Support » Plugin: Wordfence Security - Firewall & Malware Scan » wpembed unknown file in core

  • Resolved davi8r


    Wordfence scan flagged:
    Unknown file in WordPress core: wp-includes/js/tinymce/plugins/wpembed/plugin.js
    Unknown file in WordPress core: wp-includes/js/tinymce/plugins/wpembed/plugin.min.js

    My research indicates these are legitimate files introduced in WP 4.4. For people who don’t want the feature there is a plugin, Disable Embeds by Pascal Birchler.

    My question simply is, do I need to be concerned about Wordfence flagging these files as unknown?

    — Dave

    [ No bumping please. ]

Viewing 9 replies - 1 through 9 (of 9 total)
  • I have the same alert, after the upgrade from WP 4.7.x to 4.8

    Same here after upgrading from WP 4.7 to 4.8. After I took a backup of the files I deleted them on one of my sites, and I couldn’t notice the difference, but it might not be the right way to go.

    I received this warning from Wordfence with a brand new install of Ver. 4.8
    Would be nice to know what’s going on…

    According to this ticket, this whole directory wp-includes/js/tinymce/plugins/wpembed/ was set to be removed in WordPress 4.8 update, failure to remove this directory on your website may be due to any of the followings:
    – Your hosting provider for some reason keeps old WordPress files (this is most likely on WordPress managed hosting platforms).
    – Incorrect file permissions. (less likely, I think the update would fail as a whole in this case).

    In general, removing this directory manually by connecting to your server via FTP/SFTP or any other method, then running a new scan should resolve this issue.


    I have solved the mystery of why the files and directory were installed on my installation of Ver. 4.8. I contacted my hosting provider and at first they thought maybe it was due to the image being pulled from the Installatron service but then found out that the image came from WordPress. After a test installation of another WordPress instance the files and directory were NOT installed. It seems that WordPress failed to remove the directory and files when 4.8 was released and after discovering their error, hastily removed them. I will delete the directory manually with my FTP application.

    Thank you everyone, for your helpful replies. I will remove the directory as described in wfalaa’s post. Regards,

    @wfalaa What about other files depending on tinymce such as:


    Thank you.

    These files aren’t bundled with the default WordPress installation files, take a look at the default WordPress files hosted on GitHub here to make sure! here you are a couple of suggestions regarding what to do in this case, also check this doc page regarding “Unknown file in WordPress core“.


    I just went ahead and deleted the files
    (wp-includes/js/tinymce/plugins/media/moxieplayer.swf & wp-includes/js/tinymce/skins/lightgray/fonts/tinymce.jsonspecified)
    in the second warning I received from Wordfence about unknown files in the core.

    After WordPress failed to remove the wp_embed files this post was originally about (and then rushed to delete them from the 4.8 image) I figured that they still have not done their job and prepared the image according to their docs.
    Is WordPress getting lax on doing what they say they are going to do when releasing an updated image? Well, I would have to say yes they are. Hopefully they have gotten around to doing their job because all we need is for them to get sorry and give admins yet more things to have to deal with.
    I will say again that my install of Ver. 4.8 was brand new and the day after my original post, my hosting provider did a test install from the WordPress repository and magically those wp_embed files had been removed. Good luck everyone and I urge you to file a complaint directly with WordPress and let them know someone dropped the ball.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘wpembed unknown file in core’ is closed to new replies.