Trellis + WordFence WAF

Has anyone successfully set up the WordFence WAF with a trellis setup? Every time I deploy I get the following


The .user.ini part already works for me (it is used by PHP, not nginx).

did you have to do any configuration? It keeps asking me to set it up over and over.

It asks me that, too and I don’t know why. :confused:

How are you certain its working?

I had issues with the site when Wordfence was uninstalled but the .user.ini still in place (and wondered how this was possible because I didn’t know the .user.ini feature until then).

WordFence scan lists me some issues now:
An admin user with the username was created outside of WordPress.
WordPress core file modified: […] (lots of them)

I updated WordPress core via composer and the DB was synced from staging to production, the admin user was created by myself. Of course I want to get rid of these false positives.

1 Like

I know it’s really late but what I did was this:

Create/edit /site/web/.user.ini and a file called /site/config/wordfence-waf.php with these contents:

These are just the default files that WordFence creates for the WAF with paths replaced to match the trellis/bedrock scheme.

Can’t get the formatting to work here so I just created a gist.

1 Like

Are you just adding this manually on the server? Because the hostname in the path will be different in the different environments. How do you handle that?

In default setup the hostname in the path is the same. So I’m not handling that. You could use environment variables to do so however.

Would that just be a matter of adding a parameter like WAF_KEY to group_vars/env/wordpress_sites.yml and then referencing it in the auto_prepend_file string? How would you reference it?

I noticed that @ben had suggested that it seems odd to use Wordfence in a Trellis setup. I wonder if Fail2Ban and Ferm, plus using .env adds enough security without Wordfence.

1 Like

I did something like this, adding this in a main config file (or something like functions.php). It creates .user.ini and wordfence-waf.php to keep the Wordfence “extended protection” from being reset on a new deployment. And also, I used the Wordfence constant “WFWAF_LOG_PATH” to keep their firewall files out of the trellis /releases folder, so they won’t be overwritten, and “learning mode” won’t be reset on each deployment.

 * Wordfence Setup
 if (!is_file($f = "$webroot_dir/.user.ini")) {
   $content = "
   ; Wordfence WAF
   auto_prepend_file = '$webroot_dir/wp/wordfence-waf.php'
   ; END Wordfence WAF
   file_put_contents($f, $content);

   $content = "
   // Before removing this file, please verify the PHP ini setting `auto_prepend_file` does not point to this.

   if (file_exists('$webroot_dir/app/plugins/wordfence/waf/bootstrap.php')) {
     define(\"WFWAF_LOG_PATH\", '$root_dir/../../wflogs/');
     include_once '$webroot_dir/app/plugins/wordfence/waf/bootstrap.php';
   file_put_contents("$webroot_dir/wp/wordfence-waf.php", $content);

Please use the shared folder functionality in Trellis deploys to copy over files/folders to share between deploys, similar to how the WordPress uploads folder is handled. Using a PHP file to write to another file if it doesn’t exist is not ideal :slight_smile:

1 Like

Thanks Ben, I was hoping someone might have a better approach. Are you referring to the variable project_shared_children?

1 Like

Are you still using Wordfence? I am wondering the same thing but I don’t know enough about what’s installed in Trellis to be sure that I’m not missing something vital by not using Wordfence. Have had a couple of other sites hacked on shared hosting.

Were you able to get this working?

I created a simple role for Wordfence:

Then to include this role, I use this code in deploy-hooks/build-after.yml:

- name: Setup Wordfence
      name: trellis-wordfence

So for each deploy, it copies the two files that Wordfence needs for the WAF into the latest trellis release folder.


I’m not sure that Wordfence is terribly useful when using Trellis and Bedrock. I think some of the features end up being redundant. I’m no expert, though.

At the very least, Wordfence let’s me know when I need to update plugins, and I can keep an eye on user logins.

I would truly love to know what overlap there is with the security hardening in Trellis; as nice as the Wordfence reminders are, they are so noisy - the brute force protection is the biggest feature for me. My sites get hammered.

1 Like