WordPress.org

Resolved Synchro
(@synchro)

6 years, 1 month ago

I normally run all my WordPress installations as read-only, with no web ownership, so that neither WordPress nor the web server can write files, though it can still write to the DB. For the most part this is quite usable (e.g. I can still create posts, pages etc) and provides significant protection against many unknown vulns. However Wordfence isn’t happy to run this way, reporting “The Wordfence Web Application Firewall cannot run”. As far as I can see, all it’s actually complaining about is that it can’t write to the log file, which isn’t the same as not being able to run. So, I have two questions:

1. Can Wordfence be made to run correctly in such an environment?
2. Can the WAF log file be moved out of the web root to somewhere that I can allow it to write, but not be accessible via the web?

Viewing 5 replies - 1 through 5 (of 5 total)

wfchar
(@wfchar)

6 years, 1 month ago
Hi @synchro,

Wordfence does need to have the ability to write to the filesystem in order to maintain configuration and definition files. However, you can change the WAF log file location by defining WFWAF_LOG_PATH in wordfence-waf.php if the WAF will be optimized, or it can be defined in wp-config.php if you are only running it in WordPress. If your site can’t write to the web root, you’ll also need to set up wordfence-waf.php manually.

A typical wordfence-waf.php looks like this (WFWAF_LOG_PATH defined here can be changed to any writable location):
```
<?php
// Before removing this file, please verify the PHP ini setting 'auto_prepend_file' does not point to this.

if (file_exists('/var/www/html/wp-content/plugins/wordfence/waf/bootstrap.php')) {
        define("WFWAF_LOG_PATH", '/var/www/html/wp-content/wflogs/');
        include_once '/var/www/html/wp-content/plugins/wordfence/waf/bootstrap.php';
}
```
Let me know if you have any further questions or concerns!
wfasa
(@wfasa)

6 years ago

Hi @synchro,
Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread. If you have any other questions or concerns, don’t hesitate to open a new one.

Thread Starter Synchro
(@synchro)

6 years ago

I can switch write access on and off – the problem I have with wordfence is that I can set it all up and configure it all (including the WAF), and it’s happy, but if I then set it to read-only, it breaks, and actually disables the WAF. That seems entirely unnecessary – I can see that things like logging within the webroot might be a problem, but I can’t see any good reason to break in that scenario – more to the point, breaking logging is a much less serious problem than disabling the entire protection system, which is what it does at preesent.

wfasa
(@wfasa)

5 years, 11 months ago

Hi @synchro,
We have a change coming up that will prevent the Firewall from reverting to Learning Mode when it can’t write to wflogs. However, you’ll still be missing out on some protection if you do not allow writing to the wflogs folder.

Note that you can define your own location for the wflogs folder using the WFWAF_LOG_PATH constant. Then you can keep the writable folder located somewhere else.

You can find more information about the WFWAF_LOG_PATH constant here.

Thread Starter Synchro
(@synchro)

5 years, 11 months ago

Thanks. I’ve implemented that and it’s now happy running read-only.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Wordfence WAF won’t run on a read-only system’ is closed to new replies.