This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Publishing wordpress site through webserver protection strips every design, features and graphic display

I've created a wordpress site that's working fine on internal network. Through webserver protection I want publish it publicly and used the setup articles for that in teh knowledge based. Everything seems to work, except for one big problem: It is published and displayed in test only. All designs, featurs, headers, etc. are stripped. So it is unusable for the public.

Any ideas what can cause this? Must be something in the UTM, because on internal network the website is working and looking fine.

This thread was automatically locked due to age.
  • Maybe WordPress is using absolute URLs for CSS and stuff? Check the page source delivered by WAF! If you spot the hostname of your internal server you have to enable HTML rewriting in the advanced section of your virtual web server. Note that you need a DNS host object for the real webserver to make HTML rewriting work. A simple host object won't do.
  • Hi, that helped a lot. Especially the creation of a DNS host. Didn't know about that and I just created a normal network host.

    The only thing I can see going wrong now is that pictures on the website in woocommerce for products are not showing at all and icons I use in icon grid boxes (using the Kallyas theme) or exchanged for totally different other icons. Never seen that before.

    On the internal network everything is looking as it should, so I guess there is another setting that has to be changed in the WAF. Any ideas??
  • That also happens when I completely disable any form of protection (I have a profile "No Protection) and only Rewrite HTML, Rewrite cookies and Pass host header are enabled.
  • Maybe your website is with https? So the URL of the files/images may be wrong.

    When i was using wordpress with WAF , i had to edit the .htaccess file (apache webserver) to fix this.

    I had to edit the .htaccess file because of 2 things:

    -Wordpress cannot get the real IP of the user, it just get the IP of the Sophos WAF (in short: no analysing based on ip)

    -https wasn't working for some pages/files.

    Here is what i put in the .htaccess file:

    // Use X-Forwarded-For HTTP Header to Get Visitor's Real IP Address

    if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {

    $http_x_headers = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );

    $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];


    // Important for HTTPS with Reverse Proxy (WAF) !!!!

    define('FORCE_SSL_ADMIN', true);

    if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')


  • Can you check the image links in the HTML delivered by WAF and see if they look OK? Maybe compare them to the HTML delivered by your real web server internally and see if there's a difference other than the hostname exchanged by HTML rewriting?
  • Hi,

    Thanks. I tried this by putting the lines in the .htaccess file in the main website directory. After that I got an Internal Server 500 error.
  • If I could I would, but I have no idea how to do this.
  • You get the HTML page source with Ctrl-U in most browsers.
  • Ok, tried this and the links look ok.

    I'm going to stop this setup now. The website itself is ready to go live for more then a week now. It's the webserver protection module that's giving me troubles. Even started an official support request with Sophos, but they don't seem to know what to do with this either. So, I'm giving up this path.

    I'm going to migrate this website to a VPS I'm hiring with a hosting provider and set it up there. A lot less hassle and problems. I need to have this site up for a customer by tomorrow, so no time to waist anymore.

    A bit disappointed in Sophos, though :-(
  • doesn't work for me here also ...

    Please review Sophos!