About WordPress Core Files
There are very few things WordPress can’t do. Leveraging themes, plugins, and the WordPress’ native action and filter hooks, you can extend and supercharge your WordPress website. However, there is one thing you shouldn’t do: Do Not Modify WordPress core files.
WordPress core files are the PHP and related source files that contain the main functionality of WordPress. Core files are not intended to be modified in ANY way. Modifying core files can introduce security vulnerabilities, incompatibilities, and other issues with the normal operation of WordPress.
Modifying WordPress core files is outside of the scope of WP Engine support. As a result, we do not support WP Engine platform functionality for WordPress websites with modified core files. Additionally, because WP Engine automatically updates WordPress on your websites, our system will automatically revert modified WordPress core files in the update process. Learn more about automatic core updates.
Modified WordPress Core Files are not Supported
When our system detects that you are trying to deploy or copy an environment which contains modified WordPress core files, our platform will prevent the action. Instead, you will see an error similar to this:
The error will indicate which WordPress core file(s) appear to be modified, to help you identify and fix the issue.
Fixing Modified Core Files
There are a few different ways to resolve modified core files. Before we begin, however, you should ensure you have taken a backup of your site. While our platform automatically takes nightly backups, we recommend taking a backup before attempting to solve a modified core issue just in case you need to rollback your changes.
Option 1: Re-install/Update WordPress Core via the WP-Admin
The easiest option (for any experience level) is to visit the update screen of your WordPress Admin Dashboard. You will need to be an Administrator on the website in order to update WordPress. Navigate to your domain, and add the following path to the end:
/wp-admin/update-core.php
If you’re not already logged into your site, you will be prompted to sign in, and then you will land on the Core Update screen. Here you can force WordPress to check for an update if no update is available, or simply click the Re-install Now button. This will install a fresh, unmodified version of your WordPress core files.
Option 2: WP-CLI Core Verify and Update
While this option is a little more complex, if you’re attempting to determine exactly what was modified this will give you more information. Before proceeding you will need Advanced User access. Learn more about Advanced access, and contact Support to request access.
You already have advanced access if you can see the Advanced section from the left-hand navigation on the Overview page. The advanced page in portal gives you access to WP-CLI for your environment as well as some other advanced tools.
Using WP-CLI with Advanced Tools
In the black WP-CLI terminal type the following command for information why your WordPress core is modified:
> wp core verify-checksums
Verify checksums will compare your WordPress files against WordPress.org’s checksums. A checksum is a digital fingerprint of a set of files. If any file in your WordPress core has been modified, the digital fingerprint of your core files will not match the WordPress.org’s checksum.
If you receive the following success message, your core files are not modified and you should be able to proceed with your copy.
> wp core verify-checksums Success: WordPress install verifies against checksums.
Below is an example failure message with information about what files have been modified and are causing a failure:
> wp core verify-checksums Warning: File doesn't verify against checksum: wp-config-sample.php Error: WordPress install doesn't verify against checksums.
Regardless of what file is returned as the reason for the failed checksum verification, this still constitutes modified core files, and poses a security risk to your site. You should investigate changes to those files. If you believe that your site has been hacked, please contact support and request to have your site scanned for security issues.
Redownload WordPress Core with WP-CLI
You can also update your WordPress core via WP-CLI by using the following command. This will force WordPress to re-download the current version installed on your website:
> wp core download --force
If you want to update your WordPress core to the latest version instead, you can also use the following command. However, remember that if you do not have a pending update, your core files will not be re-installed:
> wp core update
While debugging modified core files is outside of the scope of WP Engine support, our support team is happy to help you reinstall WordPress core if you are having trouble.