WordPress
Prefer .htaccess auto_prepend_file when the server supports it; if php_value is unavailable, use an early entry point, usually index.php, and verify coverage.
Preferred method
On Apache with mod_php and allowed php_value, place the directive in the WordPress root .htaccess and use the absolute AWAF path.
php_value auto_prepend_file "<path_to_directory>/antibot/index.php"Coverage
AWAF loads before each PHP file in scope, including index.php, wp-login.php, admin-ajax.php, wp-cron.php, plugin callbacks, and direct legacy scripts. This is broader than adding code only to a theme or front controller.
Fallback
For PHP-FPM, CGI, Nginx-only setups, or locked .htaccess, use .user.ini, vhost/pool config, or an early project include. Avoid editing WordPress core files.
Verify
- Test home, posts, categories, search, and 404 pages.
- Test wp-login.php, wp-admin/, admin-ajax.php, /wp-json/, and wp-cron.php if used through web.
- Check forms, payments, plugin callbacks, and sitemap/XML.
- Add narrow whitelist_url rules for endpoints where captcha is not acceptable.