Channel: WordPress.org Forums » [Wordfence Security - Firewall, Malware Scan, and Login Security] Support

Settings to hide .user.ini in htaccess removed by WF! (LiteSpeed server)


Replies: 0

Hi,

I moved my website from OVH.com to Hostinger.com.
OVH is using Apache servers, while Hostinger is using LiteSpeed servers.

When the website was hosted by OVH, in the root folder there was a .user.ini file.
And in the .htaccess file, there was this code to block the access to .user.ini:

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>

# END Wordfence WAF

Problem: after I moved my website to Hostinger, Wordfence displayed this message:

To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall: [CLICK HERE TO CONFIGURE]

I clicked on the button and a pop-up displayed this:

To make your site as secure as possible, the Wordfence Web Application Firewall is designed to run via a PHP setting called auto_prepend_file, which ensures it runs before any potentially vulnerable code runs.
We’ve preselected your server configuration based on our tests.

LiteSpeed/Isapi (recommended based on our tests)

Continue to complete the setup. [CONTINUE]

But this action replaces the code that blocks access to .user.ini with this one:

# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/path_to_my_website/public_html/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/path_to_my_website/public_html/wordfence-waf.php'
</IfModule>

# END Wordfence WAF

Consequence: immediately after, if we run a scan, Wordfence warns that there’s a

Critical issue: Publicly accessible config, backup, or log file found: .user.ini

So what should we do?

– Delete the .user.ini file as it has become useless in this context?
Indeed, in .user.ini we find only this code:

; Wordfence WAF
auto_prepend_file = '/home/path_to_my_website/public_html/henrybordeaux/wordfence-waf.php'
; END Wordfence WAF

It looks like WF has just moved this command from .user.ini to .htaccess for LiteSpeed servers.

– Or do we need to manually set back the code to block the access to .user.ini in .htaccess?

– Or something else?

Thanks for your help!
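
An offline check for the situation described in the post, added here as an example (it is not code from the poster or from Wordfence): it parses .htaccess text and reports whether a `<Files>` block denies access to `.user.ini` and which `auto_prepend_file` paths are set. The name `audit_htaccess` is hypothetical, the two inputs are the Wordfence blocks quoted in the post, and only literal `<Files "name">` sections are recognised (no wildcards or `<FilesMatch>`).

```python
import re

# The two "# Wordfence WAF" .htaccess blocks quoted in the post, used as sample input.
APACHE_BLOCK = '''# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
# END Wordfence WAF
'''
LITESPEED_BLOCK = '''# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/path_to_my_website/public_html/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/path_to_my_website/public_html/wordfence-waf.php'
</IfModule>
# END Wordfence WAF
'''

# <Files "name"> ... </Files> sections, and the two deny spellings used in the post.
FILES_RE = re.compile(r'<Files\s+"?([^">]+)"?\s*>(.*?)</Files>', re.I | re.S)
DENY_RE = re.compile(r'^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$', re.I | re.M)
PREPEND_RE = re.compile(r'^\s*php_value\s+auto_prepend_file\s+[\'"]?([^\'"\s]+)', re.M)

def audit_htaccess(text, filename=".user.ini"):
    """Report what the given .htaccess text does about `filename`."""
    # Drop comment lines so a commented-out rule is not counted as active.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    denied = any(name.strip() == filename and DENY_RE.search(inner)
                 for name, inner in FILES_RE.findall(body))
    prepend = sorted(set(PREPEND_RE.findall(body)))
    return {"denies_file": bool(denied), "auto_prepend_file": prepend}

if __name__ == "__main__":
    for label, block in (("Apache", APACHE_BLOCK), ("LiteSpeed", LITESPEED_BLOCK)):
        print(label, audit_htaccess(block))
```

Run against the first block it reports the deny rule and no `auto_prepend_file`; run against the second it reports the prepend path and no deny rule for `.user.ini`, which matches the scan warning quoted in the post.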

