When are modified core files a concern?

  • Resolved brightgirl

    (@brightgirl)


    5 years, 1 month ago

    Every once in awhile, I’ll get email alerts from Wordfence that one or more core WordPress files have been modified. Often times, I’ll get the same alerts for multiple different sites at the same time concerning the same files.

    This week I keep getting alerts as follows:
    * WordPress core file modified: wp-includes/comment.php
    * WordPress core file modified: wp-includes/formatting.php

    When I look at the changes to the files, it doesn’t SEEM like anything terrible, but at the same time, I’m not a PHP guru, so it leaves some room for concern.

    I guess I would just like to understand more about these alerts. If I am the only one with access to the files and I didn’t make these changes (nor did my host), what could cause these alerts apart from a hacker? Can updates to WordPress itself cause this sort of alert but not be a cause for concern?

Viewing 2 replies - 1 through 2 (of 2 total)
  • wfdave

    (@wfdave)

    5 years, 1 month ago

    Hi @brightgirl,

    Can you copy-paste the two files, comment.php and formatting.php into https://pastebin.com/ and put the links here?

    I’d want to compare these two files with the original to see if anything malicious was added to these files.

    It might be a false positive (this does seem to happen when WordPress updates sometimes), and in that case you can safely ignore these alerts.

    Dave

    Thread Starter brightgirl

    (@brightgirl)

    5 years, 1 month ago

    Hi Dave,

    The differences were showing up on a Wordfence scan under WordPress 5.1. Updating to 5.1.1 made them go away. So it seems like it was a false positives situation (which I sort of assumed might be the case, since it happened on multiple sites in the same day).

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘When are modified core files a concern?’ is closed to new replies.