Activating WordFence Extended Protection

WordFence Auto Sense Firewall (images to come!)

An issue has been identified with a Wordpress Security Plugin that makes it so that it’s setup for the auto sensing Firewall will never complete the setup – offering users with a very annoying message on their dashboard about setting it up.

You can do any of these: code it out in your theme (not recommended, but this was a fix by the WordFence folks), click the Dismiss button (this won’t complete the setup but won’t bug you any more), or you can follow these instructions.

The Plugin Option requires access to a file called php.ini, on a shared server it’s pretty rare to have direct access to this, some servers allow it but the way cPanel is setup our php.ini overrides anything set in a user’s php.ini file.

That being said, with options in your php.ini in your user directory being overridden by the system we have to get creative to finish off the setup. Follow these steps to complete the setup:

1)      Log into your cPanel account by going to – if you need your username and password please have the account holder reach out to us via our Support Help Desk

2)      In cPanel, click on File Manager

WAF - Step 2

3)      In the top right corner of the screen click on the Settings button
WAF - Step 3

4)      In the bottom section of the window that pops up place a check mark beside Show Hidden Files and click Save
WAF - Step 4

5)      Now, on the left hand side click the + beside public_html
WAF - Step 5

6)      Click on the folder that your Wordpress is installed in (most of the time you can skip step 5 and just simply click on public_html, but sometimes the CMS is installed on a subdomain or in a sub folder, in my case it’s on a subdomain called wp, so I will click on the wp folder)
WAF - Step 6

7)      Leave this screen how it is, and either open a new Tab on your browser or open a new browser window

8)      Go to your WP-ADMIN dashboard by going to (if you have a subdomain it’ll be, or if it’s just a subdirectory then it’ll be

9)      Log in with an Administrator Username and Password

10)   Once logged in, in the menu on the left side of the screen look for and click on Wordfence
WAF - Step 10

11)   At the top of the screen look for this dialog:
WAF - Step 11

12)   Click on the Click here to configure button, and look for the following section (about midway through the page)
WAF - Step 12

Ignore their recommendation…it’s not accurate in the least, and with my tests it auto-selects this no matter how you have the server setup

13)   Click the drop down menu and select “Apache + suPHP” but don’t click continue just yet!
WAF - Step 13

14)   Under that drop down you will see a line of text in a grey box (don’t worry about understanding it but it will look like this: auto_prepend_file = '/home/username/public_html/subdirectory/wordfence-waf.php' Copy this text somewhere safe – like trusty old Notepad as we’ll need it in a few steps.

15)   Now, look up a few lines and click on Continue

16)   On the next screen you’ll see a “Download .htaccess” button, this will make a backup of your htaccess file so that if something goes weird you can restore it with ease…but click that button
WAF - Step 16

17)   Once it’s been clicked, the Continue button will illuminate and now you can click Continue
WAF - Step 17

18)   You will now see this message at the top of the screen…but we can ignore it
WAF - Step 18

19)   Now is where the fun begins….go back to the Window/Tab with File Manager still open (this is why I said to leave it logged in and open)

20)   In the list of files on the right, locate the .htaccess file, usually it will be at the top of the list of files under a few directories (like wp-content, wp-admin, etc.)
WAF - Step 20

21)   Right click on the icon to the left of .htaccess to see the following menu
WAF - Step 21

22)   Click on Edit, and then on the new window that pops up click on the Edit a second time
WAF - Step 22

23)   You’ll see a fair amount of information in here, most of which can be ignored…at the very top of the file you’ll want to take parts of that text that you copied from before into Notepad and put it in here.

First, copy this text here (it will be the same no matter where WP is installed, and what your username is:
php_value auto_prepend_file and paste that into the .htaccess file

In your Notepad, you will want to copy only “/home/username/public_html/subdirectory/wordfence-waf.php” (where username is your cpanel username, and subdirectory may or may not be in there, but if your Wordpress is on a subdomain or in a subdirectory you’ll want to put the directory or subdomain in place of the “subdirectory” text I’m referencing above and paste it with a leading ‘ and a trailing ‘, so if my username was support, and my domain was installed to a subdomain called WP my full line would look like this:

php_value auto_prepend_file ‘/home/support/public_html/wp/wordfence-waf.php’

24)   I could copy the above text and paste it into the .htaccess file and then click Save Changes
WAF - Step 24

25)   Then click the Close button

26)   Once you’ve done that you can go back to your Wordpress Dashboard and refresh….and voila problem solved:
WAF - Step 26

If you have any questions or concerns please let us know by opening a ticket or calling.


Was this answer helpful?

Related Articles

Why does Google say my site contains malware?

(WORK IN PROGRESS!)So you've gotten a few calls, emails, drop-in visits with some frantic current...

How do I move Wordpress from one location/domain to another?

Step 1:  Copy the entire contents of the old domain folder, which includes your entire WordPress...

How To Change Your WordPress Login URL

How To Change Your WordPress Login URL The short answer is to install, activate, and configure...

How to Prevent Brute Force Attacks on Your Wordpress Install

Unlike hacks that focus on vulnerabilities in software, a Brute Force Attack aims at being the...

How to Allow Your IP Address Access to Wordpress - htaccess

If you would like to limit access to your Wordpress Login script to only specified IP Addresses,...