This section explains how to identify suspicious files (malware files) in the top directory of WordPress.


File comparison of top directory structure of malware-infected and non-infected sites

The figure below shows the file structure of the top directory of WordPress on the non-malware-infected site.

The googlee***.html file is the authentication file for Google’s access analysis, and .user.ini is the server configuration file.

The figure below shows the file structure of infected with malware.

You can see that the files circled in red are files that do not originally exist in WordPress and have been given lax file names.

If you open one of these files in a text editor, you will see that it has been obfuscated as shown below and is a typical malware file containing elliptic functions.

Are there any incorrect files in the top directory of WordPress that should have been placed there?

The standard files included in the WordPress top directory are as follows

wp-admin (folder)
wp-content (folder)
wp-includes (folder)
.htaccess is the server configuration file created when WordPress generates permalinks.
index.php
license.txt
readme.html
wp-activate.php
wp-blog-header.php
comment-submit.php
wp-config.php
wp-config-sample.php
wp-cron.php
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php

Other than this, can I suspect that the files are malware if they are authentication files for Google’s access analysis, .user.ini, and the name of the file is a meaningless string of characters?
If the file is opened in a text file editor and obfuscated, we are more suspicious of malware infection.

In this case, we recommend that you run a malware scan once against all sites on the server.

Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal

Terms of Use for Generated AI

This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using generated AI is permitted.
1. it is not for the purpose of learning by the generated AI. 2. only the summary or title of the page content at a level that does not lead to the solution of the user’s problem is shown to the user. 3. in the case of 2, a link to this content is shown to lead the user to this page.

Related Posts:

  1. How to stop the execution of PHP programs in the wordpress security improvement upload folder
    You can improve security by preventing the execution of PHP programs in the upload folder of WordPress uploaded images and other folders that contain only static files outside of WordPress. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following...
  2. How to find hidden malware (tampering) in WordPress
    If WordPress redirects you to a different site or disables some features of the administration panel, you may have been infected with malware. In this case, if the malware has been removed and the site keeps re-infecting itself, it is possible that a backdoor, or malicious program, remains somewhere on the site. Terms of Use for Generated AI This page...
  3. WordPress HTACCESS has been tampered with and access to the admin panel is no longer possible
    Recently, a type of malware has become popular in which a WordPress site is tampered with, and although the site can be displayed without problems, the administrator screen cannot be accessed. We will explain how to deal with this case. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole or...
  4. If you do not know where the malware infected malware is located or if you cannot find it
    This section explains what to do if you do not know the location of infected malware or if you cannot find it. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using...
  5. Repair HTACCESS and Index.php, which is instantly tampered with again in WordPress.
    Due to many requests, we are releasing a program to repair HTACCESS and Index.php, which is instantly tampered with again in WordPress. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using...
  6. 5 security measures that can be taken in WordPress just by writing HTACCESS
    Here are some security measures that can be taken simply by including the settings in HTACCESS. Terms of Use for Generated AI This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using generated AI is permitted.1. it is...