Why does my WordPress have file names with random numbers

I’m new to WP and trying to help a friend clean up their site that had been hacked. I’m seeing files with names like:

wp-comments-post234.php
wp-trackback.php111
571719714.php

Is there a way to tell if these files are in use and/or if they are malicious?

3 comments

  1. These files are not native WordPress files.

    If you have ssh access to the server you can for example:

    • set up a clean install and search for these suspicious files with:

      find /path/to/clean/wordpress/ -type f -name 'wp-comments-post234.php'
      
    • compare the whole infected WordPress directory to the clean one:

      diff -r -q /path/to/clean/wordpress/ /path/to/infected/wordpress/ > diff.log
      

      where you can play with the various diff parameters. Here we use -r for recursive and -q for brief (output only whether files differ).

    • use the good suggestion from @evanv to find modified files and run:

      find /path/to/infected/wordpress/ -type f -mtime -7
      

      to find files modified within the last week (7 days). Use -ctime for file creation time and -atime for file access time.

    But you should consider re-installing WordPress and go through the following Codex pages:

    and check the references mentioned there.

  2. bigire is correct. Those are not native WordPress files.

    If it were me, I’d look at date created and date modified of the files and see if you can recognize a pattern. At a minimum, you’ll want to clear out the bad files that were added, and also look for malicious code in otherwise good files (like wp-config.php).

    In order to know which files and/or code is malicious, you’re gonna either have to take a close look into WordPress as it should be in a clean install of WordPress and your friend’s theme, or you’re gonna want to find someone who specializes in web (and ideally WordPress) security to help you take a look. Depending on your level of experience with WordPress, this may be a very difficult task for you to complete. WordPress itself is actually pretty darn secure. Usually vulnerabilities are introduced through themes or plugins... Fixing the problem is one thing. But finding what caused it and making sure it doesn’t happen again... that’s a very big task, and one that should be performed. I’m a DIY fan and love that you’re looking into this... but just be forewarned, if you’re not pretty darn familiar with WordPress, this is gonna take an awfully long time to fix.
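
The clean-versus-infected comparison suggested in the first answer can be scripted so that each finding is labelled. The following is an added example, not code from any of the commenters; the function name `wp_triage`, the output labels and the ODDNAME heuristic are assumptions made here, and the clean copy is assumed to be the same WordPress version as the infected site.

```bash
# Added example. Compares an infected WordPress tree against a clean copy.
# Assumptions: both paths are local directories; file names contain no newlines.
# Prints one tab-separated line per finding:
#   EXTRA    path   file exists only in the infected tree
#   CHANGED  path   file exists in both trees but the content differs
#   ODDNAME  path   ".php" followed by digits (like wp-trackback.php111)
# wp-config.php and everything under wp-content/ (themes, plugins, uploads)
# show up as EXTRA even on a healthy site; those need a manual review.
wp_triage() {
    clean=${1%/}
    infected=${2%/}
    if [ ! -d "$clean" ] || [ ! -d "$infected" ]; then
        echo "usage: wp_triage CLEAN_DIR INFECTED_DIR" >&2
        return 2
    fi
    # List files relative to the infected root, in a stable order.
    (cd "$infected" && find . -type f -print | LC_ALL=C sort) |
    while IFS= read -r rel; do
        rel=${rel#./}
        base=${rel##*/}
        if [ ! -f "$clean/$rel" ]; then
            printf 'EXTRA\t%s\n' "$rel"
        elif ! cmp -s "$clean/$rel" "$infected/$rel"; then
            printf 'CHANGED\t%s\n' "$rel"
        fi
        # Heuristic: a PHP extension with digits appended is not a core file name.
        case $base in
            *.php[0-9]*) printf 'ODDNAME\t%s\n' "$rel" ;;
        esac
    done
}
```

Run it as `wp_triage /path/to/clean/wordpress /path/to/infected/wordpress > triage.log` and start the review with the CHANGED lines, since those are core files whose content no longer matches the clean install.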