Ok so this was a mind bender.
Installed WordFence in the main website. Works great.
Went to use a completely different PHP script that was hosted on a different subdomain.
Nope! WordFence firewall popped up blocking the action (I was submitting a form with some URLs in it)
What the hell? How does a WordPress plugin on a separate subdomain block access to my non-WordPress PHP script?
After much .htaccess and folder renaming, a grep through the code led me to the php_value “auto_prepend_file”
Yep WordFence created a file .user.ini in my root folder with this content in it:
; Wordfence WAF auto_prepend_file = '/web/site.net/public/wordfence-waf.php' ; END Wordfence WAF
So now all my non-WordPress PHP scripts are loading the WordFence firewall.
Kinda cool that it still works, but also kinda annoying.
The fix was to remove the .user.ini file and set this php_value via .htaccess so it only applies to my WordPress installation.