Wordfence just hightlight this file change

Hi,

That is a UpdraftPlus file but I recommend you check the file to see if someone has hacked your site, and added nasty code to it.

You should compare the version you have with the original.

To do that, check your current UD version.

Then download a pristine copy of that version from https://www.ads-software.com/plugins/updraftplus/advanced/.

Also copy the file from wp-content/plugins/updraftplus from your webspace to your computer (i.e. download what you’ve got installed).

Then use a tool like WinMerge or an online service to compare the two versions to see if those two files differ or not.

Best Wishes,

Ashley

my version of updraft is 1.13.11

here is screen shot of the changes…

https://prntscr.com/gtk8gk

looks like you have added a \

\t\n\r\0\x0B

you may have done this a while ago – I have my wordfence set to high sensertive…

Hi,

That change is legitimate.

Good to hear it’s legitimate! I was checking into this forum with the exact same question after seeing my own Wordfence report today. Thanks @rfollett for asking this.

Susan

Hi, As a followup to this question (I got the same warning from WordFence, BTW), was this part of the most recent update, ie 1.13.11, about a week ago?

It seems interesting (and is somewhat concerning) that WordFence took a week to find this if so. If not, was it somehow updated by Updraft since then?

Also, I see what looks like the same code (in the same screenshot as rfollett sent) where a hexadecimal value looks like it should also be \0x0B instead of \x0B (which maybe PHP is treading like a string instead of the hex value 0B). The code referenced is three lines down from the first line that changed to \0x0B.

Thank You!
Roger

Hi,

Yes these changes were added in 1.13.11

Best Wishes,

Ashley

Thanks, Ashley, but this is still not making sense. WordFence does not flag file changes that are made when a plugin gets officially updated to a new version.

I examined the file class-updraftplus.php in Updraft Plus on another of my sites that did not get flagged by WordFence (only 3 of my 10 WordPress sites were flagged for this file modification, but all my sites are using Updraft Plus version 1.13.11).

What I found is that the line that WordFence flagged:
$settings['settings'][$instance_id]['host'] = rtrim($matches[2], "/ \t\n\r\0x0B");
does not even exist in the file class-updraftplus.php of Updraft Plus 1.13.11 on all my other sites.

Shouldn’t the code be exactly the same in class-updraftplus.php in all of my installations of Updraft Plus 1.13.11? And why is this one 1.13.11 change trickling in days after the actual version update?

• This reply was modified 7 years, 1 month ago by susantau.

Relevant FAQ: https://updraftplus.com/faqs/wordfence-warning-files-inside-updraftplus-changed/

Thanks Susan for also jumping in on this and thanks David for your response.

If a change is so small that it does not warrant a new version number, then it probably can also wait for the next release. I have worked with a number of people responsible for version control on product builds & releases and I cannot think of anyone who would allow a changed file to exist with the same version number.

The FAQ makes the point saying that “WordFence assumes that a plugin will never change if its version number hasn’t changed”, which I agree is a valid assumption.

If (as the FAQ claims), the scanned file was compared to the plugin originally downloaded, what’s to prevent malicious code from changing the “copy” of the originally downloaded plugin (which presumably must exist to make such a comparison) and causing WordFence to miss malicious code changes?

The FAQ also says, “That assumption just doesn’t fit with a lot of very popular WordPress plugins.” What other popular plugins do this?

Thanks again!
Roger

I had the same waning this morning and I’d like to ask the forum moderator to please clarify: I followed WordFence’s input and restored that file to the way it was before because I did not know if my site had been hacked or not previous to finding this forum thread.

Should I now check for an update? Is it going to be common for WordFence to find false alerts within UpDraftPlus?

If a change is so small that it does not warrant a new version number, then it probably can also wait for the next release. I have worked with a number of people responsible for version control on product builds & releases and I cannot think of anyone who would allow a changed file to exist with the same version number.

This is exactly right. There’s no sane reason for having multiple variants of a product in the field with identical version numbers.