WordPress Core Files Modified

Hi @jakedouglas, thanks for getting in touch!

If you’re hosted with GoDaddy, we received notification today that they appear to have modified 5 WordPress core files, at least for users on its Managed WP hosting. We get these modified file results on our test sites there:

• wp-includes/class-wp-post.php
• wp-includes/class-wp-query.php
• wp-includes/meta.php
• wp-includes/post.php
• wp-includes/taxonomy.php

In Wordfence > All Options > General Options it should be possible to disable “Scan core files against repository versions for changes” if you want to stop scanning core files. Alternatively, you can use the options in the scan result itself to ignore these files. Ignoring the file “until it changes” should make it come back after some WordPress upgrades, or if GoDaddy makes additional changes (or if there are ever malicious changes).

I haven’t seen this accompanied by scan failures, so it might be worth trying to trigger a scan manually to see if that error clears up.

I hope that helps you out!
Peter.

Hello,

So in that case @wfpeter this is not an issue or something malicious on the site? I have the same problem, not sure if ignore this messages should be the correct, but I make the consult to you.

Thanks.

Yes, I’ve received notices for at least 4 or 5 of my clients. When the first one came through I told the client the site most likely was hacked. The next day I started receiving more notices, so I realized something must be going on with Godaddy. I was actually going to call them to see.

I was concerned about this same issue, and asked GoDaddy about this yesterday. They put the blame on Wordfence, and said there was no issue.

Thanks for comment that @gallery606, I was concerned about this messages of Wordfence.

Greetings!

I just got this notice on a client’s GoDaddy Managed WordPress installation. Looking at the file differences, the added code all appears to be GoDaddy related, but I can’t tell what it’s meant to accomplish. Unsure whether to clean it or if that would break the Managed WP thing they have going on.

Good Day,

There is absoluletly no reason why GoDaddy should be modifying WordPress core files without prior notification — or modifying them at all, for that matter. Poor practice! Blaming Wordfence for the issue is wrong. In fact, Wordfence did its job (kudos to Team Wordfence).

Above is one of many reasons why we switched from GoDaddy to Siteground. Couldn’t be happier. Siteground never modifies WordPress core files.

For future reference, it would be nice to know why GoDaddy chose to directly modify WordPress core files.

Cheers ??

Whatever became of this issue? I have the same 5 modified core files. I’m sure it happened on my site at the same time. I’ve watched for about a month and see no site problems. I’m waiting for tomorrow’s WP update to see if the files are again modified.

I did contact GoDaddy and they gave me the same run-around, i.e., it’s not their problem, talk to WordFence. This is aggravating, obviously.

Hi,

I am experiencing the same issue with GoDaddy managed WordPress hosting for a client who uses GoDaddy. Not only are only 5 files modified, but the version check is also showing an older version. Now, the actual latest release is 6.6.1, but the update check in WordPress or GoDaddy’s dashboard shows 6.5.5 as the latest version! shows 6.5.5 as the latest version! Any advice?

Hi @armin3000,

The solution is simple. Perform the following:

1. Update WordPress to V6.6.1 via cPanel or other tools provided by GoDaddy.
2. Flush all cache layers (theme, plugins, CDN, browser).
3. Re-run the Wordfence scanner.
4. If the 5 modified core files show up again, then confirm they were added/modified by GoDaddy. If so, then follow the instructions shared above by @wfpeter.

Note: Best to seek another host. GoDaddy should be renamed “GoSlow” (keeping it ethical).

If the above works for y’all, it would be great if @jakedouglas or @wfpeter can close this topic as “Resolved.”

Best wishes!