With the latest update to WordPress 4.7.4, Wordfence reports lots of issues (100 issues).
All of them indicate that WordPress core files have been modified, some examples:
Even after (Trellis) re-deploying, subsequent scans yield the same result.
How can I get rid of all these issues? Why does Wordfence detect a discrepancy at all?
Just ignoring them would defeat the purpose of detecting real changes.
Should probably hit up Wordfence for support. Also seems very odd to use Wordfence on a Trellis setup.
If I may ask, why is this very odd? Wordfence is a WAF that is very WordPress specific.
If there is a better way of further securing a WordPress installation (on Trellis) then I would really like to know (and use) it instead. Also, a Login Lockdown plugin is used on all sites to prevent brute-force login attempts (a common problem).
Without Wordfence, user enumeration is possible.
I don’t think there are WordPress-specific WAFs that could be used in front of multiple WordPress sites; also, each WordPress installation has to be scanned/watched individually.
There are indeed some differences between files from WordPress 4.7.4 official zip and the composer package. I created a new issue with sample file comparison:
News, see linked post:
Are there security plugins that you do recommend with Trellis, or do Ferm, Fail2ban and .env pretty much do the trick?