• Resolved WPwebbouw

    (@wpwebbouw)


    Wordfence scan reports a modified plugin file after updating Updraftplus to the newest version 1.10.1. This sure looks like a harmless issue but still it is not a false positive. There is a difference in the file that is updated and the original file in the WordPress repository that it is compared against. This could mean the readme.txt in the update comes from another source that is not synchronized with the readme.txt in the download here on https://downloads.www.ads-software.com/plugin/updraftplus.latest-stable.zip

    Here is the report from Wordfence:

    Modified plugin file: wp-content/plugins/updraftplus/readme.txt

    Filename: wp-content/plugins/updraftplus/readme.txt
    File type: Plugin
    Issue first detected: 2 mins ago.
    Severity: Warning
    Status New

    This file belongs to plugin “UpdraftPlus – Backup/Restore” version “1.10.1” and has been modified from the file that is distributed by www.ads-software.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]

    https://www.ads-software.com/plugins/updraftplus/

Viewing 4 replies - 1 through 4 (of 4 total)
  • This is still an issue – 27/05/15

    Just had the notification (7/10/15) so it is still happening.

    Plugin Contributor DNutbourne

    (@dnutbourne)

    Hi,

    This is due to minor changes in the readme.txt file leading to a false positive.

    For more information on the issue, please see the following FAQ:
    https://updraftplus.com/faqs/wordfence-warning-files-inside-updraftplus-changed/

    Best Wishes,
    David

    Thread Starter WPwebbouw

    (@wpwebbouw)

    Hi David,

    I read your FAQ. It says: “The right way to perform this check would be by comparing your installed plugin with the plugin that was originally downloaded.” I seriously doubt that this would be the right way.

    Did you or any other of the Updraftplus crew discuss this with the Wordfence guys? To me it seems impossible how they could distinguish which unversioned version a user has installed.

    I think it would be far more easy for all parties involved if plugin publishers would stick to the rule that any change to any part of the published code means another version number. If changes are small, like the mentioning of another co-author in a readme file, then why wouldn’t you wait until the next update? Just collect those small and insignificant changes and publish them all in the next official version. I mean, what’s the point of making changes between versions if they are small and insignificant?

    So your FAQ post does not convince me. I think making changes in a current version without changing the version number is bad practice.

    Besides, it would be an impossible job for Wordfence to keep track of all undocumented changes plugin authors publish without changing version numbers. How could they possibly do that?

    Erik
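
The check this thread argues about (comparing an installed plugin with the archive distributed for the same version), as an added example that is not part of the thread and is not Wordfence or UpdraftPlus code. The function names, the `CODE_EXTENSIONS` list and the sample file contents are assumptions made for illustration; the report separates changed code files from changed non-code files such as `readme.txt`.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumption (not from the thread): extensions treated as executable code.
CODE_EXTENSIONS = {".php", ".js", ".phtml", ".inc"}

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

def reference_hashes(zip_bytes, plugin_slug):
    """Map relative path -> SHA-256 for files under <plugin_slug>/ in the archive."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            parts = PurePosixPath(info.filename).parts
            if info.is_dir() or len(parts) < 2 or parts[0] != plugin_slug:
                continue
            hashes["/".join(parts[1:])] = _sha256(archive.read(info))
    return hashes

def compare_plugin(installed_dir, zip_bytes, plugin_slug):
    """Return sorted (status, relative_path, is_code) for every differing file."""
    reference = reference_hashes(zip_bytes, plugin_slug)
    root = Path(installed_dir)
    installed = {p.relative_to(root).as_posix(): _sha256(p.read_bytes())
                 for p in root.rglob("*") if p.is_file()}
    findings = []
    for rel in sorted(set(reference) | set(installed)):
        have, want = installed.get(rel), reference.get(rel)
        if have == want:
            continue
        status = "missing" if have is None else "added" if want is None else "modified"
        is_code = PurePosixPath(rel).suffix.lower() in CODE_EXTENSIONS
        findings.append((status, rel, is_code))
    return findings

if __name__ == "__main__":
    # Constructed sample: a two-file archive and an install whose readme.txt differs.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("updraftplus/readme.txt", "Contributors: a\n")
        z.writestr("updraftplus/updraftplus.php", "<?php // v1\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "readme.txt").write_bytes(b"Contributors: a, b\n")
        Path(d, "updraftplus.php").write_bytes(b"<?php // v1\n")
        print(compare_plugin(d, buf.getvalue(), "updraftplus"))
```

A finding with `is_code` set to `True`, or any `added` file, is the case that deserves a manual diff before the warning is dismissed.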

  • The topic ‘Wordfence reports modified plugin file’ is closed to new replies.