BugWP logo BugWP
Back to Community
Home / Community / General

Understanding and Resolving Sucuri Security Core Integrity Check Alerts

29 threads Sep 16, 2025

Content

If you use the Sucuri Security plugin, you've likely encountered its Core Integrity Check feature. This powerful tool scans your WordPress core files (/, /wp-admin, and /wp-includes) for changes, alerting you to files that have been added, modified, or removed. While this is a critical line of defense against hacking, it can sometimes generate confusing alerts or false positives. This guide will help you understand why these alerts happen and how to resolve them.

What is the Core Integrity Check?

The Core Integrity Check is a server-side scanner that compares your site's core WordPress files against the official WordPress.org distribution. Its purpose is to detect unauthorized changes that could indicate a security compromise. It's important to note that this is different from the SiteCheck malware scan, which only checks publicly rendered code and cannot scan your server's file system.

Common Reasons for Integrity Check Alerts

Not every alert signifies an attack. Here are the most common benign reasons for these notifications:

  • Leftover Files from Updates: The WordPress updater doesn't always clean up files from previous versions. You might get alerts for old CSS or JS files that were officially removed in a newer WordPress release but are still present on your server.
  • Server-Generated Files: Files created by your hosting environment, such as .ftpquota, php_errorlog, or php_mail.log, are not part of the official WordPress core and will be flagged as "added."
  • Language Files: Changes to .mo and .po files in the wp-content/languages/ directory are frequently reported. These can sometimes be out of sync with the official WordPress API data.
  • Full Site Restorations: If you recently restored your entire site via FTP, the checksum and modification dates of all files will have changed, triggering a massive alert for every core file.
  • Plugin/Theme Activity: Some legitimate plugins or themes (like Wordfence, which creates a firewall file) may write to core directories, triggering an alert.

How to Troubleshoot and Resolve Alerts

1. Analyze the Alert

First, don't panic. Look at the details in the email or the WordPress Integrity panel on the Sucuri Dashboard. Check the file path, status (added/modified/removed), and modification date. A file modified years ago is less likely to be an active threat than one modified minutes ago.

2. Verify the File's Legitimacy

For any suspicious file, especially those with recent timestamps, you should investigate. If you are unsure, you can compare the file's code to a fresh WordPress download or use a malware scanner. Files like phpinfo.php are often unnecessary and pose a security risk by revealing server information, so consider deleting them.

3. Marking False Positives as "Fixed"

For files you know are safe (e.g., server logs, leftover update files, language files), you can instruct the plugin to ignore them in future scans. This is the primary way to stop repeated alerts for the same file.

  1. Go to Sucuri Security > Dashboard.
  2. Find the WordPress Integrity panel. (Note: It may take a moment to load).
  3. In the table, check the box next to the file(s) you want to ignore.
  4. From the ACTION dropdown menu, select Mark as Fixed.
  5. Check the box to confirm you understand this action cannot be undone.
  6. Click Submit.

Important: The "Ignore Scanning" settings panel is for a different purpose and does not affect Core Integrity Checks. You must use the "Mark as Fixed" action within the integrity panel itself.

4. Check Alert Settings

Ensure you have email alerts for integrity checks enabled if you want to receive them. Navigate to Sucuri Security > Settings > Alerts and confirm the option Receive email alerts for core integrity checks is checked.

When an Alert is a Real Problem

While many alerts are false positives, you must take certain findings seriously. Be highly suspicious of:

  • Files with recent timestamps added to core directories when you made no changes.
  • Filenames that are misspellings of common files (e.g., .htaccesss instead of .htaccess).
  • Unknown .php files in your root or /wp-admin/ directory (e.g., fantversion.php, temp1-1.php).

If you find such files, you should immediately investigate for a compromise. A single malicious file often means there are more. It is recommended to follow a complete WordPress hack repair guide.

What If "Mark as Fixed" Fails?

If you try to mark a file as fixed but see a message like "0 out of 1 files were successfully processed," it is usually a file permissions issue. The plugin needs to write to a cache file in /wp-content/uploads/sucuri/sucuri-integrity.php. Check that the sucuri directory exists and that your web server has write permissions for it.

By understanding how the Core Integrity Check works, you can effectively use it to protect your site without being overwhelmed by false alarms. It's a valuable tool for maintaining your WordPress site's security posture.

Related Support Threads Support