I did something like this, adding this in a main config file (or something like functions.php). It creates .user.ini and wordfence-waf.php to keep the Wordfence “extended protection” from being reset on a new deployment. And also, I used the Wordfence constant “WFWAF_LOG_PATH” to keep their firewall files out of the Trellis /releases folder, so they won’t be overwritten, and “learning mode” won’t be reset on each deployment.
/*
 * Wordfence Setup
 */
// Create both files only when .user.ini does not exist yet.
if (!is_file($f = "$webroot_dir/.user.ini")) {
    // .user.ini: make PHP load the WAF loader before every request.
    $content = "
; Wordfence WAF
auto_prepend_file = '$webroot_dir/wp/wordfence-waf.php'
; END Wordfence WAF
";
    file_put_contents($f, $content);

    // The loader has to start with <?php: anything before the tag is sent as output on every request.
    $content = "<?php
// Before removing this file, please verify the PHP ini setting `auto_prepend_file` does not point to this.
if (file_exists('$webroot_dir/app/plugins/wordfence/waf/bootstrap.php')) {
    // Keep the firewall data outside the release directory.
    define(\"WFWAF_LOG_PATH\", '$root_dir/../../wflogs/');
    include_once '$webroot_dir/app/plugins/wordfence/waf/bootstrap.php';
}
?>
";
    file_put_contents("$webroot_dir/wp/wordfence-waf.php", $content);
}
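A post-deploy check for the setup in the post above, as an added example that is not part of the original post or of Wordfence: it confirms that .user.ini points at an existing loader, that the Wordfence bootstrap is present, and that WFWAF_LOG_PATH is a writable directory outside the release. The helper name `wf_waf_check()` and the script name are assumptions; the paths follow the post's layout.

```php
<?php
// Added example (not from the original post): verify the Wordfence WAF wiring after a deploy.
// wf_waf_check() is a hypothetical helper; paths follow the layout used in the post.

function wf_waf_check(string $webroot_dir, string $root_dir): array
{
    $problems = [];

    // 1. .user.ini must name a prepend file that exists. If the target is missing,
    //    PHP fails every request with a fatal error.
    $ini_file = "$webroot_dir/.user.ini";
    $ini = is_file($ini_file) ? parse_ini_file($ini_file, false, INI_SCANNER_RAW) : false;
    $prepend = is_array($ini) ? trim($ini['auto_prepend_file'] ?? '', " '\"") : '';
    if ($prepend === '') {
        return ["$ini_file is missing or sets no auto_prepend_file"];
    }
    if (!is_file($prepend)) {
        return ["auto_prepend_file target does not exist: $prepend"];
    }

    // 2. The generated loader skips the firewall silently when bootstrap.php is absent.
    $bootstrap = "$webroot_dir/app/plugins/wordfence/waf/bootstrap.php";
    if (!is_file($bootstrap)) {
        $problems[] = "Wordfence bootstrap not found, WAF is not loaded: $bootstrap";
    }

    // 3. WFWAF_LOG_PATH must be a writable directory outside the release directory.
    $pattern = '/define\(\s*["\']WFWAF_LOG_PATH["\']\s*,\s*["\']([^"\']+)["\']/';
    if (!preg_match($pattern, (string) file_get_contents($prepend), $m)) {
        $problems[] = "WFWAF_LOG_PATH is not defined in $prepend";
    } else {
        $log_dir = realpath($m[1]);
        $release = realpath($root_dir);
        if ($log_dir === false || !is_dir($log_dir) || !is_writable($log_dir)) {
            $problems[] = "WAF log directory missing or not writable: {$m[1]}";
        } elseif ($release !== false && strncmp("$log_dir/", "$release/", strlen($release) + 1) === 0) {
            $problems[] = "WAF log directory is inside the release: $log_dir";
        }
    }
    return $problems;
}

// CLI use: php wf-waf-check.php <webroot_dir> <root_dir>; exits non-zero on any problem.
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $problems = wf_waf_check($argv[1], $argv[2]);
    echo $problems ? implode(PHP_EOL, $problems) . PHP_EOL : "Wordfence WAF wiring OK" . PHP_EOL;
    exit($problems ? 1 : 0);
}
```

PHP only reads .user.ini under CGI/FastCGI SAPIs (PHP-FPM included) and re-reads it every `user_ini.cache_ttl` seconds (300 by default), so a freshly written file can take a few minutes to apply.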