Modified WordPress Core Files
There are few things WordPress can’t do. By leveraging themes, plugins, and WordPress’ native action and filter hooks, you can extend and supercharge your WordPress website. However, there is one thing you shouldn’t do: never modify WordPress Core files.
Why WordPress Core Should Never Be Modified
WordPress Core files are the PHP and related source files that contain the main functionality of WordPress. Core files are not intended to be modified in ANY way. Modifying core files can introduce security vulnerabilities, incompatibilities, and other issues with the normal operation of WordPress.
Modifying WordPress Core is outside of the scope of WP Engine support. As a result, we do not support WP Engine platform functionality for WordPress websites with modified core files.
Additionally, because WP Engine automatically updates WordPress on your websites, our system will automatically revert modified WordPress Core files in the update process. Learn more about automatic core updates.
Modified WordPress Core Files are Not Supported
When our system detects that you are trying to deploy or copy an environment which contains modified WordPress Core files, our platform will prevent the action. Instead, you may see one of the following errors:
We have detected that your WordPress Core files have been modified. We do not allow modified core to be copied between installs.
The error may also indicate which WordPress Core file(s) appear to be modified, to help you identify and fix the issue. For example:
wp core verify-checksums Warning: File doesn't verify against checksum: wp-config-sample.php: WordPress install doesn't verify against checksums.
Fixing Modified Core Files
There are a few different ways to resolve modified core files. Before you begin, however, make sure you have taken a backup of your site. While our platform automatically takes nightly backups, we recommend taking a backup before attempting to solve a modified core issue, just in case you need to roll back your changes.
(Option 1) Reinstall WordPress Core via the WP-Admin
(Option 2) Verify and reinstall WordPress Core via WP CLI
Reinstall/Update WordPress Core via WP-Admin
The easiest option for any experience level is to visit the update screen of your WordPress Admin Dashboard. You will need to be an Administrator on the website in order to update WordPress.
- Log in to the wp-admin dashboard of your WordPress site
- Click Dashboard
- Click Updates
You can also navigate to your domain, and add the following path to the end:
/wp-admin/update-core.php
- Click Check Again to force WordPress to look for an update, if no update shows as available
- Click the Re-install Now button to install a fresh, unmodified version of your WordPress core files
Verify and Reinstall WordPress Core via WP CLI
This option is a little more complex, but it gives you more information if you’re attempting to determine exactly what was modified. Before proceeding you will need SSH Gateway access. Learn more about SSH Gateway here.
The verify-checksums command compares your WordPress files against WordPress.org’s checksums. A checksum is a digital fingerprint of a set of files. If any file in your WordPress core has been modified, the digital fingerprint of your core files will not match WordPress.org’s checksum.
- Connect to your environment using SSH Gateway
- Change directory into the appropriate root directory:
cd sites/environment
- Replace environment with your unique environment name
- Verify the environment’s WordPress Core files against checksums:
wp core verify-checksums
- If you receive the following success message, your Core files are not modified:
Success: WordPress install verifies against checksums.
- Below is an example failure message with information about what files have been modified and are causing a failure:
Warning: File doesn't verify against checksum: wp-config-sample.php
Error: WordPress install doesn't verify against checksums.
- Regardless of what file is returned, this still constitutes modified Core files and poses a security risk to your site. It will need to be corrected.
- Reinstall WordPress Core
- Reinstall the current version of WordPress Core:
wp core download --force
- Or, install the latest version of WordPress Core files:
wp core update
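As an added example (not WP Engine's or WP-CLI's own code): before the reinstall overwrites anything, the failure output shown above can be parsed to keep a copy and hash of each modified file for later review. The function names, the sample output beyond the first line, and the evidence directory are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: keep copies of modified core files before they are overwritten.

# Constructed sample of `wp core verify-checksums` failure output. The first
# file name is the one shown on this page; the others are made up.
SAMPLE_OUTPUT="Warning: File doesn't verify against checksum: wp-config-sample.php
Warning: File doesn't verify against checksum: wp-includes/version.php
Warning: File doesn't verify against checksum: ../outside-root.php
Error: WordPress install doesn't verify against checksums."

# Read verify-checksums output on stdin, print one reported path per line.
# Only the warning format shown on this page is parsed.
modified_core_files() {
  sed -n "s/^Warning: File doesn't verify against checksum: //p"
}

# Portable SHA-256 of one file (GNU sha256sum, else shasum).
hash256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi
}

# preserve_modified ROOT DEST: read relative paths on stdin, copy each file
# from the WordPress root into DEST (keeping its relative path), and append
# its hash to DEST/SHA256SUMS. Prints the number of files copied.
preserve_modified() {
  root=$1; dest=$2; count=0
  mkdir -p "$dest"
  while IFS= read -r rel; do
    # Ignore empty lines, absolute paths and anything containing "..",
    # so nothing outside ROOT is read and nothing outside DEST is written.
    case $rel in ''|/*|*..*) continue ;; esac
    [ -f "$root/$rel" ] || continue
    mkdir -p "$dest/$(dirname "$rel")"
    cp -p "$root/$rel" "$dest/$rel"
    (cd "$dest" && hash256 "$rel") >> "$dest/SHA256SUMS"
    count=$((count + 1))
  done
  echo "$count"
}

# Usage from the WordPress root (WP-CLI prints warnings on stderr, hence 2>&1;
# ../core-evidence is a hypothetical directory outside the web root):
#   wp core verify-checksums 2>&1 | modified_core_files \
#     | preserve_modified . ../core-evidence
```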
While debugging modified core files is outside of the scope of WP Engine support, our support team is happy to help you reinstall WordPress core if you are having trouble.
If you believe your site was hacked and your core files modified, reach out to WP Engine Support for assistance.