Wordfence: WordPress core file modified: [...]

With the latest update to WordPress 4.7.4, Wordfence reports lots of issues (100 issues).
All of them indicate that WordPress core files have been modified, some examples:

  • wp-includes/js/colorpicker.min.js
  • wp-includes/js/customize-base.min.js
  • […]
  • wp-includes/embed.php
  • […]

Even after (Trellis) re-deploying, subsequent scans yield the same result.

How can I get rid of all these issues? Why does Wordfence detect a discrepancy at all?
Just ignoring them would defeat the purpose of detecting real changes.

Should probably hit up Wordfence for support. Also seems very odd to use Wordfence on a Trellis setup :eyes:

If I may ask, why is this very odd? Wordfence is a WAF that is very WordPress-specific.
If there is a better way of further securing a WordPress installation (on Trellis), then I would really like to know (and use) it instead. Also, a Login Lockdown plugin is used on all sites to prevent brute-force login attempts (a common problem).

Without Wordfence, user enumeration is possible.

I don’t think there are WordPress-specific WAFs that could be used in front of multiple WordPress sites; also, each WordPress installation has to be scanned/watched individually.

There are indeed some differences between files from WordPress 4.7.4 official zip and the composer package. I created a new issue with sample file comparison:


News, see linked post:

Are there security plugins that you do recommend with Trellis, or do Ferm, Fail2ban and .env pretty much do the trick?
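
As an added example (not posted by anyone in this thread, and not Wordfence or Trellis code): one way to triage a batch of "core file modified" reports is to compare an extracted copy of the official zip against the deployed tree and separate whitespace-only differences from real content changes and files that core never shipped. It assumes both trees are already on disk; the sample file contents and the `official`/`deployed` directory names are constructed.

```python
import tempfile
from pathlib import Path

def normalize(data: bytes) -> bytes:
    """Drop line-ending and trailing-whitespace differences."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return b"\n".join(line.rstrip() for line in lines).rstrip(b"\n")

def list_files(root: Path) -> set:
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}

def compare_trees(reference, deployed) -> dict:
    """Map every path that is not byte-identical to a triage status."""
    reference, deployed = Path(reference), Path(deployed)
    ref_files, dep_files = list_files(reference), list_files(deployed)
    report = {}
    for rel in sorted(ref_files | dep_files):
        if rel not in dep_files:
            report[rel] = "missing"
        elif rel not in ref_files:
            report[rel] = "unexpected"  # not in the reference: review this first
        else:
            a, b = (reference / rel).read_bytes(), (deployed / rel).read_bytes()
            if a != b:
                report[rel] = "whitespace-only" if normalize(a) == normalize(b) else "content-changed"
    return report

# Constructed sample trees: file names echo the thread, contents are made up.
OFFICIAL = {
    "wp-includes/version.php": b"<?php\n$wp_version = 'x';\n",
    "wp-includes/embed.php": b"<?php\n// embed\n",
    "wp-includes/js/colorpicker.min.js": b"var a=1;",
    "wp-includes/js/customize-base.min.js": b"var b=1;",
}
DEPLOYED = {
    "wp-includes/version.php": b"<?php\n$wp_version = 'x';\n",
    "wp-includes/embed.php": b"<?php\r\n// embed\r\n",
    "wp-includes/js/colorpicker.min.js": b"var a=2;",
    "wp-includes/extra.php": b"<?php // not part of core\n",
}

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("official", OFFICIAL), ("deployed", DEPLOYED)):
            for rel, data in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return compare_trees(Path(tmp, "official"), Path(tmp, "deployed"))
```

`demo()` runs the comparison on the constructed sample; on a real site, call `compare_trees()` with the extracted zip and the deployed WordPress directory.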