When creating a new release for a WordPress plugin on WordPress.org, there are a few recommended best practices. The underlying version control system is SVN, which lets developers update code and create new plugin releases. It is strongly recommended to use SVN Tags each time a new release is made. An SVN Tag demarcates all the files that should be included in that release.

Take the SG Optimizer plugin, for example.


They have taken a bad step by creating a release, tagging it as 5.4.3, and then coming back a bit later and updating a file inside that release.

This is bad practice because it means no one can accurately state what the exact status of each file is for that release. It means that people who upgraded to 5.4.3 before they updated that Rest.php file will stay on 5.4.3 with an "older" version of that file, without the fix they applied later on. It's bad practice, and shouldn't be done. It's not difficult to release 5.4.4 if you spot a bug later; we do it sometimes with Shield. It's normal.

You upgraded later on, and our hashes are based on the original release, which is why you're seeing a difference. You can't repair it, so it'll keep showing up in the scan results.

So, what you will want to do is click to ignore this file for now, and you may want to drop an email to their support and ask them not to do this again, since you're relying on other services that expect use of SVN Tags to be consistent. They probably won't listen, but it's worth saying to them.

Note: You can report it to us as well. We'll clear our cache of the hashes for that plugin so this should reduce the problem for other people, too.
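
One way to confirm that a tag was changed after it was created, as described above (an added example, not code from Shield or from the plugin): it reads the XML that `svn log --xml -v` prints for a tag directory and lists every change made after the revision that created the tag. The plugin slug, revision numbers, dates and file path in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `svn log --xml -v` output for one tag directory.
# Slug, revisions, dates and the location of Rest.php are made up.
SAMPLE_LOG = """<log>
<logentry revision="1002">
<date>2020-03-02T15:40:00.000000Z</date>
<paths>
<path action="M" kind="file">/example-plugin/tags/5.4.3/core/Rest.php</path>
</paths>
<msg>fix rest handler</msg>
</logentry>
<logentry revision="1001">
<date>2020-03-02T09:10:00.000000Z</date>
<paths>
<path action="A" kind="dir" copyfrom-path="/example-plugin/trunk"
      copyfrom-rev="1000">/example-plugin/tags/5.4.3</path>
</paths>
<msg>tag 5.4.3</msg>
</logentry>
</log>"""


def post_release_changes(log_xml, tag_path):
    """Return [(revision, action, path)] for every change under tag_path
    committed after the revision that created the tag.
    Returns [] if the log does not contain the tag's creation."""
    entries = sorted(ET.fromstring(log_xml).iter("logentry"),
                     key=lambda e: int(e.get("revision")))
    created = None
    changes = []
    for entry in entries:
        rev = int(entry.get("revision"))
        for node in entry.iter("path"):
            path = node.text.strip()
            if created is None:
                # The tag is born when its directory is added (or replaced).
                if path == tag_path and node.get("action") in ("A", "R"):
                    created = rev
                continue
            inside = path == tag_path or path.startswith(tag_path + "/")
            if rev > created and inside:
                changes.append((rev, node.get("action"), path))
    return changes


if __name__ == "__main__":
    for rev, action, path in post_release_changes(
            SAMPLE_LOG, "/example-plugin/tags/5.4.3"):
        print(f"r{rev} {action} {path}  (changed after the tag was created)")
```

An empty result means the tag still holds exactly the files it was created with, so hashes taken at release time will keep matching.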