• Resolved agreenstreet


    WordPress Version v4.9.8
    PHP v7.2.6
    Apache v2.4
    Sucuri Plugin v1.8.18

    QUESTION: What does “Local file specified” really mean?

    Having gone through multiple site cleanups with Sucuri’s malware support and WAF (Web Access Firewall) team who were great, I finally moved hosting and started from scratch, rebuilding everything from source installs, WordPress, Plugins, Database.

    Now there are no more infections and I believe that our site is clean but there is one lingering issue that I can’t find an answer to anywhere online in any support document.

    Sucuri’s WordPress Plugin dashboard home screen shows “WordPress Integrity” and indicates that “All Core WordPress Files Are Correct”. It tells me the “PHP 7.2.6” & “WordPress 4.9.8” versions and that our site is “Running on: Sucuri/Firewall”.


    It also tells me about “Local file specified” and lists a bunch of our standard web pages, that actually exist for example…

    file:// — on http://www.ourwebsite.com/
    file:// — on https://www.ourwebsite.com/
    (we currently allow mixed HTTP & HTTPS while we are switching over our Google Analytics SEO to pure HTTPS connectivity)

    file:// — on http://www.ourwebsite.com/blog/
    file:// — on http://www.ourwebsite.com/about/
    file:// — on http://www.ourwebsite.com/classes/
    file:// — on http://www.ourwebsite.com/contact/
    file:// — on http://www.ourwebsite.com/free-resources/
    file:// — on http://www.ourwebsite.com/start-a-mastermind-group/

    Additionally it tells me about two pages which on researching are ones Sucuri uses for testing in some way (?), but don’t actually exist…

    file:// — on http://www.ourwebsite.com/404javascript.js
    file:// — on http://www.ourwebsite.com/404testpage4525d2fdc

    None of these referenced files exist in the core WordPress installation or the root directory (of the WordPress installation). I have double/tripple checked that all hidden files are revealed in the directory, unless there is some way I don’t know how to uncloak hidden files? Both in cPanel file manager and regular FTP connection directory listings.

    As a database these are not true HTML pages that can exist in the WordPress root directory. So why is Sucuri plugin telling me about them and should I be concerned?

    Thanks for your help if anyone knows the answer.


Viewing 4 replies - 1 through 4 (of 4 total)
  • Hello, if anybody else comes across this issue it has been confirmed as a bug in our SiteCheck reporting and should be fixed within the next couple of weeks.


    Hi Jarret,

    Thanks for letting me know and so thoroughly investigating this issue (via the Sucuri ticketing system). I look forward to the fix and thank you to the Sucuri team and plugin developer.


    Ah HA. I have been ripping my hair trying to hunt down: [ wp-admin/LOG_FILE ] which got flagged on a client’s site in WordPress Integrity as “not an official WordPress file” But this file does not seem to exist (or is visible) in either FTP access or the Hosting Provider’s (iPage) File Manager tool.

    Hi Everyone,

    Wanted to update this thread to say the Sucuri plugin is no longer listing local files during the daily scans, it has been fixed for some weeks now.

    Thanks to the plugin developers for fixing this issue.


Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.