Using Wordfence to analyze changes in your WordPress files

Introduction

Wordfence is unique among security plugins because it checks the integrity of your WordPress core files, your theme files and your plugin files against what is stored in the WordPress repository.

Some plugins claim to be “theme integrity checkers”, but in fact they simply record the current state of your files and alert you if anything changes afterwards. So if you’re already infected when you install one of these plugins, the infected files become its baseline and it will never alert you to them.

Wordfence instead generates a cryptographic hash of each file (a fixed-length number derived from the file’s contents, which changes if even a single byte changes) and compares those hashes with what we have on file in our data center in Seattle. In our data center we maintain pristine original copies of every version of WordPress ever released, along with every open source theme and plugin ever released through the WordPress repository.

Once we’ve done this comparison, we let you know which files in your core WordPress installation, your themes and your plugins have changed.
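The following is an added example, not Wordfence’s own code, showing the comparison described above in miniature: every file under an installed plugin directory is hashed, the hashes are compared against a manifest built from the pristine release, and files are reported as modified, added or missing. The plugin “xyz”, its file contents and the tampering applied to them are all constructed here for the demonstration; in practice the manifest would be built from the release files in the repository. The second demo shows why a snapshot-style checker is weaker: its baseline is taken from the already tampered install, so it reports nothing.

```python
"""Added example (not Wordfence's code): repository-backed file integrity check."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file on disk in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root to its hash, keyed by its forward-slash relative path."""
    hashes = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def manifest_from_bytes(files):
    """Build the 'pristine' manifest from in-memory release contents (constructed here)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(installed, pristine):
    """Classify installed files against the pristine manifest."""
    return {
        "modified": sorted(p for p in pristine if p in installed and installed[p] != pristine[p]),
        "added": sorted(p for p in installed if p not in pristine),
        "missing": sorted(p for p in pristine if p not in installed),
    }


def write_tree(root, files):
    """Write a dict of relative path -> bytes to disk under root."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


# Constructed stand-in for the files of a hypothetical plugin "xyz" version 2.4.8 as released.
PRISTINE_FILES = {
    "xyz/xyz.php": b"<?php\n/*\nPlugin Name: XYZ\nVersion: 2.4.8\n*/\n",
    "xyz/includes/helper.php": b"<?php\nfunction xyz_helper() { return get_option('xyz_settings'); }\n",
    "xyz/readme.txt": b"=== XYZ ===\nStable tag: 2.4.8\n",
}


def tampered_install():
    """Constructed copy of the release with one file altered, one added and one removed."""
    installed = dict(PRISTINE_FILES)
    installed["xyz/includes/helper.php"] += b"\n/* constructed: code appended after release */\n"
    installed["xyz/includes/cache.php"] = b"<?php\n/* constructed: file not present in the release */\n"
    del installed["xyz/readme.txt"]
    return installed


def demo_repository_check():
    """Compare the tampered install against the pristine release manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(tmp, tampered_install())
        return compare(hash_tree(tmp), manifest_from_bytes(PRISTINE_FILES))


def demo_snapshot_check():
    """Snapshot-style checker: the baseline is taken from the tampered install itself."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(tmp, tampered_install())
        baseline = hash_tree(tmp)  # the "install-time" snapshot already contains the tampering
        return compare(hash_tree(tmp), baseline)


if __name__ == "__main__":
    print("repository check:", demo_repository_check())
    print("snapshot check:  ", demo_snapshot_check())
```

The repository check reports helper.php as modified, cache.php as added and readme.txt as missing, while the snapshot check reports nothing at all. Note that the repository check can only be as good as the manifest: if the release files on the server are themselves unstable (the tagging problem discussed further down), every install will show as “modified” even when nothing malicious happened.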

This guide is meant to help you understand what you are seeing when Wordfence reports that certain files have changed.

How to see file changes

When Wordfence lets you know a file has changed, you can do the following:

I’m seeing that a lot of files in a theme or plugin have changed, but when I view the changes, they don’t look infected. What should I do?

This problem exists with about 1 in every 20 plugins. It is caused by the plugin or theme developer not following the WordPress guidelines on version control. When a developer releases a new version, they must create a “tag” named for that version number in the plugin or theme repository. A tag is a full, frozen copy of the version being released: the files in it never change, and those are the files we hash and compare your installation against.

Instead, what we sometimes see is a developer constantly adding new code to their plugin or theme without increasing the version number and without creating a new tag. That means the copy of plugin XYZ you installed as version 2.4.8 will differ from what the repository now serves as version 2.4.8, and because the version number never changed, your WordPress installation will never prompt you to upgrade. The only way to upgrade a plugin broken like this is to uninstall it, remove its files and reinstall it.

We prefer to simply remove plugins that don’t follow the official WordPress guidelines for plugin and theme developers. So if you see a plugin whose files are constantly changing while the version number stays the same, you should consider removing it.

I’m seeing some WordPress core files that have changed, and the only difference is a comment like // Silence is golden followed by a closing ?> tag. What should I do?

These are placeholder index.php files left over from a 2.x version of WordPress; for some reason your upgrade process did not replace them. Newer versions ship the same placeholder without the closing ?> at the end, so that trailing tag is the only difference, and you can safely replace these files with the index.php from the current version. Do use “view changes” to confirm that the closing tag really is the only difference: if anything else has been added to the file, treat it as a possible infection instead.

Some of my plugin and theme files have changed, and when I view the file I see a lot of garbage characters. What should I do?

This is a very bad sign. Those “garbage characters” are usually encoded or otherwise obfuscated code, and their presence almost always means you’re infected and should repair the file. Make sure you “view changes” and look at exactly what has been added. If you’re unsure, ask on our forums.
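As an added example (not Wordfence’s code), the following heuristic triage scans the lines of a changed file for the markers that typically accompany injected, obfuscated PHP: calls such as eval and base64_decode, long runs of base64-looking text, hex-escaped strings that hide function names, and unusually long high-entropy lines. The sample lines are constructed for the demonstration; the hypothetical helper function and the injected lines are not from any real plugin.

```python
"""Added example (not Wordfence's code): flag lines that look like obfuscated PHP."""
import math
import re

# Functions that legitimate plugin code rarely needs but obfuscated payloads almost always use.
SUSPICIOUS_CALLS = ("eval(", "base64_decode(", "gzinflate(", "gzuncompress(",
                    "str_rot13(", "create_function(", "assert(")
B64_RE = re.compile(r"[A-Za-z0-9+/=]{80,}")          # long base64-looking literal
HEX_RE = re.compile(r"(\\x[0-9a-fA-F]{2}){3,}")      # e.g. "\x65\x76\x61\x6c" spelling out eval


def shannon_entropy(text):
    """Bits per character; English-like PHP sits around 4.5, encoded blobs approach 6."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return the list of reasons a single line looks suspicious (empty if none)."""
    reasons = [call for call in SUSPICIOUS_CALLS if call in line]
    if B64_RE.search(line):
        reasons.append("long base64-like literal")
    if HEX_RE.search(line):
        reasons.append("hex-escaped string")
    if len(line) > 200 and shannon_entropy(line) > 5.0:
        reasons.append("long high-entropy line")
    return reasons


def scan_lines(lines):
    """Return [(line_number, reasons), ...] for every suspicious line, 1-indexed."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed sample: a benign helper followed by two injected lines.
SAMPLE_LINES = [
    "<?php",
    "function xyz_helper() {",
    "    return get_option('xyz_settings');",
    "}",
    r'$f = "\x65\x76\x61\x6c"; $f(base64_decode("aGVsbG8="));',   # hex-escaped "eval"
    "eval(gzinflate(base64_decode('" + "A" * 90 + "')));",       # classic decoder chain
]


if __name__ == "__main__":
    for number, reasons in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {', '.join(reasons)}")
```

This is only a triage aid: legitimate code occasionally uses base64_decode (for embedded images, for example), and an attacker can always pick an encoding these patterns miss. Use it to decide which of the changed files deserve a close look first, then read the actual diff.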

Conclusion

I hope you now have a better understanding of this powerful feature of Wordfence. I’m leaving comments open on this page, so please post any additional data you feel may help other users enjoy a safe WordPress experience.