How to fix WordFence reporting an unscanned /.tmb/ directory

If you use Wordfence on a WordPress site that also uses WP File Manager or a similar plugin, you may receive a warning about an unscanned /.tmb/ directory. This guide explains the root cause of the issue, and how to handle it. The alert looks something like the following:

1 path was skipped for the malware scan due to scan settings

Root cause

There are two conditions that result in the alert:

  1. A plugin built with the elFinder library created a temporary folder called /.tmb/
  2. Wordfence alerted you to the existence of the folder

In more detail:

elFinder is an open source library that provides a web-based interface for managing files. Plugins like WP File Manager are built with elFinder to provide the file management interface.

Internally, elFinder creates a folder called /.tmb/ to hold temporary thumbnail images. This improves performance because elFinder can load cached versions of thumbnails instead of re-generating them each time. This folder is located in the root of your WordPress installation.

Later, Wordfence detects this new, unknown folder. The folder is not part of WordPress. By default, when Wordfence encounters such a folder, it alerts you but does not scan it directly, because scanning paths outside the installation can cause performance and reliability problems given the complexity of file systems. However, you can enable scanning of the folder, which in this case should not cause any issues.

Next steps

Most likely, you do not need to be concerned. However, you should verify that your issue is the one described in this guide. There are reports of malware creating folders named /.tmb/, so you need to be sure. The overall process is basically:

1. Scan the folder with Wordfence to be sure there is no malware
2. Confirm the folder is not visible to the Internet to be sure there is no leakage

Once you have done these things, you can mark the issue as resolved.

Instructions

1. Sign into your WordPress site with your administrator account

2. From the side menu, go to Wordfence > Scan

3. Scroll down to the Results Found tab

  You should see at least one issue.

4. Locate the “skipped path” issue and click to expand

  [Screenshot: Wordfence alert that a path was skipped.]

5. Note the skipped path

  The path shown will be the full path to the /.tmb/ folder on your server. You may want to remember this path so you can delete it later.

6. Click GO TO OPTION

  This folder is outside the main WordPress folders. By default, Wordfence does not scan folders located outside WordPress. Therefore, you need to enable scanning of this folder so you can re-scan and be sure there is no malware.

7. Check the box Scan files outside your WordPress installation

8. Click SAVE CHANGES near the top of the screen

9. Click Back to scan in the upper-left (or go back to Wordfence > Scan)

10. Click START NEW SCAN and let the scan finish

11. Confirm the issue is no longer listed

  Once the scan is finished, the error should go away.

  If the scan finished in an acceptable amount of time without problems, then keep the option enabled. This will give you better protection. If the scan took way too long or locked up, go back and uncheck the option. The reason the option is disabled by default is because of potential performance issues. Learn more at Scan files outside your WordPress installation.

12. Confirm the /.tmb/ folder is not accessible to the Internet

  Assuming your scan cleared the issue, you should still check whether the /.tmb/ folder is exposed to the Internet. Even if it is not malware, it could potentially leak private data depending on the contents of the temporary files.

  Go to yourdomain.com/.tmb/ to check whether the folder is visible. Ideally you should get a 403 or 404 error. If you can see the folder, delete it and stop using the plugin until you can block access to the folder. The exact process depends on your web server; contact your host for support.
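As an added example (not part of the original guide), the following Python script automates the check in step 12: it requests /.tmb/ on a site without following redirects and reports whether the response is the 403/404 the guide expects, a directory listing, or something that needs a manual look. The yourdomain.com URL is a placeholder; pass your own site as the first argument.

```python
"""Check whether a site's /.tmb/ folder (elFinder thumbnail cache) answers over HTTP.

Added example, not part of the original guide. Usage:
    python check_tmb.py https://yourdomain.com   (placeholder domain)
"""
import sys
import urllib.error
import urllib.request

TMB_PATH = "/.tmb/"
# Strings that Apache/nginx autoindex pages contain when they list a directory.
LISTING_MARKERS = ("Index of /", "<title>Index of", "Parent Directory")


def classify(status: int, body: str) -> str:
    """Map an HTTP response for /.tmb/ to a verdict.

    403/404 is the outcome the guide asks for. A 200 whose body looks like an
    autoindex page means the folder contents are listed. A 200 without a
    listing still means the server serves the path (files inside may be
    fetchable by name). Redirects and 5xx need a manual look.
    """
    if status in (403, 404):
        return "blocked"
    if status == 200 and any(marker in body for marker in LISTING_MARKERS):
        return "exposed-listing"
    if status == 200:
        return "exposed"
    return "review"


def fetch(base_url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET base_url + /.tmb/ without following redirects; return (status, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + TMB_PATH,
                                 headers={"User-Agent": "tmb-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def check_tmb(base_url: str) -> str:
    """Fetch /.tmb/ on the given site and return the classify() verdict."""
    status, body = fetch(base_url)
    return classify(status, body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://yourdomain.com"  # placeholder
    print(f"{target}{TMB_PATH} -> {check_tmb(target)}")
```

"blocked" is the result the guide wants; any other verdict means the folder should be deleted and access to it blocked before the plugin is used again.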


License

Licensed under CC BY 4.0

You are free to share and adapt this content for any purpose as long as you give appropriate credit in a reasonable manner.
