Trellis + WordFence WAF

mgargano · April 21, 2017, 12:54pm

Has anyone successfully set up the WordFence WAF with a trellis setup? Every time I deploy I get the following

strarsis · April 21, 2017, 2:45pm

The .user.ini part already works for me (it is used by PHP, not nginx).

mgargano · April 21, 2017, 7:40pm

did you have to do any configuration? It keeps asking me to set it up over and over.

strarsis · April 21, 2017, 7:44pm

It asks me that, too and I don’t know why.

mgargano · April 21, 2017, 7:46pm

How are you certain its working?

strarsis · April 21, 2017, 7:53pm

I had issues with the site when Wordfence was uninstalled but the .user.ini still in place (and wondered how this was possible because I didn’t know the .user.ini feature until then).

WordFence scan lists me some issues now:
An admin user with the username was created outside of WordPress.
WordPress core file modified: […] (lots of them)

I updated WordPress core via composer and the DB was synced from staging to production, the admin user was created by myself. Of course I want to get rid of these false positives.

devotoare · March 21, 2018, 12:46am

I know it’s really late but what I did was this:

Create/edit /site/web/.user.ini and a file called /site/config/wordfence-waf.php with these contents:

gist.github.com

https://gist.github.com/devotoare/8c96a0ea2991abc30552d5c868e1a866

.user.ini

; Wordfence WAF
auto_prepend_file = ‘/srv/www/example.com/current/config/wordfence-waf.php’
; END Wordfence WAF

wordfence-waf.php

<?php
// Before removing this file, please verify the PHP ini setting `auto_prepend_file` does not point to this.

if (file_exists('/srv/www/example.com/current/web/app/plugins/wordfence/waf/bootstrap.php')) {
        define("WFWAF_LOG_PATH", '/srv/www/example.com/logs/wflogs/');
        include_once '/srv/www/example.com/current/web/app/plugins/wordfence/waf/bootstrap.php';
}
?>

These are just the default files that WordFence creates for the WAF with paths replaced to match the trellis/bedrock scheme.

Edit:
Can’t get the formatting to work here so I just created a gist.

mZoo · April 1, 2018, 11:52pm

Are you just adding this manually on the server? Because the hostname in the path will be different in the different environments. How do you handle that?

devotoare · April 2, 2018, 12:11am

In default setup the hostname in the path is the same. So I’m not handling that. You could use environment variables to do so however.

mZoo · April 2, 2018, 12:24am

Would that just be a matter of adding a parameter like WAF_KEY to group_vars/env/wordpress_sites.yml and then referencing it in the auto_prepend_file string? How would you reference it?

I noticed that @ben had suggested that it seems odd to use Wordfence in a Trellis setup. I wonder if Fail2Ban and Ferm, plus using .env adds enough security without Wordfence.

adleviton · June 17, 2018, 8:09pm

I did something like this, adding this in a main config file (or something like functions.php). It creates .user.ini and wordfence-waf.php to keep the Wordfence “extended protection” from being reset on a new deployment. And also, I used the Wordfence constant “WFWAF_LOG_PATH” to keep their firewall files out of the trellis /releases folder, so they won’t be overwritten, and “learning mode” won’t be reset on each deployment.

/*
 * Wordfence Setup
 */
 if (!is_file($f = "$webroot_dir/.user.ini")) {
   $content = "
   ; Wordfence WAF
   auto_prepend_file = '$webroot_dir/wp/wordfence-waf.php'
   ; END Wordfence WAF
   ";
   file_put_contents($f, $content);

   $content = "
   <?php
   // Before removing this file, please verify the PHP ini setting `auto_prepend_file` does not point to this.

   if (file_exists('$webroot_dir/app/plugins/wordfence/waf/bootstrap.php')) {
     define(\"WFWAF_LOG_PATH\", '$root_dir/../../wflogs/');
     include_once '$webroot_dir/app/plugins/wordfence/waf/bootstrap.php';
   }
   ?>
   ";
   file_put_contents("$webroot_dir/wp/wordfence-waf.php", $content);
 }

ben · June 18, 2018, 12:33pm

Please use the shared folder functionality in Trellis deploys to copy over files/folders to share between deploys, similar to how the WordPress uploads folder is handled. Using a PHP file to write to another file if it doesn’t exist is not ideal

adleviton · June 18, 2018, 1:30pm

Thanks Ben, I was hoping someone might have a better approach. Are you referring to the variable project_shared_children?

robrecord · August 21, 2019, 1:02pm

Are you still using Wordfence? I am wondering the same thing but I don’t know enough about what’s installed in Trellis to be sure that I’m not missing something vital by not using Wordfence. Have had a couple of other sites hacked on shared hosting.

robrecord · August 21, 2019, 1:03pm

Were you able to get this working?

adleviton · August 21, 2019, 2:06pm

I created a simple role for Wordfence: https://github.com/adleviton/trellis-wordfence

Then to include this role, I use this code in deploy-hooks/build-after.yml:

- name: Setup Wordfence
    include_role:
      name: trellis-wordfence

So for each deploy, it copies the two files that Wordfence needs for the WAF into the latest trellis release folder.

mZoo · August 23, 2019, 9:03am

I’m not sure that Wordfence is terribly useful when using Trellis and Bedrock. I think some of the features end up being redundant. I’m no expert, though.

adleviton · September 11, 2019, 2:16pm

At the very least, Wordfence let’s me know when I need to update plugins, and I can keep an eye on user logins.

robrecord · October 18, 2019, 9:37am

I would truly love to know what overlap there is with the security hardening in Trellis; as nice as the Wordfence reminders are, they are so noisy - the brute force protection is the biggest feature for me. My sites get hammered.