Shield Security Unrecognised Files: wp-tinymce.js.gz

@Paul and fellow Shield Security users…

I’ve started getting a message about unrecognised file wp-includes/js/tinymce/wp-tinymce.js.gz in Shield.

This file doesn’t exist in WordPress but I’m just wondering why I’ve suddenly started getting warnings about it? I know I can “ignore” it, but that’s not the point really.

CP 1.1.2, Shield 8.7.0.

Yes, same for me. I deleted it but not sure why it is even there.

1 Like

I ran into the same issue yesterday on one of my sites and thought it had crept in on the server but then realized it’s included in CP.

Could it have carried over from development unintentionally?

1 Like

Seems like a possibility, but the file has been there since v1.0.0 of CP so it makes you wonder why Shield has apparently only just detected it.

That’s a good point/question.

Thanks for reporting this… you’re right, it’s weird that suddenly it should start reporting this.

I believe this has started happening after a change we made to stop including .gz .zip files in the checksums.

I’ll have a think about the best way to handle this bug, sorry about the trouble with that.


Thanks Paul.

1 Like

Thnaks @Paul

Still wondering why it is there at all. Perhaps @james could tell us if it is necessary (since I deleted it on a site!).

I see a commit here in WP:

1 Like

That’s a good find. So wp-tinymce.js.gz does exist in WP 4.9.13 and also WP 5.0 but wp-tinymce.js does not.

But the reverse is true from WP 5.1 onwards.

So Oz, looks like you need to put it back again :slight_smile:

1 Like

Hmmm. OK. Now, which site was it?.. :grimacing:

1 Like

A bit late, but here is how to find the answer to this question.

  1. Go to and search for wp-tinymce.js.gz
  2. Land at
  3. Click the line number in the matching file and land at
  4. According to this code, the .gz file is used to serve a pre-compressed version of some JavaScript files related to TinyMCE. Deleting it won’t cause any issues because there is a fallback method below that line, which is used if the .gz file doesn’t exist.

As far as why it’s done this way (and why this change was undone in WP), it looks like it’s a performance enhancement. You’d have to look back at the WP commit history and the associated ticket(s) for more details.