Wordfence is identifying the .user.ini file as a security risk but it is actually something to do with Wordfence
; Wordfence WAF
auto_prepend_file = '/home/sites/3b/c/cf8cd719d2/public_html/wordfence-waf.php'
; END Wordfence WAF
Was going to edit the htaccess file with following code to solve it
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
Is this the best thing to do or is there something else I should do?
If it is the thing to do where should I add the code to bulletproof security?