._ Unknown files in WordPress core (Version 6.1.11)

Phew, it’s not just me that is seeing this then! Thought it was a one off until I checked a second install and got the same errors.

Like you, I will await an update.

Same here! waiting for an update

Hi,

Thanks for the report. We’ll be addressing the “._” files in the next update, soon.

-Matt R

Not sure if this is related, but today I received a Wordfence alert to tons of .listing files in my WordPress core.

Siteground told me it was a known issue and nothing to worry about.

Egad, I just finished pulling off all my hair and then I found this post!
I’ll be waiting with baited breath for a resolution because right now I have over 4000 messages about what has been changed …. enough to give one apoplexy. ??

@pglove: Thanks, I’ve mentioned these to the dev team, too.

@webado: 4000 is definitely unusual — can you click the link “Email activity log” above the “Scan detailed activity” box on the Scan page, and click the Send button? (Please reply here when you’ve sent it too, so I can match your log to this post.)

-Matt R

OK Matt T, I did that. You’d have received an email from my site.

I also see this at the end of the scan:

[Jul 26 10:20:24]Preparing a new scan.Done.
[Jul 26 10:20:24]Remote scan of public facing site only available to paid membersPaid Members Only
[Jul 26 10:20:26]Check if your site is being Spamvertized is for paid members onlyPaid Members Only
[Jul 26 10:20:28]Checking if your IP is generating spam is for paid members onlyPaid Members Only
[Jul 26 10:20:30]Checking if your site is on the Google Safe Browsing list is for paid members onlyPaid Members Only
[Jul 26 10:20:32]Scanning your site for the HeartBleed vulnerabilitySecure.
[Jul 26 10:20:35]Fetching core, theme and plugin file signatures from WordfenceSuccess.
[Jul 26 10:20:36]Fetching list of known malware files from WordfenceSuccess.
[Jul 26 10:20:41]Comparing core WordPress files against originals in repositoryProblems found.
[Jul 26 10:20:41]Comparing open source themes against www.remarpro.com originalsProblems found.
[Jul 26 10:20:41]Comparing plugins against www.remarpro.com originalsProblems found.
[Jul 26 10:20:41]Scanning for known malware filesSecure.
[Jul 26 10:23:27]Check for publicly accessible configuration files, backup files and logsSecure.
[Jul 26 10:23:27]Scanning file contents for infections and vulnerabilitiesSecure.
[Jul 26 10:23:27]Scanning files for URLs in Google’s Safe Browsing ListSecure.
[Jul 26 10:48:43]Scanning posts for URLs in Google’s Safe Browsing ListSecure.
[Jul 26 10:48:44]Scanning comments for URLs in Google’s Safe Browsing ListSecure.
[Jul 26 10:48:44]Scanning for weak passwordsSecure.
[Jul 26 10:48:44]Scanning DNS for unauthorized changesSecure.
[Jul 26 10:48:45]Scanning to check available disk spaceSecure.
[Jul 26 10:48:45]Scanning for old themes, plugins and core filesSecure.
[Jul 26 10:48:45]Scanning for admin users not created through WordPressSecure.
[Jul 26 10:48:45]Scan complete. You have 4753 new issues to fix. See below.Scan Complete.

One of the warnings I am aware of as I changed manually header.php myself to add Google Analytics.

One or two others I’ve seen before but couldn’t figure out. I thought maybe they were due to changed plugins but was wondering why they get flagged.

Now it’s a flood.

Just updated to 6.1.12 and I am still getting a bunch of “unknown” files in core. The site appears fine and when I fetch it, Google’s bots see it fine, too.

Please advise.

I’ll wait then for 6.2 ??

Having done a little more digging, it appears that the files Wordfence is flagging up, for me at least, are indeed not supposed to be where they are. I did a manual comparison with a freshly downloaded copy of WordPress 4.5.3

The files in question are:

wp-includes/theme-compat/comments-popup.php
wp-includes/js/tinymce/wp-mce-help.php
wp-includes/js/tinymce/plugins/wpfullscreen/plugin.js
wp-includes/js/tinymce/plugins/wpfullscreen/plugin.min.js
wp-admin/js/wp-fullscreen.js
wp-admin/js/wp-fullscreen.min.js

So if people are seeing something similar, it might not actually be a Wordfence error. That does of course leave the question of where these files came from / what changed to put them there.

And I seem to have understood where I moofed …. I blame my mouse and Filezilla ….

I am quite ashamed and humbled …

Neilcford

I have a different set of files saying they are not where they belong, and indeed comparing them to a fresh WordPress download, they should not be where they are.

But so many of us receiving such warnings all at the same time? This is not a coincidence.

I know what I did wrong -I uploaded a lot of files to the wrong subfolder before uploading them to the correct subfolder, when I migrated the site.

I wonder if this plugin has only just started to scan for this situation with the latest version 6.1.11.

Hi all,

The “._” files and a few others were added in today’s release, version 6.1.12.

The files mentioned by @neilcford were valid files in an old version of WordPress. We suspect that one of the WordPress updates didn’t clean up all of the files that are no longer part of core.

@dwinn71: This is a new scan that was released yesterday, separate from the scan that compares core files to their originals, so that’s the reason a number of people see these at once. If you want to post your list of files found in a new post, someone can take a look.

If anyone has additional issues or questions on this, please also make a new post by clicking here, and using the form at the bottom of the page, to post the details of what you have found. Thanks!

-Matt R