What are allowed files in the WordPress core and core directories?
When the Website File Changes Monitor plugin scans your website for file changes, it compares your website’s WordPress core files to the files on the official WordPress repository. The plugin uses this comparison to alert you if:
- any of the WordPress core files on your website have been tampered with
- there are files in your website’s WordPress core that are not part of the official WordPress core
To learn more about the plugin's scanning process, read the document how Website File Changes Monitor identifies file changes on WordPress websites. Below is a screenshot of detected non-WordPress core files in the core of a WordPress website.
As a security best practice, the plugin assumes that a non-WordPress core file in the website root directory, or in the core subdirectories, is a malicious file. However, some websites might have legitimate non-WordPress core files as part of their website. In such cases, these files have to be added as allowed files.
This post explains what non-WordPress core files are, why the plugin notifies you of them, and how you can configure the plugin to handle these files as legitimate files.
What is the WordPress core?
WordPress is a web application and it is made up of a number of files. It consists of the following:
- the files in your website’s root directory
- the files in the wp-admin and wp-includes subdirectories
Anything else on the website is considered non-WordPress core. This includes the installed plugins, themes and all the files that you upload to your website, such as images, PDF documents, and audio files.
Plugins, themes and user-uploaded files are saved in specific directories on your WordPress website. As a security precaution, any other files saved outside these directories are considered malicious by the plugin.
For example, if during a file integrity scan the plugin identifies a file info.php in your website root directory, it will alert you about it each time it identifies it on the website. This is a security precaution because there is no info.php file in the WordPress core. Therefore, before marking it as read and adding it as an allowed file, you should check what it is. If it is legitimate, then you should add it as an allowed file in the WordPress core.
What are allowed files?
Allowed files are non-WordPress core files (such as those from a custom web application) that the plugin knows of and that are saved in your website's WordPress core (the website's root directory and the wp-admin and wp-includes subdirectories).
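As an added illustration (not the plugin's own code), the following Python script reproduces the classification described above on a constructed website snapshot: core files are compared against a stand-in for the official file list, files in the core area that are neither official nor allowed are reported, and the two allowlist settings (individual files and whole directories) suppress known legitimate files. The hashes, paths and the assumption that only the wp-content tree is excluded from the core comparison are constructed for this example.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the official core file list (path -> hash of the
# pristine file). The real plugin obtains this from the WordPress repository.
OFFICIAL_CORE = {
    "index.php": sha256(b"<?php require __DIR__ . '/wp-blog-header.php';"),
    "wp-admin/admin.php": sha256(b"<?php // pristine admin.php"),
    "wp-includes/version.php": sha256(b"<?php $wp_version = '6.x';"),
}

# Plugins, themes and uploads live under wp-content, which is not core.
# Assumption for this example: it is the only tree excluded from the check.
NON_CORE_TREES = ("wp-content/",)


def scan_core(site_files, allowed_files=(), allowed_dirs=()):
    """site_files: {relative path: file bytes}.
    Returns (tampered, unknown): official core files whose content differs
    from the official hash, and files in the core area that are neither
    official nor on the allowed-file / allowed-directory lists."""
    allowed_prefixes = tuple(d.strip("/") + "/" for d in allowed_dirs)
    tampered, unknown = [], []
    for path in sorted(site_files):
        if path.startswith(NON_CORE_TREES):
            continue  # plugin, theme or upload: outside the core comparison
        if path in OFFICIAL_CORE:
            if sha256(site_files[path]) != OFFICIAL_CORE[path]:
                tampered.append(path)
        elif path in allowed_files or path.startswith(allowed_prefixes):
            continue  # known legitimate non-core file
        else:
            unknown.append(path)
    return tampered, unknown


# Constructed snapshot: one modified core file, a stray info.php in the root,
# a custom web application directory, and a plugin file (skipped).
SITE = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
    "wp-admin/admin.php": b"<?php // pristine admin.php\n// unexpected extra line",
    "wp-includes/version.php": b"<?php $wp_version = '6.x';",
    "info.php": b"<?php phpinfo();",
    "custom-app/api.php": b"<?php // part of a custom web application",
    "wp-content/plugins/hello/hello.php": b"<?php // a plugin, not core",
}

if __name__ == "__main__":
    print(scan_core(SITE))
    print(scan_core(SITE, allowed_files=("info.php",), allowed_dirs=("custom-app",)))
```

The second call shows the effect of the two settings: info.php and everything under custom-app stop being reported, while the modified wp-admin/admin.php is still flagged as tampered because allowlisting never silences changes to official core files.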
How do you add a file (or all files in a directory) to the list of allowed files?
There are two ways of adding a file, or all the files in a directory, as allowed files in the Website File Changes Monitor plugin.
Via the plugin settings
Navigate to the plugin settings and specify the filename and extension of the file in the setting Allow these files. You can also add all the files in a directory as allowed files by specifying the path of that directory in the Allow all the files in these directories setting. Both settings are highlighted in the below screenshot.
To remove a file or a directory from the list, simply select it and click Remove.
Via the file changes notification
In the plugin's interface, there are four icons next to each reported file change. When you mark a file change as read by clicking the Mark as read icon, the file is added as an allowed file, so the plugin will consider that file as part of your website's WordPress core from then on. You can also click the Add as allowed directory icon to add all the files in that directory as allowed files.
Refer to what to do with reported file changes for a detailed explanation of what each icon means, and how you can manage the reported file changes.