Modified WordPress Core Files

There are few things WordPress can’t do. Leveraging themes, plugins, and the WordPress’ native action and filter hooks, you can extend and supercharge your WordPress website. However, there is one thing you shouldn’t do: Never Modify WordPress Core files.


Why WordPress Core Should Never Be Modified

WordPress Core files are the PHP and related source files that contain the main functionality of WordPress. Core files are not intended to be modified in ANY way. Modifying core files can introduce security vulnerabilities, incompatibilities, and other issues with the normal operation of WordPress.

Modifying WordPress Core is outside of the scope of WP Engine support. As a result, we do not support WP Engine platform functionality for WordPress websites with modified core files.

Additionally, because WP Engine automatically updates WordPress on your websites, our system will automatically revert modified WordPress Core files in the update process. Learn more about automatic core updates.


Modified WordPress Core Files are Not Supported

When our system detects that you are trying to deploy or copy an environment which contains modified WordPress Core files, our platform will prevent the action. Instead, you may see one of the following errors:

We have detected that your WordPress Core files have been modified. We do not allow modified core to be copied between installs.

The error may also indicate which WordPress Core file(s) appear to be modified, to help you identify and fix the issue. For example:

wp core verify-checksums Warning: File doesn’t verify against checksum: wp-config-sample.php: WordPress install doesn’t verify against checksums.


Fixing Modified Core Files

There are a few different ways to resolve modified core files. Before we begin, however, you should ensure you have taken a backup of your site. While our platform automatically takes nightly backups, we recommend taking a backup before attempting to solve a modified core issue, just in case you need to rollback your changes.

(Option 1) Reinstall WordPress Core via the WP-Admin
(Option 2) Verify and reinstall WordPress Core via WP CLI


Reinstall/Update WordPress Core via WP-Admin

The easiest option for any experience level is to visit the update screen of your WordPress Admin Dashboard. You will need to be an Administrator on the website in order to update WordPress.

  1. Login to the wp-admin dashboard of your WordPress site
  2. Click Dashboard
  3. Click Updates

You can also navigate to your domain, and add the following path to the end:

/wp-admin/update-core.php

  1. Click Check Again to force WordPress to look for an update, if no update shows as available
  2. Click the Re-install Now button to install a fresh, unmodified version of your WordPress core files



Verify and Reinstall WordPress Core via WP CLI

While this option is a little more complex, if you’re attempting to determine exactly what was modified this will give you more information. Before proceeding you will need SSH Gateway access. Learn more about SSH Gateway here.

Verify checksums will compare your WordPress files against WordPress.org’s checksums. A checksum is a digital fingerprint of a set of files. If any file in your WordPress core has been modified, the digital fingerprint of your core files will not match the WordPress.org’s checksum.

  1. Connect to your environment using SSH Gateway
  2. Change directory into the appropriate root directory:
    • Replace environment with your unique environment name
    • cd sites/environment
  3. Verify the environment’s WordPress Core files against checksums:
    • wp core verify-checksums
      • If you receive the following success message, your Core files are not modified:
        • Success: WordPress install verifies against checksums.
      • Below is an example failure message with information about what files have been modified and are causing a failure:
        • Warning: File doesn't verify against checksum: wp-config-sample.php Error: WordPress install doesn't verify against checksums.
        • Regardless of what file is returned, this still constitutes modified Core files and poses a security risk to your site. It will need to be corrected.
  4. Reinstall WordPress Core
    • Reinstall the current version of WordPress Core:
      • wp core download --force
    • Or, install the latest version of WordPress Core files:
      • wp core update

While debugging modified core files is outside of the scope of WP Engine support, our support team is happy to help you reinstall WordPress core if you are having trouble.

If you believe your site was hacked and your core files modified, reach out to WP Engine Support for assistance.


NEXT STEP: Learn about the WP Engine WordPress Core update process

Still need help? Contact support!

We offer support 24 hours a day, 7 days a week, 365 days a year. Log in to your account to get expert one-on-one help.

The best in WordPress hosting.

See why more customers prefer WP Engine over the competition.