This section explains how to identify suspicious files (malware files) in the top directory of WordPress.
File comparison of top directory structure of malware-infected and non-infected sites
The figure below shows the file structure of the WordPress top directory on a site that is not infected with malware.
The googlee***.html file is the authentication file for Google’s access analysis, and .user.ini is the server configuration file.
The figure below shows the file structure of the top directory on a site infected with malware.
You can see that the files circled in red are files that do not originally exist in WordPress and have been given arbitrary file names.
If you open one of these files in a text editor, you will see that it has been obfuscated as shown below and is a typical malware file containing elliptic functions.
Are there any files in the top directory of WordPress that should not have been placed there?
The standard files included in the WordPress top directory are as follows:
wp-admin (folder)
wp-content (folder)
wp-includes (folder)
.htaccess (the server configuration file created when WordPress generates permalinks)
index.php
license.txt
readme.html
wp-activate.php
wp-blog-header.php
wp-comments-post.php
wp-config.php
wp-config-sample.php
wp-cron.php
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
Any file other than these, apart from the authentication file for Google’s access analysis and .user.ini, can be suspected of being malware if its name is a meaningless string of characters.
If you open the file in a text editor and its contents are obfuscated, we are more suspicious of malware infection.
In this case, we recommend that you run a malware scan once against all sites on the server.
[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]
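The check described above can be scripted. The following is an added example, not code from the original article or from any plugin: it compares a WordPress top directory against the standard list and reports everything else, marking files that look obfuscated. The google*.html pattern, the 1000-byte long-line heuristic and the sample file names are assumptions made for this example.

```python
import fnmatch
import os
import tempfile

# Standard top-directory entries, from the list above (core file names).
STANDARD = {
    "wp-admin", "wp-content", "wp-includes", ".htaccess", "index.php",
    "license.txt", "readme.html", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
    "xmlrpc.php",
}
# Non-core files the article treats as legitimate (glob pattern is assumed).
ALLOWED = ["google*.html", ".user.ini"]
LONG_LINE = 1000  # assumed threshold: obfuscated code is often one huge line

def looks_obfuscated(path):
    """Heuristic only: True if any line in the file exceeds LONG_LINE bytes."""
    try:
        with open(path, "rb") as fh:
            return any(len(line) > LONG_LINE for line in fh)
    except OSError:
        return False

def audit_top_directory(root):
    """Return sorted (name, looks_obfuscated) pairs for unexpected entries."""
    findings = []
    for name in os.listdir(root):
        if name in STANDARD or any(fnmatch.fnmatchcase(name, p) for p in ALLOWED):
            continue
        path = os.path.join(root, name)
        findings.append((name, os.path.isfile(path) and looks_obfuscated(path)))
    return sorted(findings)

def build_sample_root():
    """Constructed sample directory: some core files plus two unknown files."""
    root = tempfile.mkdtemp()
    for d in ("wp-admin", "wp-content", "wp-includes"):
        os.mkdir(os.path.join(root, d))
    for f in ("index.php", "wp-config.php", "google1234abcd.html", ".user.ini"):
        open(os.path.join(root, f), "w").close()
    with open(os.path.join(root, "xkqzv.php"), "w") as fh:
        fh.write("<?php $a='" + "A" * 2000 + "';\n")  # constructed, inert
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("plain text\n")
    return root

if __name__ == "__main__":
    for name, obf in audit_top_directory(build_sample_root()):
        print(f"{name}\t{'obfuscated?' if obf else 'unexpected'}")
```

An allowlisted name is not proof that a file is legitimate, so files matching google*.html or .user.ini are still worth opening when other unexpected files turn up.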