modified WordPress core files

  • Resolved pmstudio1

    (@pmstudio1)


    2 months ago

    I’m notified by the FluentAuth plugin that WordPress core files are being modified. These relate to the Wordfence plugin. The files are :

    • .user.ini (new)
    • readme.html (deleted)
    • readme.abc123.html (new) ; the abc123 part looks like a secret key
    • wordfence-waf.php (new)

    I created a new install of this website without the Wordfence plugin. No issues with modified core files. After installing and activating the Wordfence plugin, these core files are modified, and I start getting notifications from FluentAuth plugin. My WP hosting is on a private host, no GoDaddy, no SiteGround or other commercial hosting provider.

    I have no idea why these core files are modified , and if this is a normal behaviour. It looks suspicious , so I want to be sure that I can ignore the notifications from FluentAuth, or take immediate security actions.

    Thanks in advance for clarifying this issue.

Viewing 1 replies (of 1 total)
  • Plugin Support wfmargaret

    (@wfmargaret)

    2 months ago

    Hi @pmstudio1,

    All of the changes you’re seeing are normal Wordfence behavior. None of the changes are suspicious, and you can safely ignore the FluentAuth notifications about them. Here’s what each file is:

    • wordfence-waf.php is created when Wordfence optimizes its firewall to “Extended Protection” mode. This file allows the Wordfence Web Application Firewall (WAF) to load before WordPress and any other plugins, which provides a higher level of protection. You can read more about this here: https://www.wordfence.com/help/firewall/optimizing-the-firewall/
    • .user.ini is also part of the firewall optimization process. It tells PHP to load the wordfence-waf.php file at the very beginning of each request using the auto_prepend_file directive. This file is common on servers that don’t use .htaccess (such as NGINX).
    • readme.html (deleted) and readme.[hash].html (new) are the result of the “Hide WordPress version” option in Wordfence. When this option is enabled, Wordfence renames the default WordPress readme.html file so that your WordPress version number isn’t publicly visible. The hash in the filename is unique to your site. You can find this setting under Wordfence > All Options > General Wordfence Options. For more details: https://www.wordfence.com/help/dashboard/options/#hide-wp-version

    Please let me know if you have any questions!

    Thanks,
    Margaret

Viewing 1 replies (of 1 total)

You must be logged in to reply to this topic.