Why is WordFence warning me that files inside UpdraftPlus have changed?

There are some WordPress security plugins which will alert you if the contents of one of your plugin files changes (e.g. WordFence). This is a useful service – if unexpected changes occur, then it might mean that your site was hacked.

The way that WordFence detects this unfortunately results in lots of false positives.

The better way to perform this check would be by comparing your installed plugin with the plugin that was originally downloaded. However, WordFence compares your installed plugin with the plugin that can be downloaded today.

This is problematic, because plugin authors often make minor changes to their plugins without changing the version number. For example, when a new version of WordPress is released, they might update the indication of which WordPress version the plugin supports; or they might fix a trivial spelling mistake, or fix a bug that affected a small number of people. They do this because changing the version number will cause an update to show for all users of the plugin – and if this happens too often, then users get unhappy about the number of updates they have to apply. Hence, there’s a trade-off: the plugin developer has to weigh the value of the improvement or bugfix being made, and the number of users it will benefit, against the cost of increasing the version number.

This is quite common (we speak from experience of maintaining very many WordPress sites and plugins); but unfortunately WordFence assumes that a plugin will never change if its version number hasn’t changed. That assumption just doesn’t fit with a lot of very popular WordPress plugins.

Of course, it’s possible that you really have been hacked; however, WordFence’s warning is only a possible indicator of this, not a definite one.
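To make the difference between the two comparison strategies concrete, here is an added example (not code from UpdraftPlus or WordFence) in Python. It records a SHA-256 manifest of a plugin directory at install time, and later diffs the installed files against that baseline, which is the “originally downloaded” comparison described above. For contrast it also diffs the installed files against a copy of what upstream ships today. The plugin files, the silent readme change and the function names are all constructed for the illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(reference, installed):
    """Report files added, removed or modified in `installed` relative to `reference`."""
    ref_paths, inst_paths = set(reference), set(installed)
    return {
        "added": sorted(inst_paths - ref_paths),
        "removed": sorted(ref_paths - inst_paths),
        "modified": sorted(p for p in ref_paths & inst_paths
                           if reference[p] != installed[p]),
    }


def _write_tree(root, files):
    """Write a {relative_path: text} mapping to disk under `root` (test helper)."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Constructed scenario: upstream edits readme.txt without bumping the version.

    Returns three diffs: installed files vs. the install-time baseline,
    installed files vs. today's upstream copy, and the install-time baseline
    vs. the installed files after a real local modification.
    """
    # Hypothetical plugin as originally downloaded and installed.
    plugin_as_installed = {
        "example-plugin/example-plugin.php": "<?php\n/* Version: 1.0 */\n",
        "example-plugin/readme.txt": "Tested up to: 6.4\n",
    }
    # Same version number, but the author silently updated the readme upstream.
    plugin_upstream_today = dict(plugin_as_installed)
    plugin_upstream_today["example-plugin/readme.txt"] = "Tested up to: 6.5\n"

    with tempfile.TemporaryDirectory() as tmp:
        installed_dir = os.path.join(tmp, "installed")
        upstream_dir = os.path.join(tmp, "upstream_today")
        _write_tree(installed_dir, plugin_as_installed)
        _write_tree(upstream_dir, plugin_upstream_today)

        # Baseline captured once, at install time, and stored for later checks.
        baseline = build_manifest(installed_dir)

        vs_baseline = diff_manifests(baseline, build_manifest(installed_dir))
        vs_upstream = diff_manifests(build_manifest(upstream_dir),
                                     build_manifest(installed_dir))

        # Now simulate a genuine local change to a PHP file on the site.
        _write_tree(installed_dir, {
            "example-plugin/example-plugin.php": "<?php\n/* Version: 1.0 */\n// edited\n",
        })
        vs_baseline_after_edit = diff_manifests(baseline, build_manifest(installed_dir))

    return vs_baseline, vs_upstream, vs_baseline_after_edit


if __name__ == "__main__":
    clean, false_positive, real_change = demo()
    print("vs install-time baseline:", clean)
    print("vs today's download:     ", false_positive)
    print("after local edit:        ", real_change)
```

The first diff is empty because nothing on the site changed; the second flags readme.txt purely because upstream republished the same version, which is the false positive the text describes; the third shows that a baseline recorded at install time still catches a real modification to a PHP file.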

Posted in: Troubleshooting
