Unknown file in WordPress core

  • Resolved cwdv

    (@cwdv)


    9 years, 8 months ago

    Hello,
    I have been using Wordfence for about a year. I recently received a Wordfence Alert email stating:

    Alert generated at Tuesday 26th of July 2016 at 10:22:42 AM
    Warnings:
    * Unknown file in WordPress core: wp-includes/js/index.php

    The contents of the file is:
    <?php
    // Silence is golden.

    I was wondering:
    Is this a valid file?

    If it is not valid, then it is a file likely left over from when my sites were hacked in January 2015. Why is Wordfence just recognizing this file now?

    Thanks for your help,
    Clint

    https://wordpress.org/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • wfalaa

    (@wfalaa)

    9 years, 8 months ago

    Hi Clint,
    That’s because “Scan wp-admin and wp-includes for files not bundled with WordPress” option under (Wordfence > Options => Scans to include) was introduced since version “6.1.11”.

    This file may be added by your host or it’s just a traces of an old WordPress version, you can safely delete this file from the server.

    P.S. you can check the official WordPress files/folders from this link on GitHub.

    Thanks.

    Thread Starter cwdv

    (@cwdv)

    9 years, 7 months ago

    Hi wfalaa,
    After some research, my understanding is that the index.php file is used to prevent directory browsing for security purposes.

    When someone types http://www.sitename/wp-includes/js into a browser it would return a blank page if that directory contains the index.php file instead of listing all the directories files and folders.

    Do you have any concerns if I were to leave this file as is, or do you still recommend I delete it??

    Thanks for your help,
    Clint

    wfalaa

    (@wfalaa)

    9 years, 7 months ago

    Hi Clint,
    Actually, directory browsing/listing can be prevented on the server level, if you are using Apache server then this tutorial should be helpful.

    Regarding the index.php file you pointed to earlier, you can keep it if you like, it’s just an empty file.

    Thanks.

    Thread Starter cwdv

    (@cwdv)

    9 years, 7 months ago

    Just curious,
    Would this be implemented in the .htaccess file or the wpconfig file? Or is this a situation where you need root access to the server?

    Thanks again,
    Clint

    wfalaa

    (@wfalaa)

    9 years, 7 months ago

    No, it has nothing to do with Wordfence, it’s all about Apache sever configuration, so it should be added either in the Apache configuration file (if your server is debian-based, check this path on your server /etc/apache2/apache2.conf) or in the .htaccess file (if you have AllowOverride set to All).

    Of course you will need root access to your server to do all these kind of modifications, or simply ask your web host to do it for you.

    Thanks.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Unknown file in WordPress core’ is closed to new replies.