Title: Viewing File differences…
Last modified: August 31, 2016

---

# Viewing File differences…

 *  Resolved [LMD99](https://wordpress.org/support/users/lmd99/)
 * (@lmd99)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/)
 * After a scan, I notice a couple of core files that were modified relatively recently
   and that I didn’t make the change.
 * Below I show the changed lines of code…
 * Original version:
 * `<form name="registerform" id="registerform" action="<?php echo esc_url( site_url('wp-login.php?action=register', 'login_post' ) ); ?>" method="post" novalidate="novalidate">`
 * `<form name="loginform" id="loginform" action="<?php echo esc_url( site_url( 'wp-login.php', 'login_post' ) ); ?>" method="post">`
 * Modified version:
 * `<form name="registerform" id="registerform" action="<?php echo esc_url( wp_registration_url());?>" method="post" novalidate="novalidate">`
 * `<form name="loginform" id="loginform" action="<?php echo esc_url( wp_login_url());?>" method="post">`
 * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/)

Viewing 10 replies - 1 through 10 (of 10 total)

 *  Thread Starter [LMD99](https://wordpress.org/support/users/lmd99/)
 * (@lmd99)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321731)
 * Sorry – the first file was wp-login.php
 * Add – there are a couple other files that were modified as well:
 * wp-includes/bookmark.php
    wp-includes/ID3/getid3.lib.php
 * Double sorry – didn’t see the edit link.
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321772)
 * Hello LMD99,
   Those look like legit changes to me that would have happened with
   a WordPress update. Are you running a beta version of WordPress or something
   similar?
 *  Thread Starter [LMD99](https://wordpress.org/support/users/lmd99/)
 * (@lmd99)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321784)
 * No – 4.4.2. It was highlighted in a Wordfence scan. And, there has been a bit
   of trouble with access to the domain in question. It’s all been cleared up, but
   still a bit paranoid – especially when I saw the results of the scan.
 * ¯\_(ツ)_/¯
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321791)
 * It’s a very curious situation. The code it has changed to looks like “better”
   code than the code it used to be. The new code does not exist in any older version
   of WordPress (I checked). So it’s like you somehow have a future version of WordPress
   that doesn’t exist yet. 🙂
 * I’m very interested in figuring this out so if you have time, what plugins do
   you have installed on this site?
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321793)
 * Hello again LMD99,
   I have an idea about where that code came from now. The code
   you have as “new” was introduced in WordPress core with the 4.4 release but was
   then reverted due to the change breaking some other functionality. You can read
   a bit about it [here](https://core.trac.wordpress.org/ticket/34925#comment:6).
 * I’m guessing you haven’t updated since WordPress reverted this change and the
   code you have is no longer available in the repo that is used to compare WordPress
   files against. So this is why you are getting the notification about a change.
   The file has not actually been changed, but the files that WordPress distributes
   have.
 * So I think we can conclude that it’s harmless.
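
The situation described in the reply above, as an added example that is not part of the thread and not Wordfence's code: a core file can be flagged because the reference copy changed while the local copy did not. The file contents, both manifests and the `classify` helper are constructed for illustration, and keeping a hash manifest of the package the site was installed from is an assumption.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed, shortened stand-ins for the login form line quoted in the thread.
SHIPPED = b'<form name="loginform" action="<?php echo esc_url( wp_login_url() ); ?>" method="post">'
REVERTED = (b"<form name=\"loginform\" action=\"<?php echo esc_url( "
            b"site_url( 'wp-login.php', 'login_post' ) ); ?>\" method=\"post\">")
EDITED = SHIPPED + b"\n<?php /* constructed local edit */ ?>"

# Hypothetical manifests, path -> SHA-256.
INSTALLED_PACKAGE = {"wp-login.php": digest(SHIPPED)}   # archive the site was installed from
CURRENT_REFERENCE = {"wp-login.php": digest(REVERTED)}  # copy the scanner compares against today

def classify(path, local_bytes, current=CURRENT_REFERENCE, installed=INSTALLED_PACKAGE):
    """Explain why a file does or does not match the scanner's reference."""
    if path not in current and path not in installed:
        return "unknown-file"          # not a core file in either manifest
    local = digest(local_bytes)
    if current.get(path) == local:
        return "matches-reference"     # nothing to report
    if installed.get(path) == local:
        return "reference-changed"     # untouched locally; upstream copy moved on
    return "locally-modified"          # differs from every known-good copy: investigate

def triage(files):
    return {path: classify(path, data) for path, data in files.items()}

if __name__ == "__main__":
    for state in (SHIPPED, REVERTED, EDITED):
        print(classify("wp-login.php", state))
```

Only the `locally-modified` result means the bytes on disk differ from every known-good copy; `reference-changed` is the case discussed in this thread.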
 *  Thread Starter [LMD99](https://wordpress.org/support/users/lmd99/)
 * (@lmd99)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321799)
 * Interesting that Wordfence classified the change as something I can’t remember
   exactly: “critical”?
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321820)
 * Well you have code in your WordPress core files that does not exist in any stable
   release of WordPress. That could have been very bad. Security software looks 
   for patterns that usually mean something bad is happening but sometimes they 
   will give a “false positive”. We would rather have it warning too much than missing
   critical problems.
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321883)
 * I’m setting this to “resolved” for now LMD99. I hope that’s alright with you.
   If you update WordPress to the latest version you will no longer get warnings
   about changes in core files.
 *  Thread Starter [LMD99](https://wordpress.org/support/users/lmd99/)
 * (@lmd99)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321886)
 * I’m also finding potential issues when scanning outside the WP environment.
   The scan is coming up with this file as being “malicious”: phpmyadmin/libraries/Config.class.php
 * “This file is a PHP executable file and contains the word ‘eval’ (without quotes)
   and the word ‘unpack(‘ (without quotes). The eval() function along with an encoding
   function like the one mentioned are commonly used by hackers to hide their code.
   If you know about this file you can choose to ignore it to exclude it from future
   scans.”
 * Are you aware of this being a false positive? Or, is this an issue?
 *  [wfasa](https://wordpress.org/support/users/wfasa/)
 * (@wfasa)
 * [10 years, 1 month ago](https://wordpress.org/support/topic/viewing-file-differences/#post-7321887)
 * Hello LMD99,
   I checked the contents of a normal “Config.class.php” in phpMyAdmin
   and yes, it’s a false positive. You can choose to ignore it in future scans.
   I have filed this as a bug. Our internal case number is FB1715.
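
Why a rule worded like the scan message above produces false positives, as an added example that is not part of the thread and not Wordfence's code: it compares a plain substring test with a check that a decoding call sits inside the argument of an actual `eval()` call. Both PHP samples, the decoder list and all function names are constructed for illustration.

```python
import re

# eval( as a real call: not the tail of a longer name, not a method or variable.
EVAL_CALL = re.compile(r"(?<![\w$>:])eval\s*\(", re.IGNORECASE)
DECODER_CALL = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|unpack)\s*\(", re.IGNORECASE)

def substring_rule(src: str) -> bool:
    """Rule as worded in the scan message: both substrings anywhere in the file."""
    return "eval" in src and "unpack(" in src

def call_argument(src: str, open_idx: int) -> str:
    """Text between the '(' at open_idx and its matching ')', skipping quoted strings."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return src[open_idx + 1:]               # unbalanced input: take the rest

def contextual_rule(src: str) -> bool:
    """Flag only when a decoding call appears inside the argument of an eval() call."""
    return any(DECODER_CALL.search(call_argument(src, m.end() - 1))
               for m in EVAL_CALL.finditer(src))

# Constructed samples (not taken from phpMyAdmin or from any real malware).
BENIGN = """<?php
// retrieval of a binary header; values are evaluated by the caller
function read_header($bin) { return unpack('Nlength/ntype', $bin); }
"""
WRAPPED = "<?php eval(gzinflate(base64_decode('PLACEHOLDER'))); $n = unpack('N', $x);"

def compare(samples):
    return {name: (substring_rule(s), contextual_rule(s)) for name, s in samples.items()}
```

The benign sample trips the substring rule through the words "retrieval" and "evaluated" plus an ordinary `unpack(` call, while the contextual check flags only the wrapped sample.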
