How does the plugin detect file changes on WordPress?

You are here:

The Website File Changes Monitor plugin employs two different types of file integrity checking methods. This article explains how the scanning process and both these methods work.

The WordPress file integrity scan

Before we explain how the different scanning methods used to work, we have to explain how the scan itself is structured.

The WordPress website directories which the plugin will scan for file changes

The file integrity scan is split in these sections:

  • WordPress core files
    • This is what makes up the WordPress website / web application.
    • Path(s): website root, wp-admin and wp-includes subdirectories.
  • Themes directory
    • This is the directory in which the installed theme(s) files are saved.
    • Path: /wp-content/themes/
  • Plugins directory
    • This is the directory in which the installed plugin(s) files are saved.
    • Path: /wp-content/plugins/
  • Upload directory
    • This is the directory in which user uploaded files, plugins and themes working file-based data are saved. Examples of user uploaded files are images, videos and other media files. Examples of plugins and themes file-based data are log files, images, xml files etc.
    • Path: /wp-content/uploads/
  • wp-content directory
    • The themes, plugins and uploads directories are subdirectories in this directory. However, some third party software can also save data directly in this directory, so this directory has to be scanned as well.

The two different file integrity scan types

Comparing the website’s WordPress core to the official WordPress repository

This only applies to the WordPress core files and directories. These are the website root directory, and the wp-admin and wp-includes subdirectories.

This type of scan is enabled by default and can be disabled from the plugin settings. When disabled, the WordPress core files are then scanned by the legacy scan method mentioned below.

When a file integrity scan runs, and this scanning method is enabled, the plugin does the following:

  1. It generates a checksum (fingerprint) of all the files in the website root directory and in the wp-admin and wp-includes directory.
  2. It compares them to the list of checksums of the official WordPress repository.

If there are any files in these directories that are not part of the official WordPress core, or there are modified or missing WordPress core files, the plugin reports such changes.

The plugin identified a number of modified WordPress core files

IMPORTANT: As a security precaution, the plugin keeps reporting non-WordPress core files in WordPress core in each scan, unless you add them to the list of allowed files in WordPress core.

Comparing file changes in between scans

This scan type applies to all files on the website. If the scan method above is enabled, the WordPress core files are not scanned using this method. If the scan method above is disabled, then the WordPress core files are also scanned using this method.

When a file integrity scan runs, the plugin does the following:

  1. The first time a scan runs, the plugin only generates a checksum (fingerprint) of all the files on the website.
  2. During subsequent scans, the plugin compares the list of files checksums to those generated during the previous scan.

When the plugin plugin identifies any differences, such as new files, deleted files or modified files, it reports them.

For a more detailed technical explanation read how file integrity monitoring for WordPress works.

How to address the reported file changes?

Once the plugin reports file changes, there are a number of things you can do. You can mark a change as read, add a file as allowed file etc. Refer to How to address the file changes on WordPress websites reported by the plugin for a more detailed explanation of what each action does.