How to address the file changes the plugin finds on your WordPress website
You have installed the Website File Changes Monitor plugin on your WordPress website. After a file changes scan, it alerted you to a number of file changes. What does this mean, and what should you do with such information?
This post helps you make sense of such information and explains what options you have and how to manage such data.
Why are there file changes on your WordPress website?
On a typical WordPress website, you should only expect file changes when:
- the WordPress core is updated
- a theme or plugin is installed, updated or deleted
- a user uploads or deletes a file from the uploads directory (such as an image, a document or any other type of non-executable file)
Any other file change should be considered suspicious and should be checked. For more information on this subject, read file integrity monitoring for WordPress.
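A first-pass sort of reported changes against the three expected cases above, as an added example (this is not the plugin's own logic). The executable-extension list, the treatment of root-level files as core, the site-specific file names and the sample paths are assumptions constructed for illustration:

```python
from pathlib import PurePosixPath

# Assumptions for this sketch, not taken from the plugin:
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh"}
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}  # never replaced by a core update

def triage(path, change, core_updated=False, updated_slugs=frozenset()):
    """Return 'expected' or 'check' for one reported file change.

    path          -- path relative to the WordPress root
    change        -- 'added', 'modified' or 'deleted'
    core_updated  -- True if a core update ran since the previous scan
    updated_slugs -- plugin/theme directories installed, updated or deleted
    """
    p = PurePosixPath(path)
    parts = p.parts
    if not parts or ".." in parts or p.name in SITE_SPECIFIC:
        return "check"
    # Uploads: only non-executable files being added or deleted are routine.
    if parts[:2] == ("wp-content", "uploads"):
        exts = {s.lower() for s in p.suffixes}  # catches thumb.php.jpg too
        ok = change in ("added", "deleted") and not exts & EXECUTABLE_EXT
        return "expected" if ok else "check"
    # Plugins and themes: routine only if that plugin or theme was touched.
    if parts[0] == "wp-content":
        known = len(parts) >= 3 and parts[1] in ("plugins", "themes")
        return "expected" if known and parts[2] in updated_slugs else "check"
    # Core (assumed): root-level files, wp-admin and wp-includes.
    if len(parts) == 1 or parts[0] in ("wp-admin", "wp-includes"):
        return "expected" if core_updated else "check"
    return "check"

def review_queue(changes, **context):
    """Keep only the changes that need a manual look."""
    return [(p, c) for p, c in changes if triage(p, c, **context) == "check"]

# Constructed sample scan result: the admin updated one plugin, nothing else.
SAMPLE = [
    ("wp-content/uploads/2024/05/logo.png", "added"),
    ("wp-content/uploads/2024/05/thumb.php.jpg", "added"),
    ("wp-content/plugins/contact-form/form.php", "modified"),
    ("wp-content/plugins/gallery/gallery.php", "modified"),
    ("wp-includes/version.php", "modified"),
    ("wp-config.php", "modified"),
]

if __name__ == "__main__":
    for item in review_queue(SAMPLE, updated_slugs={"contact-form"}):
        print(*item)
```

Anything the function returns as "expected" still deserves a glance at the timestamp; the sort only decides what to look at first.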
What can you do with the reported file changes?
The plugin detects and reports the following types of file changes on your WordPress website:
- A file has been added to your website
- An existing file has been modified or deleted from your website
- A non-WordPress core file is in the WordPress core
- A WordPress core file has been modified or deleted
When the plugin reports a file change, after confirming it you should remove the notification from the UI by marking it as read, or by adding the file to the list of allowed files in WordPress core.
There are a few actions you can choose from. Below is a detailed explanation of each action:
Mark as read: when you mark a file change as read, it means that you know about this change and that it is the new normal. So, unless that file changes again or is deleted, from now onward that is the latest version of the file. If you mark a non-WordPress core file change as read, the file will also be added to the list of allowed files in WordPress core. This means that the file is now considered part of the WordPress core of your website.
Add as allowed file: when the plugin identifies a non-WordPress core file in the WordPress core, it will alert you. The plugin will keep alerting you about this file with every subsequent scan, since non-WordPress core files are typically saved in specific subdirectories of the wp-content directory. To stop the plugin from alerting you about it, add it to the list of allowed files, as explained in What are allowed files in WordPress core.
Add as allowed directory: when the plugin identifies non-WordPress core files in the WordPress core, it will alert you. The plugin keeps alerting you about these files with every subsequent scan, since non-WordPress core files are typically saved in specific subdirectories of the wp-content directory. If you want all the files in a directory to be considered part of the WordPress core of your WordPress website, add that directory as an allowed directory in WordPress core.
Exclude file: exclude this file from future scans. Therefore, if this file is changed or deleted, the plugin won't alert you about it. Read how to exclude files from WordPress file integrity scans for more information.
Exclude directory: this works like the Exclude file option, with the difference that it applies to all the files in the excluded directory.