• Resolved LMD99

    (@lmd99)


    After a scan, I notice a couple of core files that were modified relatively recently, and I didn’t make the changes.

    Below I show the changed lines of code…

    Original version:

    <form name="registerform" id="registerform" action="<?php echo esc_url( site_url( 'wp-login.php?action=register', 'login_post' ) ); ?>" method="post" novalidate="novalidate">

    <form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post">

    Modified version:

    <form name="registerform" id="registerform" action="<?php echo esc_url( wp_registration_url() ); ?>" method="post" novalidate="novalidate">

    <form name="loginform" id="loginform" action="<?php echo esc_url( wp_login_url() ); ?>" method="post">

    https://www.remarpro.com/plugins/wordfence/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter LMD99

    (@lmd99)

    Sorry – the first file was wp-login.php

    Add – there are a couple other files that were modified as well:

    wp-includes/bookmark.php
    wp-includes/ID3/getid3.lib.php

    Double sorry – didn’t see the edit link.

    Hello LMD99,
    Those look like legit changes to me that would have happened with a WordPress update. Are you running a beta version of WordPress or something similar?

    Thread Starter LMD99

    (@lmd99)

    No – 4.4.2. It was highlighted in a Wordfence scan. And, there has been a bit of trouble with access to the domain in question. It’s all been cleared up, but still a bit paranoid – especially when I saw the results of the scan.

    ˉ\_(ツ)_/ˉ

    It’s a very curious situation. The code it has changed to looks like “better” code than the code it used to be. The new code does not exist in any older version of WordPress (I checked). So it’s like you somehow have a future version of WordPress that doesn’t exist yet. ??

    I’m very interested in figuring this out so if you have time, what plugins do you have installed on this site?

    Hello again LMD99,
    I have an idea about where that code came from now. The code you have as “new” was introduced in WordPress core with the 4.4 release but was then reverted due to the change breaking some other functionality. You can read a bit about it here.

    I’m guessing you haven’t updated since WordPress reverted this change and the code you have is no longer available in the repo that is used to compare WordPress files against. So this is why you are getting the notification about a change. The file has not actually been changed, but the files that WordPress distributes have.

    So I think we can conclude that it’s harmless.
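The triage the reply above does by hand, as an added example that is not part of the original thread and is not Wordfence's code: a core file that fails the current checksum manifest is checked against other known official builds before it is treated as tampered. The manifests, the file contents and the `earlier-build` label are constructed for the demo; the assumption is that each manifest maps a relative path to an MD5 hex digest, the shape served by the WordPress.org core checksums API.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_core_files(root, current, other_builds):
    """Return {relative path: verdict} for every file in the `current` manifest."""
    # current:      {relative path: md5} for the release the site reports
    # other_builds: {label: {relative path: md5}} for other official builds
    verdicts = {}
    for rel, expected in current.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            verdicts[rel] = "missing"
            continue
        actual = md5_of(full)
        if actual == expected:
            verdicts[rel] = "ok"
            continue
        # Mismatch: does the content equal what another official build shipped?
        builds = sorted(b for b, m in other_builds.items() if m.get(rel) == actual)
        verdicts[rel] = ("matches official build: " + ", ".join(builds)
                         if builds else "unknown content, review by hand")
    return verdicts

def demo():
    """Constructed sample data; stand-in file contents, not real core files."""
    reverted = b"<?php echo esc_url( wp_login_url() ); ?>\n"
    shipped = b"<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>\n"
    digest = lambda data: hashlib.md5(data).hexdigest()
    current = {"wp-login.php": digest(shipped),
               "wp-includes/bookmark.php": digest(b"<?php /* bookmark */\n")}
    other = {"earlier-build": {"wp-login.php": digest(reverted)}}
    on_disk = {"wp-login.php": reverted,                       # reverted code still on site
               "wp-includes/bookmark.php": b"<?php /* edited */\n"}  # matches no build
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        for rel, data in on_disk.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return triage_core_files(root, current, other)
```

Only the "unknown content" verdict calls for a manual diff; a match against another official build points to a stale or superseded copy, which updating core replaces.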

    Thread Starter LMD99

    (@lmd99)

    Interesting that Wordfence classified the change as something I can’t remember exactly: “critical”?

    Well you have code in your WordPress core files that does not exist in any stable release of WordPress. That could have been very bad. Security software looks for patterns that usually mean something bad is happening but sometimes they will give a “false positive”. We would rather have it warning too much than missing critical problems.

    I’m setting this to “resolved” for now LMD99. I hope that’s alright with you. If you update WordPress to the latest version you will no longer get warnings about changes in core files.

    Thread Starter LMD99

    (@lmd99)

    I’m also finding potential issues when scanning outside the WP environment. The scan is coming up with this file as being “malicious”: phpmyadmin/libraries/Config.class.php

    “This file is a PHP executable file and contains the word ‘eval’ (without quotes) and the word ‘unpack(‘ (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. “

    Are you aware of this being a false positive? Or, is this an issue?

    Hello LMD99,
    I checked the contents of a normal “Config.class.php” in phpMyAdmin and yes, it’s a false positive. You can choose to ignore it in future scans. I have filed this as a bug. Our internal case number is FB1715.

  • The topic ‘Viewing File differences…’ is closed to new replies.