Title: "wordpress core file modified" question Last modified: August 30, 2016 --- # "wordpress core file modified" question * Resolved [Matthew450](https://wordpress.org/support/users/matthew450/) * (@matthew450) * [10 years, 4 months ago](https://wordpress.org/support/topic/wordpress-core-file-modified-question/) * Hi there— * About a week ago, I got an email from my WordFence account, and it said: * Critical Problems: * WordPress core file modified: wp-admin/css/press-this.min. css * WordPress core file modified: wp-admin/includes/menu.php * WordPress core file modified: wp-admin/js/dashboard.min.js * WordPress core file modified: wp- admin/menu.php * WordPress core file modified: wp-admin/network/site-themes.php* WordPress core file modified: wp-includes/css/jquery-ui-dialog-rtl.css * WordPress core file modified: wp-includes/js/mediaelement/wp-mediaelement.js Warnings: * Modified plugin file: wp-content/plugins/contact-form-7/admin/css/styles.css * Modified plugin file: wp-content/plugins/contact-form-7/admin/includes/editor. php * Modified plugin file: wp-content/plugins/contact-form-7/languages/contact- form-7-sv_SE.mo * Modified plugin file: wp-content/plugins/contact-form-7/modules/ textarea.php * Some of the changes seemed pretty meaningless: * In wp-includes/css/jquery-ui-dialog-rtl.css, there are changes like: font: normal 20px/1 dashicons; —to— font: normal 20px/1 ‘dashicons’; * In wp-includes/pomo/translations.php, there are changes like: * [@version](https://wordpress.org/support/users/version/) $Id: translations.php 1157 2015-11-20 04:30:11Z dd32 $ —to— * [@version](https://wordpress.org/support/users/version/) $Id: translations.php 718 2012-10-31 00:32:02Z nbachiyski $ —and— if ( ! class_exists(‘ NOOP_Translations’, false ) ): —to— if ( !class_exists( ‘NOOP_Translations’ )): * In Contact Form 7, some of the changes were: add_action( ‘wpcf7_admin_init’,‘ wpcf7_add_tag_generator_textarea’, 20 ); —to— if ( is_admin() ) { add_action(‘ admin_init’, ‘wpcf7_add_tag_generator_textarea’, 20 ); } * But there were some other changes (like the ones to wp-admin/menu.php) that were more extensive. It was nothing like that bloated text that’s obvious hacking— just changes/deletions to code sections. I don’t know enough about coding to see if they’re damaging/malicious, but they didn’t seem so. * I looked at the original files, and according to the “Files Last Modified” tab, the modifications to Contact Form 7 came at Friday the 18th of December at 04: 56:03, and the changes to the modifications to the WordPress core were made immediately after that, at Friday the 18th of December at 04:56:12. I’m guessing that the plugin changes and the core changes are related. That said, according to the Contact Form 7 plugin page, the last update to the plugin was made on September 17, 2015, so there was no official update to the plugin. * So—does this seem like my site has been hacked? And if so, should I select “Restore the original version of this file” for each issue, or will I need to take more drastic action and delete the whole site and upload a saved backup? There’s nothing odd or “off” about the site as of right now, but I didn’t do anything where the core files should be modified, and it’s a little alarming. * Any guidance you can provide would be very helpful! * Matt * Ps—Also, not sure if it’s relevant, but the “/languages/contact-form-7-sv_SE. mo” file had a bunch of exotic-looking characters in it; not sure if that’s normal for that sort of file, or if it’s problematic. The original file had exotic-looking characters, so I’m figuring that’s ok. * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/) Viewing 1 replies (of 1 total) * [WFBrian](https://wordpress.org/support/users/wfbrian/) * (@wfbrian) * [10 years, 4 months ago](https://wordpress.org/support/topic/wordpress-core-file-modified-question/#post-6888698) * Hi Matt, * If files were changed and you didn’t do it, then you should treat the situation as a possible hack. We have a thorough document on cleaning a hacked site. I’d recommend starting there and working through the steps. * [https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/) * Thanks, Brian Viewing 1 replies (of 1 total) The topic ‘"wordpress core file modified" question’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) ## Tags * [hacked](https://wordpress.org/support/topic-tag/hacked/) * 1 reply * 2 participants * Last reply from: [WFBrian](https://wordpress.org/support/users/wfbrian/) * Last activity: [10 years, 4 months ago](https://wordpress.org/support/topic/wordpress-core-file-modified-question/#post-6888698) * Status: resolved