Wordpress Wordfence .user.ini / auto_append_file

Hi All,

I use wordfence to protect my wordpress site.
One of the functions is It checks the code before executing it.
It does this by appending a file called .user.ini.

In litespeed enterprise it just picks up the .user.ini file and wordfence works.

in OLS it didnt pick the file up so i put in a "context" a php override: php_value auto_append_file "/usr/local/lsws/www/wordpress/.user.ini"

When i check my php info i can see that the local value is as expected - but it seems its not actually following whats inside the file. [which is auto_prepend_file = '/usr/local/lsws/www/wordpress/wordfence-waf.php']

Has anyone got wordfence to work on OLS with the full firewall?

I was using append instead of prepend when putting in php.ini:

auto_prepend_file = "/usr/local/lsws/www/wordpress/wordfence-waf.php"
hey, I use OLS directly without cyberpanel - try:
php_value auto_prepend_file "/usr/local/lsws/www/wordpress/wordfence-waf.php". make sure you're directory is right tho.
have you checked this ?


after you made change, run pkill lsphp to kill php process and check phpinfo and wordfence
I'm using CyberPanel, I don't have access to LiteSpeed WebAdmin through it because it is blocked by default by the Firewall (7080 port).

In CyberPanel WebAdmin I can edit the PHP settings (in PHP->Edit PHP Configs) and after that restart LiteSpeed (in Server Status -> Service Status).
Using phpinfo() on my website, the configuration shows that it has been changed correctly auto_prepend_file, but it still doesn't work.

I'm using CyberPanel 1.9 with CentOS 7 and LiteSpeed Enterprise.
if you are using enterprise , then discard that link , and check this

I'm not using WordFence, but a WAF by HackerSec: https://waf.hackersec.com/.

This link did not help me. I tested these configurations.

This is my htaccess configuration:

### Rewrite Rules Added by CyberPanel Rewrite Rule Generator

RewriteEngine On
RewriteCond %{HTTPS}  !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

### End CyberPanel Generated Rules.

### Secure Headers
Header set X-Frame-Options DENY

Header set X-XSS-Protection "1; mode=block"

Header set X-Content-Type-Options "nosniff"

Header always set  Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload" env=HTTPS

Header set Content-Security-Policy default-src 'none'; img-src 'self'; style-src 'self'; script-src 'strict-dynamic' 'nonce-c2xheWVydGVjaA' 'self' 'unsafe-inline' 'unsafe-eval' https:; font-src 'self'; object-src 'none'; base-uri 'none'; form-action 'self'; block-all-mixed-content; frame-ancestors; report-uri https://slayertech.report-uri.com/r/d/csp/reportOnly;

Header set Referrer-Policy "same-origin"

Header set Feature-Policy "geolocation 'self'; vibrate 'none'"

Header always set Expect-CT: max-age=0, report-uri="https://slayertech.report-uri.com/r/d/ct/reportOnly"
### End Secure Headers
Last edited:



The header set won't work , you need to use OLS context to generate those header

but I don't see this htaccess content has any ini append ?