WordFence reporting file in theme as phishing

I use WordFence on my Roots sites, and today I received the following notice on one - it said the file below:


Listed a URL known for phishing. The URL is http://groks-the.info/.

Anyone have any idea on this? I have IP tables and WordFence running. Does this mean the site has been hacked?

I’ve checked a couple other sites built with Roots, and they both have this same file entry. Maybe it’s not a big deal?


Your site hasn’t been hacked. The string “groks-the.info” exists in this file: https://github.com/goinstant/tough-cookie/blob/master/public-suffix.txt and Wordfence has an issue with that.

If you don’t run grunt on your server, you don’t need to have node_modules on there. You could also lock down node_modules so that it’s not publicly accessible if you need it on the server.

I haven’t used Wordfence before, is there a way to ignore that message?

In this specific case, it’s not a big deal. That’s just a text file which happens to contain that domain. It’s a well known list actually maintained by Mozilla I believe. More info here: http://publicsuffix.org/. One of the Node modules (tough-cookie) uses it.

However, it may a good idea to keep that node_modules directory off your production servers if possible. Or deny access to it from your web server. Off the top of my head, I don’t think anything in there could cause issues. It contains JavaScript code since its all node modules, but your web server wouldn’t execute it.

Got it. Ben and Swalkinshaw - I really appreciate the feedback from the pros.

*Note to anyone else: I safely removed the node_modules folder from production as I’m not using Grunt on the actual production servers.

Just got into WordPress late last year, and decided to go with Roots. Just finished my 14th site using Roots. Love everything about it. The community was also a deciding factor early on.

Anyway, thanks again for the help.