Trellis / WordFence: Maintain plugin data folder in /web/app on deploy

stuartcusackie · April 25, 2020, 9:09pm

I am using Wordfence for additional protection on my websites. It saves some data in the current/web/app/wflogs folder, and I am guessing that this data contains the current firewall settings and a list of blocked IPs.

The problem is when deploying with Trellis, this folder is lost, or at least I think it is. If this is true, then all WF firewall rules are lost on deploy. This is causing problems for me as all blocked IPs are regaining access to the website on each deploy. The Wordfence firewall takes 1 week to re-learn.

Is there a way to maintain the wflogs folder?

Thanks!

strarsis · April 25, 2020, 11:43pm

adleviton · April 26, 2020, 12:43am

Yep:

stuartcusackie · April 26, 2020, 10:21am

Thanks guys. This seems to work well. It will take a couple of weeks to truly test it but I will report back if there any issues.

I’ll add my personal installation notes here which might save somebody some time:

INSTALLING WORDFENCE WITH TRELLIS

WF needs files and folders to work: user.ini, wordfence-waf.php and /wflogs/. There is an ansible package for making this compatible with Trellis. To set up:

From trellis folder run: (use WSL with windows)

ansible-galaxy install adleviton.trellis_wordfence

Create file: deploy-hooks/build-after.yml with contents:

- name: Setup Wordfence
  include_role:
  name: adleviton.trellis_wordfence

Add entry to roles/deploy/defaults/main.yml:

deploy_build_after:
  - "{{ playbook_dir }}/roles/deploy/hooks/build-after.yml"
  - "{{ playbook_dir }}/deploy-hooks/build-after.yml"
  # - "{{ playbook_dir }}/deploy-hooks/sites/{{ site }}-build-after.yml"

Deploy

Notes:

We should add wflogs to .gitignore
The wflogs folder now sits in the root folder, along with shared and releases.

adleviton · April 29, 2020, 3:45pm

My .gitignore file excludes wflogs/.

My /wflogs folder is actually in /srv/www/mysite.com/web/app. That’s where it’s always been by default for me, and that’s created by the Wordfence plugin.

Moving /wflogs to the shared folder would be cleaner, but adding wflogs/ to .gitignore is a pretty quick and harmless fix for right now. Not sure if I want to overcomplicate things.

I’m not sure what you mean … aren’t all ‘deploys’ considered to be ‘remote’? In any case, it would need to be run on every deploy.

stuartcusackie · April 30, 2020, 10:21am

Thank you for clearing this up and your ansible package is working great on all the websites that I have tried it on.

I’m not sure what I meant with my deployment question. I think I was worried about how your hooks would work with my local vagrant box. I believe placing the hook in a mywebsite.com-build-after.yml file would mean that it would only run on mywebsite.com and not mywebsite.test.

Thanks again!

adleviton · April 30, 2020, 4:16pm

On local, I leave Wordfence disabled, so it’s never been an issue for me. And I also never run deployments locally. But I would expect any hooks to work just as they would remotely.

stuartcusackie · April 30, 2020, 4:37pm

ah yes, of course. I was wrongly assuming that Trellis performed some kind of deployment on the provisioning of local vagrant boxes. I guess I’m not quite used to Trellis yet.

Thanks again for your help and your ansible package.

system · June 6, 2020, 9:13pm

This topic was automatically closed after 42 days. New replies are no longer allowed.