What would cause core WordPress files to change?

Avatar
  • updated
  • Answered

Well this is weird.  I've had a WordPress site running without problems for two years now, and now something strange is going on.  I see some files in core WordPress that have changed, they have some different code in them.  Here are the files that have changed:

public_html/wp-admin/js/customize-nav-menus.js
public_html/wp-admin/js/customize-nav-menus.min.js
public_html/wp-admin/js/post.js
public_html/wp-admin/js/post.min.js
public_html/wp-admin/js/updates.js
public_html/wp-admin/js/updates.min.js
public_html/wp-includes/js/wp-sanitize.js
public_html/wp-includes/js/wp-sanitize.min.js
public_html/wp-includes/rest-api.php
public_html/wp-includes/script-loader.php

I have downloaded a fresh version of WordPress and have copied back the original versions of these files, but each time I have done this the files get changed back again (at about 3:00-4:00 AM) - I've done this 3 nights so far, second 2 nights after having changed all my account passwords.

Has anyone else seen this?  Has my site been hacked?  Could it be some anti-spam software doing this?  The site looks fine, no defacement, I don't see anything obvious in the access logs that might suggest that someone is running some backdoor.  It's just very suspicious to me that these files are changing like this.

Avatar
JT S.
  • Answered

Hello. These are good questions. Some ways to get good answers:

Install a WordPress security plugin with logging features such as WordFence and WP Cerber.

Follow our hacked guide.

Check your cPanel and WordPress login history.

Change all passwords

Email our Live Support for an account scan.