Suspected malware warning resulting from Wordfence blocks in .htaccess

  • Resolved jdnn

    (@habannah)


    9 years, 2 months ago

    Hi there,

    I have a couple of WordPress sites (B & C) which are installed in sub-directories of another WP site (A). I ran scans on all three sites this morning. Everything was fine for B & C, but when I scanned A, it returned high-severity issues identifying suspected malware URLs in the .htaccess files of sites B & C. When I viewed the files, the offending URL is an IP address I blocked using Wordfence.

    The error message:

    File contains suspected malware URL: /B/.htaccess

    Filename: B/.htaccess
    Bad URL: http://82.118.18.238/

    The relevant section from .htaccess:

    #WFIPBLOCKS – Do not remove this line. Disable Web Caching in Wordfence to remove this data.
    Order Deny,Allow
    Deny from 82.118.18.238

    So, does blocking an IP address with Wordfence actually create a URL? Or can I safely click “Ignore this issue until the file changes”? Also, why would the scans I performed on the sites installed in subdirectories not detect this issue? I now suspect that scans for site A don’t cover A’s .htaccess file. I’m not sure if that’s good or bad… Some advice/info would be appreciated!

    Thanks 🙂

    https://wordpress.org/plugins/wordfence/

Viewing 2 replies - 1 through 2 (of 2 total)
  • WFSupport

    (@wfsupport)

    9 years, 1 month ago

    If I understand you correctly you have a wordpress site domainA.com. Inside this folder, along with the usual wordpres stuff you have a folder called domainB.com and it has a wordpress site in it. DomainA.com also has a folder called domainC.com which has yet another wordpress site installed in it. And you have wordfence running on each installed wordpress instance for a total of three, correct?

    If the above is correct, and you have the option checked to “Scan files outside your WordPress installation”, it will scan those folders along with your usual wordpress stuff. It sees the htaccess files as something else it has to scan and reports the ip addresses because they are probably on the google un-safe browsing list. Domains B and C don’t report on them because wordfence in those folders expect that the htaccess file probably has some blocking going on in it.

    In summary, you can ignore the file until it changes.

    Let me know if I misunderstood anything by reopening the case and adding the details.

    Thanks!
    tim

    Thread Starter jdnn

    (@habannah)

    9 years, 1 month ago

    Thanks for your help, Tim!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Suspected malware warning resulting from Wordfence blocks in .htaccess’ is closed to new replies.