How identify plugin which change my core files?

  • [ Moderator note: moved to Fixing WordPress. ]

    Hi, is there any way to identify a script that changes my core files?

    This is report from Wordfence which periodically happens on my website:

    File appears to be malicious: wp-includes/registration-functions.php
Filename:                     wp-includes/registration-functions.php
File type:                    Core
Issue first detected:         1 min ago.
Severity:                     Critical
Status                        New
This file appears to be installed by a hacker to perform 
malicious activity. If you know about this file you can choose to ignore it 
to exclude it from future scans. The text we found in this file 
that matches a known malicious file is: "${"\x47\x4c\x4fB\x41\x4c\x53"}". 
The infection type is: Backdoor:PHP/kidslug.

    I still restore it to original version but in few days/weeks it is back.
    My installed plugins:

    Easy FancyBox
    ezPHP
    Fancybox
    Footer Text
    Google Analytics Dashboard for WP
    Google Photos embed
    Idea Factory
    Postman SMTP
    PWA+PHP Picasa Web Albums for WordPress
    Responsive Image Maps
    Simple Custom CSS and JS
    SQL Executioner
    UpdraftPlus – Backup/Restore
    Wordfence Security
    WP Crontrol
    WP-ServerInfo

    Thanks for advice

    • This topic was modified 7 years, 9 months ago by atiris.
    • This topic was modified 7 years, 9 months ago by Jan Dembowski.
Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘How identify plugin which change my core files?’ is closed to new replies.