Hi!
When the Firewall is working it writes to those files so what you are seeing is likely the temp files created when those files are written to. I’m not sure why it would only be happening since the 9th of October. Did you enable the Wordfence Firewall recently? If not, it’s possible that we added some rule that the CSF Firewall is reacting to. I’m really curious about the file extension I don’t think I’ve ever seen that before. Is that a setting particular to your system?
Hi, thanks for getting back to me!
So Wordfence has been active on this install for nearly a year now, and I’ve not touched any settings in months. I do have my plugins set to update automatically overnight if a newer version is available, so I assumed (rightly or wrongly) that an update had changed some behaviour.
My Wordfence config is pretty vanilla, so I don’t think it’s anything I’ve enabled. Should Wordfence even want to use /tmp, instead of it’s own tmp dir?
Here’s a small sample of some of the files in /tmp
attack.tmp.104qOG
attack.tmp.114pcP
attack.tmp.1167wn
attack.tmp.130SRv
attack.tmp.14uo6x
attack.tmp.15SuNg
attack.tmp.17ve3z
attack.tmp.18xIGH
attack.tmp.198Hpk
attack.tmp.1AazTu
config.tmp.zXk7lp
config.tmp.zxqKVl
config.tmp.Zxqy06
config.tmp.zXt8mt
config.tmp.zxTZvn
config.tmp.Zxy3ab
config.tmp.zy2b29
config.tmp.ZY7J6z
config.tmp.zyazvt
config.tmp.ZycZgW
Currently there are now none of these files in wp-content/plugins/wordfence/tmp
Thanks!
Hi again!
Okay so the temp files get random file extensions. That explains that.
The reason Wordfence uses the temp directory on your server is that the Wordfence Firewall needs to write to files. The reason it needs to do this is that it loads before all other PHP code on your server and at that point there is not yet a connection to your database. So in order for the Firewall to have any memory at all it needs to save things directly to file. Any writing to file will create files in your servers temp directory. So if you want to run the Firewall there isn’t really a way around it.
Is this the additional Firewall you are using?
https://configserver.com/cp/csf.html
Sure, I’ve no issues with Wordfence using /tmp if it’s necessary, but I just find it odd that the behaviour has changed recently.
Yes, that’s what I’m using (and LFD which generates the emails is part of CSF).
Thanks! I suspect it started happening now either because of new rules added to CSF Firewall or new rules added to Wordfence Firewall. I’ll notify our devs just in case they want to make any adjustments.