointment.