I’m new to WP and trying to help a friend clean up their site that had been hacked. I’m seeing files with names like:
wp-comments-post234.php
wp-trackback.php111
571719714.php
Is there a way to tell if these files are in use and/or if they are malicious?
These files are not native WordPress files.
If you have ssh access to the server you can for example:
set up a clean install and search for these suspicious files with:
compare the whole infected WordPress directory to the clean one:
where you can play with the various diff parameters. Here we use -r for recursive and -q for brief, or "Output only whether files differ".
use the good suggestion from @evanv to find modified files and run:
to find files modified within the last week (7 days). Use -ctime for file creation time and -atime for file access time.
But you should consider re-installing WordPress and go through the following Codex pages:
and check the references mentioned there.
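The commands from the answer above did not survive on this page. As an added example (not the answer author's own commands), the following script shows one way to do the comparison it describes with diff -r -q and find; the function names and the demo tree are constructed for illustration, and it assumes a clean WordPress copy of the same version has been unpacked next to the suspect site.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Function names are hypothetical.

# Brief recursive comparison: -r recurses, -q only reports whether files differ.
# diff exits 1 when the trees differ, so its status is deliberately ignored.
compare_trees() {   # usage: compare_trees CLEAN_DIR SUSPECT_DIR (no trailing slash)
    LC_ALL=C diff -rq "$1" "$2" || true
}

# Entries that exist only in the suspect tree (e.g. wp-comments-post234.php).
added_files() {
    compare_trees "$1" "$2" |
        awk -v p="Only in $2" 'index($0, p ": ") == 1 || index($0, p "/") == 1'
}

# Files present in both trees whose contents differ (check these for injected code).
changed_files() {
    compare_trees "$1" "$2" | awk '/^Files .* differ$/'
}

# Regular files whose contents changed within the last N days (default 7).
recent_files() {    # usage: recent_files DIR [DAYS]
    find "$1" -type f -mtime "-${2:-7}" | sort
}

# Constructed sample: a tiny clean tree and a suspect copy with two planted
# files (names taken from the question) and one altered wp-config.php.
make_demo_trees() { # prints the temp directory holding clean/ and suspect/
    d=$(mktemp -d) && mkdir -p "$d/clean/wp-includes" "$d/suspect/wp-includes"
    for t in clean suspect; do
        echo '<?php // config' > "$d/$t/wp-config.php"
        echo '<?php // core' > "$d/$t/wp-includes/version.php"
    done
    echo '<?php // planted' > "$d/suspect/wp-comments-post234.php"
    echo '<?php // planted' > "$d/suspect/wp-includes/571719714.php"
    echo '// appended line' >> "$d/suspect/wp-config.php"
    echo "$d"
}

# Real use: sh triage.sh /path/to/clean /path/to/suspect
if [ "$#" -eq 2 ]; then
    added_files "$1" "$2"; changed_files "$1" "$2"; recent_files "$2" 7
fi
```

Themes, plugins and uploads that are not part of the clean copy will also show up as "Only in" entries, so review the list rather than deleting everything on it.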
You can use these two WordPress plugins for detecting any malicious files:
A premium service by the name Sucuri can also be helpful (offers free scan also).
Once you have cleaned up the site, install WordPress File Monitor Plus plugin, as it will email you each time some file is changed. This way you will be able to quickly revert any changes that some hacker makes in the future!
bigire is correct. Those are not native WordPress files.
If it were me, I’d look at date created and date modified of the files and see if you can recognize a pattern. At a minimum, you’ll want to clear out the bad files that were added, and also look for malicious code in otherwise good files (like wp-config.php).
In order to know which files and/or code is malicious, you’re gonna either have to take a close look into WordPress as it should be in a clean install of WordPress and your friend’s theme, or you’re gonna want to find someone who specializes in web (and ideally WordPress) security to help you take a look. Depending on your level of experience with WordPress, this may be a very difficult task for you to complete. WordPress itself is actually pretty darn secure. Usually vulnerabilities are introduced through themes or plugins… Fixing the problem is one thing. But finding what caused it and making sure it doesn’t happen again… that’s a very big task, and one that should be performed. I’m a DIY fan and love that you’re looking into this… but just be forewarned, if you’re not pretty darn familiar with WordPress, this is gonna take an awfully long time to fix.