Wordfence with PHP-FPM
Wordfence is one of the godsend plugins out there for WordPress security. It has been used by many WordPress sites because it works as advertised and a very popular security plugin out there for WordPress.
Since PHP can be run from multiple ways, it is hard for Wordfence to do this the automated way. Yes, they do tackle multiple ways of installation, but if you are running PHP-FPM (like RunCloud does) you need to add something to your config to make Wordfence work with your WordPress installation.
Web Application
For this tutorial, I will be using wordfence.runcloud.io as my Wordfence test site. I will not be going through Wordpress installation, but this is my Web Application info.

Configuring Wordfence
After you have successfully installed Wordfence plugin, you will be greeted with this message. Click “click here to configure” button to configure Wordfence.

At the bottom of the configure page (Alternate method), you will see a message to add the configuration to your php-fpm setting.

For my site, I need to add this line inside my php.ini:
auto_prepend_file = '/home/runcloud/webapps/wordfence/wordfence-waf.php'
Just leave it there, we are not going to add it inside our php.ini. But that is what we are going to use inside our php-fpm configuration.
Based on the Web Application summary that you can see above, our Web Application name is “wordfence”. What we are going to do is to locate extra php-fpm config for this Web Application. The extra configuration file will be /etc/php-extra/wordfence.conf. The config name is easy. If your Web Application name is “mywordpress”, the extra php-fpm config file will be /etc/php-extra/mywordpress.conf. If you didn’t have this file, just go to your Web Application section inside RunCloud Panel and click rebuild button to get your fpm extra configuration file.
Now open the /etc/php-extra/wordfence.conf with your preferred editor. You may use Vim, Nano or Pico, but my favorite is Nano. Once you are in there, just put the value like the line below
php_admin_value[auto_prepend_file] = /home/runcloud/webapps/wordfence/wordfence-waf.php
Don’t copy mine. Use your own value for php_admin_value[auto_prepend_file]. It should be same as what Wordfence had suggested earlier.
If your server is configured to run on OpenLiteSpeed – you’ll need to add the following code snippet to your configuration by navigating to your web application and the LiteSPeed Config tab in your RunCloud Dashboard:
phpIniOverride {
php_admin_value auto_prepend_file "/home/yourwebappuser/webapps/yourwebappname/wordfence-waf.php"
}

Once you have added that, reload your php.
systemctl reload php71rc-fpm
Depending on which php version you are using (refer to the Web Application summary), reload that php version. If you are not sure what you are doing, refer to our PHP Cheat Sheet documentation. Once you have done that, your Wordfence will start to do its job. Now you may tweak your Wordfence config for your personalized settings.

Hi guys,
thank you for the instructions, we’re using the Hybrid setup with Apache in front and NGINX behind – following your tutorial results in a HTTP Error 500.
Do the exact steps in the tutorial also apply to the hybrid version?
Thank you!
I’ve replied via support channel
Does this apply to the Hybrid setup as I would like to know this also please.
yup. applied to both native and hybrid setup
But while using Hyper mode, do we really needs to add that? Because .htaccess will get the job done.
Not sure. Im not using this plugin inside production. Just a tutorial for our customers
Cukurrr…. Aritu pakai php.ini tak lepas kot hahahaha…
Thanks for adding this for Wordfence. A business that actually delivers solutions and not empty promises. Brilliant!
Thank you steve. Hope you are enjoying our services. We have more to add. Stay tuned
No success for me. You should maybe do short YT video tutorials.
Do you get some kind of error or something?
The last part was a bit confusing, didn’t know exactly what to replace. This worked:
php_admin_value[auto_prepend_file = ‘/home/runcloud/webapps/MYWEBSITE/wordfence-waf.php’] = /home/runcloud/webapps/wordfence/wordfence-waf.php
reloaded php and things seem to work fine.
I agree that newbies such as myself could benefit from video tutorials.
Cheers.
@Admin can you please confirm if my above code is correct?
Thank you.
Not sure, but I think you should follow from tutorial above. But, if it works, why bother changing it right?
Well, I did follow the above tutorial but maybe I didn’t understood it correctly. Just wanted to be sure, that’s all.
This is a great tutorial, thank you!
The instructions could be a little clearer.
You should use this format:
php_admin_value[auto_prepend_file] = ‘/home/runcloud/webapps/mywebapp/wordfence-waf.php’
It will whitescreen your site if you don’t include single quotes
It will also whitescreen your site if Wordfence is not installed or its a fresh install!
hi admin, file permisson myapp.conf not allowed for changed.
how fix this?
@Budy: you can use chmod command to change file permission. https://www.linux.com/learn/how-manage-file-and-folder-permissions-Linux