WordPress core files modified

  • Resolved MarkMadeDesign

    (@markmadedesign)


    6 years, 5 months ago

    Getting some strange errors over some core WP files being modified. Network Solutions support said I should change them back to what they were but I’m a little hesitant to do so. Any ideas on these below and should I hit “Repair” in Wordfence? Or is it malware?

    WordPress core file modified: wp-admin/includes/update.php
    WordPress core file modified: wp-includes/http.php
    WordPress core file modified: wp-includes/update.php

    In this “update.php” example here are the differences noted by Wordfence.

    $url = $http_url = 'https://api.www.ads-software.com/core/checksums/1.0/?' . http_build_query( compact( 'version', 'locale' ), null, '&' );

    …was modified to…

    $url = $http_url = 'https://atl4.violin.web.com/services/wpplat/getchecksum?' . http_build_query( compact( 'version', 'locale' ), null, '&' );

    Also, not sure its related, but I took a month off from this WordPress project and when I returned to it I noticed some of the page content was hidden from the front-end, but still intact in the WP back end, when it was appearing just fine when I was last working on this project. This prompted me to install / scan with Wordfence and find these errors. In case these core file changes are affecting this page content (<?php the_content(); ?> in my theme code). Example link below.

    https://spaindifference.com/our-people/ – content under title not showing

    This site is hosted via Network Solutions “WordPress hosting”, in case that matters. Thanks in advance to any help or insight that can be provided.

Viewing 7 replies - 1 through 7 (of 7 total)

  • Hi @markmadedesign!
    That change struck me as odd initially but when doing a lookup on your domain spaindifference.com the owner of the network shows up as Web.com, Inc. Your WordPress API URL was changed to violin.web.com so therefore I suspect this change may have been made by your host? It seems strange that they wouldn’t be aware of it though.

    I would recommend you download the affected files so you have a record of what changed in them, then I’d recommend you reach out to your host and ask what atl4.violin.web.com/services/wpplat/getchecksum is and if they’ve recently implemented some customization of the WordPress update functions on your site.

    Thread Starter MarkMadeDesign

    (@markmadedesign)

    Thank you so much! I too thought it might have something to do with the hosting based on some research I did find. I will download those files as a record and reach out to my hosting based on your feedback.

    Thread Starter MarkMadeDesign

    (@markmadedesign)

    Hi wfasa,

    It sounds like that web.com link that was inserted in the core files does not ring a bell to hosting support and they said their system does not automatically change file names like that. So there’s a chance it could be malware but they said to try and correct those files to what they were. Or to remove those files and “re-install” (WordPress I assume they meant, which I’ve never re-installed before). I would also change my passwords too. Here’s a screenshot below to the Wordfence alert.

    https://cl.ly/0dd2dba5e3a7

    Would you recommend the same? Something else?

    Hi @markmadedesign,
    I would recommend you demand that your webhost explains what https://atl4.violin.web.com/services/wpplat/getchecksum is. It’s their domain. They are literally hosting that. They need to go look and find out what it is. (Network solutions is owned by web.com).

    Hi @markmadedesign,

    It sounds like the issue is caused by your hosting provider. I would recommend asking them for an explanation.

    I’ve gone ahead and marked this thread as resolved. Feel free to open another thread if you’re still having issues with Wordfence.

    Thanks!

    //@wp_mail($email, __(‘New WordPress Site’), $message);

    These two // forward slashes were added to my upgrade.php file.

    What should I do?

    @zulumoongondolas,
    Have you checked with your hosting provider if they made that change?

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘WordPress core files modified’ is closed to new replies.