• So after my site auto-updated to 6.2, WordFence ran an autoscan and reported no less than 57 WordPress Core files left over.

    Old WordPress core file not deleted during update: wp-includes/Requests/Cookie/Jar.php
    Type: File

    I’ve had these scan results before, but usually with 1 or 2 files. This is a whole other order of magnitude. I can bulk-delete the reported files, but am worried that WordFence may be wrong here, and that the reported files are still part of Core.

    This is a selection of the files reported:

    wp-includes/Requests/Cookie/Jar.php
    wp-includes/Requests/Auth.php
    wp-includes/Requests/Cookie.php
    wp-includes/Requests/Exception/HTTP/30x.php (multiple)
    wp-includes/Requests/Exception/HTTP/40x.php (multiple)

    All these look to me like legit WP files, and it seems improbable that a minor release like 6.2 would move or rename all of them.

    Is WordFence right here? How can I find out for myself?


Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @florismk, thanks for getting in touch.

    You can see the entire list of revised files here: https://www.ads-software.com/documentation/wordpress-version/version-6-2/#list-of-files-revised

    Sometimes updates can leave files present for various reasons, but my main recommendation would be to always take a site backup before removing or repairing any files found during a scan.

    Thanks,
    Peter.

    Thread Starter Floris

    (@florismk)

    Okay, thanks Peter!

    Checking the list, I see that all the files reported as left over by Wordfence are listed as Revised. I assume Revised is something else than Deleted. I also assume that with a legit file present, there cannot be a leftover old file with the same name present.

    So does that mean that WF is mistaken in reporting these files as leftover?

    PS: Backing up before making changes is of course sound advice.

    [Automatic Translation]

    My case is very similar (pretty much the same) to the one quoted above ( @florismk ).
    Please request Wordfence Support to “confirm” or “no” if Wordfence is really wrong in this case above!!!!!
    Thanks in advance.

    [Automatic Translation]

    @wfpeter,

    Do you have an answer to my question above?
    Thanks in advance!

    Hello! I received the same message from Wordfence regarding the files on the revised list. As was asked previously, do you know whether or not Wordfence was correct in flagging these files? Also, if they weren’t removed during the WordPress update how do we safely remove them? Thank you for your help!

    I have Defender finding these 57 on 20 sites and Wordfence finding these same files 57 on 20 other sites. I don’t want to delete them if they are new, essential, but unrecognized. This thread is the only relevant page SERPs turn up.

    The word “revised” in that list above is very misleading, since the way to find out if something is actually in a version of WordPress or not is to simply download the zip file and look in it:

    https://www.ads-software.com/download

    This problem recurs with every WordPress upgrade, it seems. The most recent instance is with 6.3 and these files. They are not in the zip, you’ll notice, so Wordfence is correct.

    * Old WordPress core file not removed during update: wp-includes/images/wlw/wp-comments.png
    * Old WordPress core file not removed during update: wp-includes/images/wlw/wp-icon.png
    * Old WordPress core file not removed during update: wp-includes/images/wlw/wp-watermark.png
    * Old WordPress core file not removed during update: wp-includes/random_compat/byte_safe_strings.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/cast_to_int.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/error_polyfill.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/random.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/random_bytes_com_dotnet.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/random_bytes_dev_urandom.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/random_bytes_libsodium.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/random_bytes_libsodium_legacy.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/random_bytes_mcrypt.php
    * Old WordPress core file not removed during update: wp-includes/random_compat/random_int.php
    * Old WordPress core file not removed during update: wp-includes/wlwmanifest.xml
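The zip check described in the post above, as an added example that is not part of the original thread: it compares scanner-reported paths with the contents of a downloaded release zip and, because a plugin may still load a file that core no longer ships, searches `wp-content` for references before anything is removed. The function names, the `wordpress/` top-level folder inside the zip and the sample archive are assumptions; the reference search is a heuristic string match.

```python
import io
import zipfile
from pathlib import Path


def release_files(zip_source, prefix="wordpress/"):
    """File paths inside a release zip, relative to the site root."""
    with zipfile.ZipFile(zip_source) as zf:
        return {
            i.filename[len(prefix):] if i.filename.startswith(prefix) else i.filename
            for i in zf.infolist()
            if not i.is_dir()
        }


def classify(reported, shipped):
    """Split scanner-reported paths by whether the release still ships them."""
    out = {"not_in_release": [], "still_in_release": []}
    for path in reported:
        norm = path.strip().lstrip("/")
        out["still_in_release" if norm in shipped else "not_in_release"].append(norm)
    return out


def find_references(site_root, paths, subdir="wp-content"):
    """Heuristic: PHP files under wp-content that mention the path below wp-includes/."""
    hits = {}
    for php in sorted(Path(site_root, subdir).rglob("*.php")):
        text = php.read_text(errors="ignore")
        for p in paths:
            if p.split("/", 1)[-1] in text:
                hits.setdefault(p, []).append(php.relative_to(site_root).as_posix())
    return hits


def sample_zip():
    """Constructed stand-in for a downloaded release zip (not real release contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wordpress/index.php", "<?php")
        zf.writestr("wordpress/wp-includes/version.php", "<?php")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed report: one path from the thread, one file the sample zip contains.
    reported = ["wp-includes/wlwmanifest.xml", "wp-includes/version.php"]
    print(classify(reported, release_files(sample_zip())))
```

Paths under `still_in_release` should not be deleted; paths under `not_in_release` that also appear in `find_references` output are the ones to test on a staging copy first.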

    You can see the complete list of revised files (WordPress 6.3) here: https://www.ads-software.com/documentation/wordpress-version/version-6-3/#list-of-files-revised

    • This reply was modified 1 year, 1 month ago by josemario.

    Yes, I know (that’s the link mentioned earlier but for 6.3), but the matter is not what’s been revised but rather removed. The revised list doesn’t help with that, but the download file does, since it’s easy to see what’s not there.

    [Automatic Translation]

    @bjf2000

    I agree with your reasoning!
    What I can’t understand is the purpose of the list:
    List of Files Revised ( https://www.ads-software.com/documentation/wordpress-version/version-6-3/#list-of-files-revised ).

    It’s a puzzler. I don’t get it at all, since the list includes such things as files which no longer exist and ones that haven’t been touched (at least according to date) in years.

    [Automatic Translation]

    @bjf2000,

    So the question remains…
    My WordPress 6.3.1 contains the 14 files posted by you in the above list.
    Is it safe to delete all 14 of these files highlighted by Wordfence as “Old WordPress core file not removed during update”?????

    All information that I know on this subject says yes, and that’s what I did this time. When this has happened in versions past I did the same (after checking that the files are actually not in the zip any longer).

    [Automatic Translation]

    @bjf2000,

    OK, thanks for your information!
    But it’s “strange” that Wordfence support doesn’t speak more clearly on this matter!

    spendleton8801

    (@spendleton8801)

    Basically it comes down to a big MAYBE. Vanilla WordPress may or may not include a particular file anymore, but that doesn’t necessarily mean that it is not a file still in use by a particular plugin. I suspect this is the reason why WordPress doesn’t remove any deprecated content, because tracking which of the 1000s of plugins are actually using it or not using it is too great of a task. I’ve done the bulk delete recommended and it’s broken a site, and I’ve done it and it didn’t appear to break anything. The long and short of it is that the safest way to delete possibly unused legacy files is to create a staging copy of it and delete the files one by one on the staging site and test your site’s functionality. This however doesn’t guarantee that a future plugin that you install doesn’t require something you delete. My recommendation is that unless there is a known security issue with the file, leave it alone, and the next time you redesign your site with a new theme, install a fresh copy of everything you need.

  • The topic ‘Scan reports 57 old WordPress files left over after 6.2 upgrade – legit?’ is closed to new replies.