With the latest update to WordPress 4.7.4, Wordfence reports lots of issues (100 issues).
All of them indicate that WordPress core files have been modified, some examples:
wp-includes/js/colorpicker.min.js
wp-includes/js/customize-base.min.js
[…]
wp-includes/embed.php
[…]
Even after (Trellis) re-deploying, subsequent scans yield the same result.
How can I get rid of all these issues? Why does Wordfence detect a discrepancy at all?
Just ignoring them would defeat the purpose of detecting real changes.
If I may ask, why is this very odd? Wordfence is a WAF that is very WordPress specific.
If there is a better way of further securing a WordPress installation (on Trellis), then I would really like to know (and use) it instead. Also, a Login Lockdown plugin is used on all sites to prevent brute-force login attempts (a common problem).
I don’t think there are WordPress-specific WAFs that could be used in front of multiple WordPress sites; also, each WordPress installation has to be scanned/watched individually.
There are indeed some differences between files from the official WordPress 4.7.4 zip and the composer package. I created a new issue with sample file comparison: