Title: modified WordPress core files
Last modified: February 5, 2026

---

# modified WordPress core files

 *  Resolved [pmstudio1](https://wordpress.org/support/users/pmstudio1/)
 * (@pmstudio1)
 * [2 months ago](https://wordpress.org/support/topic/modified-wordpress-core-files/)
 * I’m notified by the FluentAuth plugin that WordPress core files are being modified.
   These relate to the Wordfence plugin. The files are:
    - .user.ini (new)
    - readme.html (deleted)
    - readme.abc123.html (new) ; _the abc123 part looks like a secret key_
    - wordfence-waf.php (new)
 * I created a new install of this website without the Wordfence plugin. No issues
   with modified core files. After installing and activating the Wordfence plugin,
   these core files are modified, and I start getting notifications from FluentAuth
   plugin. My WP hosting is on a private host, no GoDaddy, no SiteGround or other
   commercial hosting provider.
 * I have no idea why these core files are modified, and if this is a normal behaviour.
   It looks suspicious, so I want to be sure that I can ignore the notifications
   from FluentAuth, or take immediate security actions.
 * Thanks in advance for clarifying this issue.

Viewing 1 replies (of 1 total)

 *  Plugin Support [wfmargaret](https://wordpress.org/support/users/wfmargaret/)
 * (@wfmargaret)
 * [2 months ago](https://wordpress.org/support/topic/modified-wordpress-core-files/#post-18811286)
 * Hi [@pmstudio1](https://wordpress.org/support/users/pmstudio1/),
 * All of the changes you’re seeing are normal Wordfence behavior. None of the changes
   are suspicious, and you can safely ignore the FluentAuth notifications about 
   them. Here’s what each file is:
    - **wordfence-waf.php** is created when Wordfence optimizes its firewall to
      “Extended Protection” mode. This file allows the Wordfence Web Application
      Firewall (WAF) to load before WordPress and any other plugins, which provides
      a higher level of protection. You can read more about this here: [https://www.wordfence.com/help/firewall/optimizing-the-firewall/](https://www.wordfence.com/help/firewall/optimizing-the-firewall/)
    - **.user.ini** is also part of the firewall optimization process. It tells
      PHP to load the wordfence-waf.php file at the very beginning of each request
      using the auto_prepend_file directive. This file is common on servers that
      don’t use .htaccess (such as NGINX).
    - **readme.html (deleted) and readme.[hash].html (new)** are the result of the
      “Hide WordPress version” option in Wordfence. When this option is enabled,
      Wordfence renames the default WordPress readme.html file so that your WordPress
      version number isn’t publicly visible. The hash in the filename is unique 
      to your site. You can find this setting under **Wordfence > All Options > 
      General Wordfence Options.** For more details: [https://www.wordfence.com/help/dashboard/options/#hide-wp-version](https://www.wordfence.com/help/dashboard/options/#hide-wp-version)
 * Please let me know if you have any questions!
 * Thanks,
   Margaret
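
Added example, not part of the original thread and not Wordfence or FluentAuth code: a triage of the reported file changes against the pattern the reply describes, so that a `.user.ini` whose `auto_prepend_file` points anywhere else still gets reviewed. Assumptions: the directive holds the absolute path of `wordfence-waf.php` in the site root, the site-specific hash is alphanumeric, and the site root, `.user.ini` text and change list below are constructed.

```python
import re
from pathlib import PurePosixPath

# Directive named in the reply above; the value may be quoted or bare.
DIRECTIVE = re.compile(r"^\s*auto_prepend_file\s*=\s*(.*?)\s*$", re.I)
# Assumption: the hash is alphanumeric, as in "readme.abc123.html".
RENAMED_README = re.compile(r"^readme\.[A-Za-z0-9]+\.html$")

def prepend_targets(ini_text):
    """Return every auto_prepend_file value in a .user.ini, skipping ';' comments."""
    targets = []
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            targets.append(m.group(1).strip("'\""))
    return targets

def triage(changes, site_root, ini_text):
    """Label each (filename, action) pair 'expected' or 'review'."""
    # Expected: exactly one directive, pointing at wordfence-waf.php in the site root.
    wanted = str(PurePosixPath(site_root) / "wordfence-waf.php")
    ini_ok = prepend_targets(ini_text) == [wanted]
    names = {name for name, _ in changes}
    result = {}
    for name, action in changes:
        if name == ".user.ini":
            ok = action == "new" and ini_ok
        elif name == "wordfence-waf.php":
            ok = action == "new"
        elif name == "readme.html":
            # A deleted readme is only expected alongside its renamed copy.
            ok = action == "deleted" and any(RENAMED_README.match(n) for n in names)
        elif RENAMED_README.match(name):
            ok = action == "new"
        else:
            ok = False  # anything outside the described pattern needs a look
        result[name] = "expected" if ok else "review"
    return result

# Constructed sample input: the four changes from the question, a made-up site root.
SITE_ROOT = "/var/www/example"
SAMPLE_INI = "; constructed sample\nauto_prepend_file = '/var/www/example/wordfence-waf.php'\n"
SAMPLE_CHANGES = [(".user.ini", "new"), ("readme.html", "deleted"),
                  ("readme.abc123.html", "new"), ("wordfence-waf.php", "new")]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_CHANGES, SITE_ROOT, SAMPLE_INI).items():
        print(f"{verdict:8} {name}")
```
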


 * 1 reply
 * 2 participants
 * Last reply from: [wfmargaret](https://wordpress.org/support/users/wfmargaret/)
 * Last activity: [2 months ago](https://wordpress.org/support/topic/modified-wordpress-core-files/#post-18811286)
 * Status: resolved