diff --git a/scripts/create-php-config.sh b/scripts/create-php-config.sh
index ffdcb95..cdc0d16 100644
--- a/scripts/create-php-config.sh
+++ b/scripts/create-php-config.sh
@@ -6,14 +6,19 @@ FPM_LISTEN=${FPM_LISTEN:-/run/php-fpm/www.sock}
 
 # Determine listen directive and ownership based on socket vs TCP
 if echo "$FPM_LISTEN" | grep -q '/'; then
-  # Unix socket mode
+  # Unix socket mode (standalone — Apache and FPM in same container)
   listen_directive="$FPM_LISTEN"
   listen_owner_block="listen.owner = apache
 listen.group = apache"
+  env_block=""
 else
-  # TCP port mode
+  # TCP port mode (shared httpd — FPM in separate container)
   listen_directive="0.0.0.0:${FPM_LISTEN}"
   listen_owner_block=""
+  # Override DOCUMENT_ROOT so PHP plugins (e.g., WordFence) that use
+  # $_SERVER['DOCUMENT_ROOT'] find files at the FPM container's path,
+  # not the shared httpd's /mnt/users/ mount path.
+  env_block="env[DOCUMENT_ROOT] = /home/$user/public_html"
 fi
 
 cat <<EOF > /etc/php-fpm.d/$user.conf
@@ -46,6 +51,7 @@ request_slowlog_timeout = 3s
 php_admin_value[error_log] = /home/$user/logs/php-fpm/error.log
 php_admin_flag[log_errors] = on
 php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
+${env_block}
 
 EOF