Hi @synchro,
Wordfence does need to have the ability to write to the filesystem in order to maintain configuration and definition files. However, you can change the WAF log file location by defining WFWAF_LOG_PATH in wordfence-waf.php if the WAF will be optimized, or it can be defined in wp-config.php if you are only running it in WordPress. If your site can’t write to the web root, you’ll also need to set up wordfence-waf.php manually.
A typical wordfence-waf.php looks like this (WFWAF_LOG_PATH defined here can be changed to any writable location):
<?php
// Before removing this file, please verify the PHP ini setting 'auto_prepend_file' does not point to this.
if (file_exists('/var/www/html/wp-content/plugins/wordfence/waf/bootstrap.php')) {
define("WFWAF_LOG_PATH", '/var/www/html/wp-content/wflogs/');
include_once '/var/www/html/wp-content/plugins/wordfence/waf/bootstrap.php';
}
Let me know if you have any further questions or concerns!
Hi @synchro,
Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread. If you have any other questions or concerns, don’t hesitate to open a new one.
I can switch write access on and off – the problem I have with wordfence is that I can set it all up and configure it all (including the WAF), and it’s happy, but if I then set it to read-only, it breaks, and actually disables the WAF. That seems entirely unnecessary – I can see that things like logging within the webroot might be a problem, but I can’t see any good reason to break in that scenario – more to the point, breaking logging is a much less serious problem than disabling the entire protection system, which is what it does at present.
Hi @synchro,
We have a change coming up that will prevent the Firewall from reverting to Learning Mode when it can’t write to wflogs. However, you’ll still be missing out on some protection if you do not allow writing to the wflogs folder.
Note that you can define your own location for the wflogs folder using the WFWAF_LOG_PATH constant. Then you can keep the writable folder located somewhere else.
You can find more information about the WFWAF_LOG_PATH constant here.
Thanks. I’ve implemented that and it’s now happy running read-only.
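A preflight check for the setup discussed in this thread, added here as an example (it is not Wordfence's code and not part of any post): it reads the WFWAF_LOG_PATH define from wordfence-waf.php and confirms that the directory exists, is writable by the current user, and resolves to a location outside the web root. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify WFWAF_LOG_PATH before switching the web root to read-only.
# Exit codes (chosen for this example):
#   0 ok, 1 no WFWAF_LOG_PATH define found,
#   2 a directory is missing or the log directory is not writable,
#   3 the log directory is inside the web root.

# Print the path passed to define('WFWAF_LOG_PATH', ...) in a PHP file.
waf_log_path() {
    sed -n "s/.*define([\"']WFWAF_LOG_PATH[\"'], *[\"']\([^\"']*\)[\"']).*/\1/p" "$1" | head -n 1
}

# Usage: check_waf_log_path /path/to/wordfence-waf.php /path/to/webroot
# Run it as the user PHP runs as, so the writability test is meaningful.
check_waf_log_path() {
    php_file=$1
    webroot=$2
    log_path=$(waf_log_path "$php_file")
    if [ -z "$log_path" ]; then
        echo "no WFWAF_LOG_PATH define in $php_file" >&2
        return 1
    fi
    if [ ! -d "$log_path" ] || [ ! -w "$log_path" ]; then
        echo "$log_path is missing or not writable by $(id -un)" >&2
        return 2
    fi
    # Resolve symlinks so a link pointing back into the web root is detected.
    log_real=$(cd "$log_path" && pwd -P) || return 2
    web_real=$(cd "$webroot" && pwd -P) || return 2
    case "$log_real/" in
        "$web_real"/*)
            echo "$log_real is inside the web root $web_real" >&2
            return 3
            ;;
    esac
    echo "ok: WAF log directory $log_real is outside $web_real"
    return 0
}
```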