How to Monitor WordPress Core File Integrity Without Breaking Your Site

Learn practical ways to monitor WordPress core file integrity so you can spot hacks early—without triggering false alarms or breaking your live site.

Why Core File Integrity Monitoring Matters

Attackers often modify or add files inside wp-admin, wp-includes, or the WordPress root to hide malware and web shells. Detecting unexpected changes early is one of the most reliable ways to catch a compromise before it escalates. Agencies like CISA specifically recommend monitoring web server files and logs as part of detecting compromised sites.

The challenge: you need visibility into file changes without constantly breaking your site or chasing false positives. This guide walks you through a safe, practical setup.

Understand What “Core File Integrity” Actually Is

WordPress “core files” are the files that ship with WordPress itself—everything in wp-admin, wp-includes, and specific files in the site root (like wp-settings.php, wp-login.php, etc.). WordPress.org publishes official checksums for these files so tools can verify whether they’ve been altered.

Monitoring integrity means:

  • Checking that core files match the official checksums.
  • Flagging unexpected files inside core directories.
  • Reviewing changes after updates, not just during emergencies.

Use Built-In Site Health as Your Baseline

Before adding plugins or scripts, start with the tools WordPress already provides.

Step 1 – Run a Site Health Check

  1. Log in to your WordPress dashboard.
  2. Go to Tools → Site Health.
  3. Wait for the automatic checks to complete.

What You Should See

You’ll see a status summary (Good, Recommended improvements, or Critical issues) plus a list of tests. Site Health focuses on updates, PHP version, and configuration issues, but it’s your starting point for understanding whether the site is generally healthy and up to date.

Add a Safe File Integrity Checker

WordPress core does not yet include a full file integrity scanner, but the official Site Health Tools plugin extends the Site Health area with exactly that capability. It uses checksums from WordPress.org to verify core files, which is safer than ad-hoc scanners that guess what “looks suspicious.”

Step 2 – Install Site Health Tools

  1. In your dashboard, go to Plugins → Add New.
  2. Search for “Site Health Tools” (author: Marius L. J.).
  3. Click Install Now, then Activate.

Step 3 – Run a Core File Integrity Check

  1. Go to Tools → Site Health.
  2. Look for the new Tools or File Integrity section added by the plugin.
  3. Start the File Integrity or Core File Check scan.

What You Should See

The tool will compare your WordPress core files against the official list from WordPress.org and show:

  • Files that are missing.
  • Files that have been modified.
  • Files that should not exist in core directories.

For a clean site, you should see a confirmation that all core files match the expected checksums, or only a few clearly benign extras (for example, a harmless error_log file created by the server). The plugin does not change any files automatically; it only reports.
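The three result categories above, plus the benign-extras case, as an added example in Python (not the Site Health Tools plugin's code). It assumes you already have the official checksum list for your exact version as a path-to-MD5 map; the sample tree, file contents and the name cache-x.php are constructed for the demo, and only wp-admin and wp-includes are scanned for extras because the site root legitimately holds non-core files such as wp-config.php.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")
BENIGN_EXTRAS = {"error_log", "Thumbs.db"}  # server-generated names the article lists

def md5_file(path):
    h = hashlib.md5()  # the WordPress.org core checksum list uses MD5 digests
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_core(root, checksums):
    """Compare a WordPress tree against {relative_path: md5}; report only, never modify."""
    report = {"missing": [], "modified": [], "unexpected": [], "benign_extra": []}
    for rel, expected in checksums.items():
        if rel.startswith("wp-content/"):
            continue  # assumption: bundled themes/plugins are tracked separately
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif md5_file(full) != expected:
            report["modified"].append(rel)
    for core_dir in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:  # file that core does not ship
                    key = "benign_extra" if name in BENIGN_EXTRAS else "unexpected"
                    report[key].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo():  # constructed sample tree and checksum list, built in a temp directory
    official = {"wp-login.php": b"<?php // login", "wp-admin/index.php": b"<?php // admin",
                "wp-includes/version.php": b"<?php // version"}
    checksums = {p: hashlib.md5(c).hexdigest() for p, c in official.items()}
    on_disk = {"wp-login.php": official["wp-login.php"],
               "wp-admin/index.php": b"<?php // admin + extra line",  # modified
               "wp-admin/error_log": b"PHP Notice ...",               # benign extra
               "wp-includes/cache-x.php": b"<?php // not in core"}    # unexpected
    with tempfile.TemporaryDirectory() as root:
        for rel, content in on_disk.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        return check_core(root, checksums)
```

A benign name is still reported, in its own bucket, so its contents can be reviewed rather than silently ignored.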

Interpreting Results Without Panicking

Not every difference means you’ve been hacked. Some common, non-malicious causes of mismatches include:

  • Leftover files from older WordPress versions that were never removed.
  • Server-generated files like error_log or Thumbs.db.
  • Manual edits to core files made by a previous developer (not recommended, but common).

Checksum tools are intentionally strict: they flag anything that doesn’t match the official core distribution, even if it’s not harmful.

Safe Response Checklist

  • Missing or modified core files – Plan to replace them with fresh copies from the same WordPress version (see the next section).
  • Unexpected files in core directories – Download and inspect them; if you don’t recognize them, treat them as suspicious.
  • Log or cache files – Usually safe, but review their contents for repeated errors or strange code.

Safely Repairing Core Files

Never start deleting or overwriting files on a live site without a backup. A cautious process prevents accidental downtime.

Step 4 – Back Up Before You Touch Anything

  • Ensure you have a recent full backup (database + files) via your hosting panel or backup plugin.
  • Confirm you know how to restore from that backup if needed.

Step 5 – Replace Corrupted Core Files

If the integrity check reports modified or missing core files:

  1. Note your current WordPress version under Dashboard → Updates or Tools → Site Health → Info → WordPress.
  2. Download a fresh copy of that exact version from WordPress.org.
  3. Extract the archive on your computer.
  4. Using SFTP or your host’s file manager, upload only the wp-admin and wp-includes folders and core PHP files in the root, overwriting existing ones.
  5. Do not overwrite wp-content or wp-config.php, as these contain your themes, plugins, and configuration.

What You Should See

After replacing files:

  • Your site should load normally (clear any caching if needed).
  • Re-run the file integrity check and confirm that core files now match.
  • Any remaining warnings should be limited to non-core extras you’ve intentionally kept.

Set Up Ongoing File Change Monitoring

Integrity checks are most useful when they run regularly, not just after you suspect a hack. A dedicated file change monitoring plugin can alert you when files are added, modified, or deleted—especially in core directories and wp-content.

Look for a plugin that:

  • Monitors both core and custom files.
  • Understands WordPress updates so it doesn’t flood you with alerts during normal upgrades.
  • Can send email notifications summarizing file changes.

Some file monitoring plugins are designed specifically for WordPress and can distinguish between legitimate update activity and suspicious changes, reducing false alarms.

Safe Alerting Strategy

  • Send summary emails (daily or weekly) instead of instant alerts for every single file.
  • Treat changes in wp-admin, wp-includes, and unknown PHP files in wp-content as high priority.
  • Document which alerts are expected during plugin/theme updates so your team can quickly ignore noise.
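The alerting strategy above as an added Python example (not taken from any monitoring plugin): it diffs two file snapshots, applies the priority rules from the list, and groups everything into one summary instead of per-file alerts. The snapshot format (relative path mapped to a content hash), the expected_prefixes parameter, the plugin name "forms" and all sample paths are assumptions constructed for the demo.

```python
CORE_PREFIXES = ("wp-admin/", "wp-includes/")

def diff_snapshots(baseline, current):
    """Each snapshot maps relative path -> content hash. Returns sorted (path, change) pairs."""
    changes = [(p, "added") for p in current if p not in baseline]
    changes += [(p, "deleted") for p in baseline if p not in current]
    changes += [(p, "modified") for p in current
                if p in baseline and baseline[p] != current[p]]
    return sorted(changes)

def priority(path, change):
    if path.startswith(CORE_PREFIXES):
        return "high"      # any change inside core directories
    if path.startswith("wp-content/") and path.endswith(".php") and change == "added":
        return "high"      # PHP file the baseline has never seen
    return "review"

def build_digest(baseline, current, expected_prefixes=()):
    """Group changes for one summary email.

    expected_prefixes lists directories with a documented plugin/theme update;
    their changes stay visible under "expected". Core paths are never downgraded.
    """
    digest = {"high": [], "expected": [], "review": []}
    for path, change in diff_snapshots(baseline, current):
        level = priority(path, change)
        if not path.startswith(CORE_PREFIXES) and path.startswith(tuple(expected_prefixes)):
            level = "expected"
        digest[level].append(f"{change}: {path}")
    return digest

def demo():  # constructed snapshots: before and after a documented plugin update
    baseline = {"wp-admin/index.php": "a1", "wp-includes/version.php": "b1",
                "wp-content/plugins/forms/forms.php": "c1",
                "wp-content/uploads/2024/logo.png": "d1"}
    current = {"wp-admin/index.php": "a2", "wp-includes/version.php": "b1",
               "wp-content/plugins/forms/forms.php": "c2",
               "wp-content/plugins/forms/lib/new.php": "e1",
               "wp-content/uploads/2024/x.php": "f1",
               "wp-content/uploads/2024/banner.jpg": "g1"}
    return build_digest(baseline, current, ["wp-content/plugins/forms/"])
```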

Combine Integrity Monitoring with Broader Security Checks

File integrity is one layer of a broader security posture. It works best when combined with:

  • Running your site over HTTPS with a valid TLS certificate.
  • Keeping WordPress, plugins, and themes updated.
  • Using strong passwords and two-factor authentication for admin accounts.
  • Regularly scanning for known vulnerabilities and malware.

Modern security guidance also emphasizes verifying that your site is served securely and that there are no mixed-content or certificate issues, since insecure assets can be used as attack vectors.

When to Escalate to a Professional

Consider bringing in a security professional or your hosting provider if:

  • Integrity checks keep reporting new suspicious files after you clean up.
  • You find obfuscated PHP or JavaScript code in unexpected places.
  • Your site is redirecting visitors, sending spam, or being flagged by browsers/search engines.

In those cases, file integrity monitoring has done its job: it surfaced a deeper compromise that needs expert remediation.

Summary: A Safe, Repeatable Workflow

  • Use Tools → Site Health regularly to keep your baseline healthy.
  • Add Site Health Tools for checksum-based core file integrity checks.
  • Back up before repairing or replacing any core files.
  • Set up a file change monitoring plugin with sensible alerts.
  • Document what “normal” changes look like for your site so you can quickly spot the abnormal.

With this workflow in place, you’ll have early warning if someone tampers with your WordPress core files—without constantly breaking your site or drowning in false positives.
