WordFence blocking 3rd party PHP scripts

Ok so this was a mind bender.

Installed WordFence in the main website. Works great.

Went to use a completely different PHP script that was hosted on a different subdomain.

Nope! WordFence firewall popped up blocking the action (I was submitting a form with some URLs in it)

What the hell? How does a WordPress plugin on a separate subdomain block access to my non-WordPress PHP script?

Mind bender:



After much .htaccess and folder renaming, a grep through the code led me to the php_value “auto_prepend_file”

Yep WordFence created a file .user.ini in my root folder with this content in it:

; Wordfence WAF
auto_prepend_file = '/web/site.net/public/wordfence-waf.php'
; END Wordfence WAF

So now all my non-WordPress PHP scripts are loading the WordFence firewall.

Kinda cool that it still works, but also kinda annoying.


The fix was to remove the .user.ini file and set this php_value via .htaccess so it only applies to my WordPress installation.

Leave a Reply

Your email address will not be published.