I have intensively observed the system behavior in the interaction of vhosts, WordPress and Ninja Firewall.
Conclusion:
- To run Ninja Firewall in Full WAF mode, the final “/” in the SetHandler declaration must be removed.
- The problem of additional non-WordPress scripts not starting must be solved by an additional configuration file for the Ninja Firewall. In my case by adding an exclude-path in .htninja:
<?php if ( strpos( $_SERVER['SCRIPT_FILENAME'], '/INSTALL-DIRECTORY/' ) !== FALSE ) { return 'ALLOW'; }
- Every time virtualhosts.conf is regenerated, the manual changes are overwritten and NinjaFirewall falls back into the limited WordPress WAF mode. This is also pointed out in the file header.
- So for me it is clear that I permanently need SetHandler declarations for my WordPress installations which do not have a closing “/”.
I could not find any negative effects on other functions of the web server if it is missing.
I can’t judge if it would be better to remove it by default for every vhost with WordPress installations or if only I need a customized standard solution.
For the latter, I would need your help.
I also thought that I could do without NinjaFirewall. But two reasons speak against it:
- a look at the log files with the massive intrusion attempts
- and the scope of the firewall.
You can easily test this yourself in relation to your installations. NinTechNet: NinjaFirewall WP+ Edition
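
An added example, not part of the original post and not NinjaFirewall's own code: a stricter form of the .htninja exclusion shown above. It compares the resolved script path against an absolute directory prefix instead of doing a substring match, so a request whose path merely contains `/INSTALL-DIRECTORY/` somewhere else is still filtered. The root path `/path/to/INSTALL-DIRECTORY` and the helper name `nfw_path_is_inside` are assumptions.

```php
<?php
// Added example. $excludedRoot is a placeholder: replace it with the
// absolute path of the non-WordPress application to exclude.
$excludedRoot = '/path/to/INSTALL-DIRECTORY';

if (!function_exists('nfw_path_is_inside')) {
    /**
     * Hypothetical helper: true only when $script resolves to a file
     * located inside the directory $root.
     */
    function nfw_path_is_inside(string $script, string $root): bool
    {
        // realpath() resolves symlinks and "../" segments, so the
        // comparison is made on the file that will really be executed.
        $resolvedScript = realpath($script);
        $resolvedRoot   = realpath($root);
        if ($resolvedScript === false || $resolvedRoot === false) {
            return false; // unknown file or root: keep the firewall active
        }
        // The trailing separator stops "/INSTALL-DIRECTORY-other/" from
        // matching the prefix "/INSTALL-DIRECTORY".
        $prefix = rtrim($resolvedRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        return strncmp($resolvedScript, $prefix, strlen($prefix)) === 0;
    }
}

// Same contract as the one-liner in the post: returning 'ALLOW' skips
// filtering for this request; otherwise processing continues as usual.
if (isset($_SERVER['SCRIPT_FILENAME'])
    && nfw_path_is_inside($_SERVER['SCRIPT_FILENAME'], $excludedRoot)) {
    return 'ALLOW';
}
```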