Support » Plugin: Wordfence Security » False positive for core localised WordPress files

  • Resolved andyexeter

    (@andyexeter)


    Hello,

    The plugin is reporting false positives for my en_GB WordPress install for the files:

    wp-config-sample.php
    wp-includes/version.php

    It appears the plugin is using the standard en_US distro to compare files against so for example when it encounters line 37 of wp-includes/version.php in en_GB distros:

    $wp_local_package = 'en_GB';

    The plugin assumes this to be a critical issue because that line isn’t in the en_US distro.

    http://wordpress.org/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Author Wordfence

    (@mmaunder)

    Thanks, can you tell me what it’s complaining about in the wp-config-sample.php file?

    Thanks.

    No problem. It’s line 72 of the wp-config-sample.php file.

    The original:

    define('WPLANG', '');

    The en_GB distro:

    define('WPLANG', 'en_GB');

    Plugin Author Wordfence

    (@mmaunder)

    Thanks, I’ve filed this as a bug and we’ll get it fixed for you. Thanks for the additional info.

    Regards,

    Mark
    PS: If you found this helpful, please rate Wordfence 5 stars.
    http://wordpress.org/plugins/wordfence/

    You’re welcome. 5 star rating and review posted. Excellent plugin!

    Plugin Author Wordfence

    (@mmaunder)

    Thanks Andy.

    Hi,

    This false positive actually happens probably on all non-English WordPress.

    See below the alert (on a French WP)

    Critical Problems:

    * WordPress core file modified: readme.html
    * WordPress core file modified: wp-config-sample.php
    * WordPress core file modified: wp-includes/version.php

    I guess it’s the same problem with the French version of WP… Wordfence compares files with the English text.

    So I guess I can ignore those warnings?

    If I say to always ignore this, will it keep in memory what I told the plugin to ignore and look for any further changes in the future?

    Same issue here – will this be updated?

    Actually I just got it on:

    $wp_local_package = 'en_US';

    line 37 of wp-includes/version.php

    Same issue here for Greek

    wp-includes/version.php

    34	*/
    35	$required_mysql_version = '5.0';
    36
    37	$wp_local_package = 'el';

    robgolbeck

    (@robgolbeck)

    Hi,

    Just chiming in, as I received the same Critical Problems warning this morning:

    wp-includes/version.php:

    $wp_local_package = 'en_CA';

    and readme.html had some text changes related to the Canadian English version.

    I also just received the same critical issue, except I’m running a US site so the local package is an empty string?

    wp-includes/version.php

    $required_mysql_version = '5.0';
    $wp_local_package = '';

    It’s also complaining about @wp_mail being commented out:

    wp-admin/includes/upgrade.php

    https://wordpress.org/
    "), $blog_url, $name, $password);

       //@wp_mail($email, __('New WordPress Site'), $message);
    }

    Wesley,

    I don’t want to put words in the mouths of the developers but the warning about @wp_mail being commented out is definitely not a false positive because you’ve changed the contents of a core file.

    Regarding your issue with the $wp_local_package = '' line, I checked a wp-includes/version.php file on a US distro I manage and it doesn’t contain that variable; the bottom of the file looks like this:

    /**
     * Holds the required MySQL version
     *
     * @global string $required_mysql_version
     */
    $required_mysql_version = '5.0';

    Have you by any chance edited that file too?

    I haven’t manually edited either of these files. These warnings are coming from two brand new installs of WordPress on GoDaddy’s Managed WordPress hosting account. I literally set them up yesterday, installed Wordfence and got these warnings. Could it be that GoDaddy’s Managed WordPress distro is altering core?

    It appears to only be preventing the initial admin email from being sent out after you first install WordPress, which the nature of how GoDaddy automatically creates an admin account for you and logs you in the first time nullifies the need for the email.

    This may be a case where I just need to ignore these warnings unless further unauthorized changes take place in these files.

  • The topic ‘False positive for core localised WordPress files’ is closed to new replies.
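
The comparison problem discussed in this thread, as an added example that is not part of the original posts and is not Wordfence's code: a core-file integrity check that selects its baseline manifest from the `$wp_local_package` value instead of always using en_US. The file contents, manifests and function names are constructed for illustration.

```python
import hashlib
import re

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for pristine release files (not real WordPress sources).
EN_US = {
    "wp-includes/version.php": b"<?php\n$required_mysql_version = '5.0';\n",
    "wp-config-sample.php": b"<?php\ndefine('WPLANG', '');\n",
    "wp-admin/includes/upgrade.php": b"<?php\n@wp_mail($email, $subject, $message);\n",
}
EN_GB = dict(EN_US)
EN_GB["wp-includes/version.php"] += b"\n$wp_local_package = 'en_GB';\n"
EN_GB["wp-config-sample.php"] = b"<?php\ndefine('WPLANG', 'en_GB');\n"

# One hash manifest per locale, built from the pristine copies above.
BASELINES = {
    locale: {path: digest(body) for path, body in files.items()}
    for locale, files in {"en_US": EN_US, "en_GB": EN_GB}.items()
}

LOCALE_RE = re.compile(rb"^\s*\$wp_local_package\s*=\s*'([A-Za-z_]*)'\s*;", re.M)

def detect_locale(version_php: bytes) -> str:
    """Read $wp_local_package; absent or empty means the en_US build."""
    m = LOCALE_RE.search(version_php)
    return m.group(1).decode() if m and m.group(1) else "en_US"

def modified_files(site: dict, locale: str) -> list:
    """Paths whose content differs from the manifest for `locale`."""
    baseline = BASELINES.get(locale, BASELINES["en_US"])
    return sorted(p for p, body in site.items() if baseline.get(p) != digest(body))

def scan(site: dict) -> tuple:
    # The locale only selects which official manifest to use; version.php
    # itself must still match that manifest, so editing it exempts no file.
    locale = detect_locale(site["wp-includes/version.php"])
    return locale, modified_files(site, locale)

if __name__ == "__main__":
    tampered = dict(EN_GB)
    tampered["wp-admin/includes/upgrade.php"] = b"<?php\n//@wp_mail($email, $subject, $message);\n"
    print(modified_files(EN_GB, "en_US"))  # locale-blind scan: two false positives
    print(scan(EN_GB))                     # locale-aware scan: clean
    print(scan(tampered))                  # real edit to a core file is still reported
```

On a real site the per-locale manifest would come from the official release for that locale, for example the WordPress.org core checksums API, which takes a version and a locale parameter.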