Has anyone successfully set up the WordFence WAF with a trellis setup? Every time I deploy I get the following
The .user.ini part already works for me (it is used by PHP, not nginx).
Did you have to do any configuration? It keeps asking me to set it up over and over.
It asks me that, too, and I don't know why.
How are you certain it's working?
I had issues with the site when Wordfence was uninstalled but the .user.ini still in place (and wondered how this was possible because I didn't know the .user.ini feature until then).
WordFence scan lists me some issues now:
An admin user with the username was created outside of WordPress.
WordPress core file modified: […] (lots of them)
I updated WordPress core via composer, the DB was synced from staging to production, and the admin user was created by me. Of course I want to get rid of these false positives.
I know it's really late but what I did was this:
Create/edit /site/web/.user.ini and a file called /site/config/wordfence-waf.php with these contents:
These are just the default files that WordFence creates for the WAF with paths replaced to match the trellis/bedrock scheme.
Edit:
Can't get the formatting to work here so I just created a gist.
Are you just adding this manually on the server? Because the hostname in the path will be different in the different environments. How do you handle that?
In the default setup the hostname in the path is the same. So I'm not handling that. You could use environment variables to do so, however.
Would that just be a matter of adding a parameter like WAF_KEY to group_vars/env/wordpress_sites.yml and then referencing it in the auto_prepend_file string? How would you reference it?
I noticed that @ben had suggested that it seems odd to use Wordfence in a Trellis setup. I wonder if Fail2Ban and Ferm, plus using .env, add enough security without Wordfence.
I did something like this, adding this in a main config file (or something like functions.php). It creates .user.ini and wordfence-waf.php to keep the Wordfence "extended protection" from being reset on a new deployment. And also, I used the Wordfence constant "WFWAF_LOG_PATH" to keep their firewall files out of the trellis /releases folder, so they won't be overwritten, and "learning mode" won't be reset on each deployment.
/*
 * Wordfence Setup
 * Assumes $root_dir (the release directory) and $webroot_dir ($root_dir/web)
 * as set in Bedrock's config/application.php. Writes both WAF files once per
 * release and keeps the WAF state (wflogs) outside the release directory.
 */
if (!is_file($f = "$webroot_dir/.user.ini")) {
    // .user.ini is read by PHP-FPM from the web root; nginx does not use it
    $content = "
; Wordfence WAF
auto_prepend_file = '$webroot_dir/wp/wordfence-waf.php'
; END Wordfence WAF
";
    file_put_contents($f, $content);

    // The prepended file must start with <?php: a leading newline would be
    // sent as output before WordPress can send headers
    $content = "<?php
// Before removing this file, please verify the PHP ini setting `auto_prepend_file` does not point to this.
if (file_exists('$webroot_dir/app/plugins/wordfence/waf/bootstrap.php')) {
    // two levels above the release directory, so every release shares it
    define(\"WFWAF_LOG_PATH\", '$root_dir/../../wflogs/');
    include_once '$webroot_dir/app/plugins/wordfence/waf/bootstrap.php';
}
?>
";
    file_put_contents("$webroot_dir/wp/wordfence-waf.php", $content);
}
Please use the shared folder functionality in Trellis deploys to copy over files/folders to share between deploys, similar to how the WordPress uploads folder is handled. Using a PHP file to write to another file if it doesn't exist is not ideal.
Thanks Ben, I was hoping someone might have a better approach. Are you referring to the variable project_shared_children?
Are you still using Wordfence? I am wondering the same thing but I don't know enough about what's installed in Trellis to be sure that I'm not missing something vital by not using Wordfence. Have had a couple of other sites hacked on shared hosting.
Were you able to get this working?
I created a simple role for Wordfence: https://github.com/adleviton/trellis-wordfence
Then to include this role, I use this code in deploy-hooks/build-after.yml:
- name: Setup Wordfence
  include_role:
    name: trellis-wordfence
So for each deploy, it copies the two files that Wordfence needs for the WAF into the latest trellis release folder.
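A runnable version of that per-deploy step, written here as an added shell example rather than the trellis-wordfence role's own tasks or Wordfence's generated files: it writes the two WAF files into a release, keeps the wflogs directory in Trellis's shared/ folder (Ben's suggestion above) so learning mode survives deploys, and uses __DIR__ in wordfence-waf.php so no environment-specific hostname is baked into the path. The layout (releases/<timestamp>, shared/, a current symlink) and the file contents are assumptions modelled on the thread; the check function at the end is also part of this example.

```shell
#!/bin/sh
# Added example (not the trellis-wordfence role's code and not Wordfence's):
# installs the two files the WAF needs into a Trellis release and keeps the
# WAF's state directory in shared/, so neither is lost on the next deploy.
# Assumed layout (Trellis default): <project_root>/releases/<timestamp>,
# <project_root>/shared, and <project_root>/current -> the live release.
set -eu

# install_wordfence_waf <release_path> <project_root>
install_wordfence_waf() {
  release="$1"
  project_root="$2"
  webroot="$release/web"
  logdir="$project_root/shared/wflogs"   # outside releases/, survives deploys

  mkdir -p "$webroot" "$logdir"
  chmod 0750 "$logdir"   # in production also chown it to the PHP-FPM user

  # PHP-FPM reads .user.ini from the document root; nginx ignores it.
  # Pointing at current/ keeps the value identical across releases.
  cat > "$webroot/.user.ini" <<EOF
; Wordfence WAF
auto_prepend_file = '$project_root/current/web/wordfence-waf.php'
; END Wordfence WAF
EOF

  # The file must begin with <?php: any byte before it is sent to the client.
  # __DIR__ resolves to the real release directory, so no hostname-specific
  # path is baked in and the same file works in every environment.
  cat > "$webroot/wordfence-waf.php" <<EOF
<?php
// Before removing this file, verify that auto_prepend_file does not point to it.
if (file_exists(__DIR__ . '/app/plugins/wordfence/waf/bootstrap.php')) {
    define('WFWAF_LOG_PATH', '$logdir/');
    include_once __DIR__ . '/app/plugins/wordfence/waf/bootstrap.php';
}
EOF
}

# check_wordfence_waf <release_path> <project_root>
# Returns 0 when the prepend file is reachable, starts with <?php, and the log
# directory is writable and not inside a release (where a deploy would drop it).
check_wordfence_waf() {
  release="$1"
  project_root="$2"
  ini="$release/web/.user.ini"
  [ -f "$ini" ] || { echo "missing $ini" >&2; return 1; }

  target=$(sed -n "s/^auto_prepend_file = '\(.*\)'$/\1/p" "$ini")
  [ -n "$target" ] && [ -f "$target" ] \
    || { echo "auto_prepend_file target not found: $target" >&2; return 1; }
  [ "$(head -c 5 "$target")" = "<?php" ] \
    || { echo "output before <?php in $target" >&2; return 1; }

  logdir=$(sed -n "s/.*WFWAF_LOG_PATH', '\(.*\)').*/\1/p" "$target")
  case "$logdir" in
    "$project_root/releases/"*) echo "WFWAF_LOG_PATH is inside a release" >&2; return 1 ;;
  esac
  [ -d "$logdir" ] && [ -w "$logdir" ] \
    || { echo "WFWAF_LOG_PATH not writable: $logdir" >&2; return 1; }
  return 0
}

# Usage on a server (release path as created by Trellis):
#   install_wordfence_waf /srv/www/example.com/releases/20200101120000 /srv/www/example.com
#   check_wordfence_waf   /srv/www/example.com/releases/20200101120000 /srv/www/example.com
```

From a Trellis deploy this would be run against {{ deploy_helper.new_release_path }} in deploy-hooks/build-after.yml. To confirm the WAF is actually active, request a PHP file through nginx that echoes ini_get('auto_prepend_file'): the PHP CLI does not read .user.ini, and PHP-FPM caches it for user_ini.cache_ttl (300 seconds by default), so a change is not visible immediately.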
I'm not sure that Wordfence is terribly useful when using Trellis and Bedrock. I think some of the features end up being redundant. I'm no expert, though.
At the very least, Wordfence lets me know when I need to update plugins, and I can keep an eye on user logins.
I would truly love to know what overlap there is with the security hardening in Trellis; as nice as the Wordfence reminders are, they are so noisy - the brute force protection is the biggest feature for me. My sites get hammered.