Configuring a WordFence Firewall for multiple AddOn Domains on GoDaddy

For any plan over Economy, GoDaddy offers the ability to host multiple sites within a single directory (also known as “AddOn Domains”).

The primary site lives at the root of the hosting directory (public_html/); all non-primary sites live within subdirectories in this same directory (e.g. public_html/addon_domain1/).

Only a single php.ini file, located in the hosting directory, will be applied. This can create problems, particularly when different sites need different configurations.

One example of this is WordFence. In order to configure the WordFence Web Application Firewall (WAF), WordFence recommends prepending the WAF to the php.ini, but following the default instructions will do so only for the primary domain.

To prepend the WAF to all domains (including AddOn Domains) we have to use the HOST directive in the php.ini:

auto_prepend_file = '/path/to/primary_domain/wordfence-waf.php'
auto_prepend_file = '/path/to/addon_domain1/wordfence-waf.php'
auto_prepend_file = '/path/to/addon_domain2/wordfence-waf.php'

The WAF file paths can be obtained via the default configuration instructions for each WordPress site being hosted. (Be sure to confirm these paths before adding them to the php.ini or you’ll get, at best, a 500 Internal Server Error on all sites. Doh!)

Once you’ve updated the php.ini, log into the primary domain’s cPanel account, kill all PHP processes, then output phpinfo() for each site and confirm the “Loaded Configuration File” matches the path for the primary site ('/path/to/primary_domain/wordfence-waf.php' in my example above).

Note: If you do this for any AddOn Domains, you need to do it for all of them.