wordpress may have virus

rgb192 used Ask the Experts™
I noticed many new .php files on my shared Linux server that I did not create.
Some PHP files had an eval command.
I would want to delete this domain but I don't want to ruin the WordPress installation that is already there.

Which files/folders do not belong in a WordPress that has been installed in the past year?

Fractional CTO
Distinguished Expert 2018
There are too many files to guess about with WordPress.

First step I use when cleaning a site I suspect of being hacked is to run a script I wrote which simply...

1) Checks the existing installed WordPress version.

2) Downloads a pristine copy of WordPress which matches the installed version.

3) Diffs all files + quarantines (copies) core files which have been modified. Since no core file should ever be modified, any modified file has been hacked.

4) Then quarantine any file in a WordPress core directory which does not exist in the pristine copy. There should be no additional files in any core directory.

5) Then (and this is complex), look at a repository of all themes + plugins on site + do the exact same. Quarantine any changed files.

This last step can be tricky if you've let your repository of installed themes + plugins get outdated.

Another tricky point is looking at all quarantined files, as some plugins may build config files or other files as part of their installation process, so these generated files won't exist in the original zip file, so you'll have to move these back into place.

Big Tip: Sites get hacked one of two ways.

1) You've let your WordPress core or theme or plugins get out of date. This you can fix. After you clean your site, keep all your code updated.

2) Your code is all up to date, so your hosting company has dropped the ball + is likely running outdated code which is easily hacked.

So... if you were keeping your WordPress code up to date + you've been hacked because of your hosting company...

Your first step is to change hosting immediately, because if you got hacked once due to hosting, you will likely be hacked again.
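
Steps 1 to 4 above can be sketched as follows. This is an added example, not the script the answer's author wrote: it assumes the matching pristine release has already been downloaded and unpacked, the names `audit_core`, `SKIP_DIRS` and `SITE_FILES` are hypothetical, and the trees built in `demo()` are constructed stand-ins for real WordPress files.

```python
import re, shutil, tempfile
from pathlib import Path

SKIP_DIRS = {"wp-content"}                   # themes/plugins are step 5, audited separately
SITE_FILES = {"wp-config.php", ".htaccess"}  # site-specific files never in the release zip

def installed_version(root):
    """Step 1: read $wp_version from wp-includes/version.php."""
    text = (Path(root) / "wp-includes" / "version.php").read_text(errors="replace")
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None

def audit_core(site, pristine, quarantine):
    """Steps 3-4: copy modified and unexpected core files into quarantine."""
    site, pristine, quarantine = Path(site), Path(pristine), Path(quarantine)
    version = installed_version(site)
    if version is None or version != installed_version(pristine):
        raise ValueError("pristine copy does not match the installed version")
    report = {"modified": [], "extra": []}
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site)
        if rel.parts[0] in SKIP_DIRS or rel.as_posix() in SITE_FILES:
            continue
        ref = pristine / rel
        if not ref.is_file():
            kind = "extra"            # file the release never shipped
        elif f.read_bytes() != ref.read_bytes():
            kind = "modified"         # core file whose content changed
        else:
            continue
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, dest)         # copy, not move: the site stays as found
        report[kind].append(rel.as_posix())
    return report

def demo():
    """Constructed sample trees (not real WordPress files) to exercise the audit."""
    base = Path(tempfile.mkdtemp())
    files = {"index.php": "<?php // front", "wp-admin/admin.php": "<?php // admin",
             "wp-includes/version.php": "<?php $wp_version = '5.2.3';"}
    planted = {"wp-admin/admin.php": "<?php // admin (constructed change)",
               "wp-includes/x1.php": "<?php // constructed unexpected file",
               "wp-config.php": "<?php // site config", "wp-content/plugins/p.php": "<?php // plugin"}
    for root, tree in (("pristine", files), ("site", {**files, **planted})):
        for rel, body in tree.items():
            (base / root / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / root / rel).write_text(body)
    return audit_core(base / "site", base / "pristine", base / "quarantine"), base
```

The quarantine directory must sit outside the site tree, otherwise a second run would report its own copies as extra files.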
Terry Woods, IT Guru
Most Valuable Expert 2011
My primary job is managing WordPress sites and their technical issues. Given your screenshot, I'm about 99.99% sure you've got malware there, as some of those files shouldn't be there and look very dodgy.

You may like to consider the site cleaning service offered by Wordfence.com - pricing is demand based so it varies, but starts at about US$179. It will take you some time to work through the steps with them, but they do a very professional job of cleaning up the site and telling you how it got hacked.
Terry Woods, IT Guru
Most Valuable Expert 2011
The only file in your root WordPress folder that you should need to keep (given your screenshot) is the wp-config.php file, unless you've got non standard customisations to the site. You should be able to delete the wp-admin and wp-includes folders (these are the "core" folders David mentioned) and reinstall them from a fresh copy of WordPress.

Cleaning a site isn't easy. You'll very likely have infected files in your plugins, and as David mentioned it's quite a process to remove and reinstall them. On top of that, you'll need to:
* reset all admin user passwords in the database, and probably editor and author user passwords too (and maybe more depending on the site)
* change the database user password on the server and in the wp-config.php file
* change the "authentication unique keys and salts" in the wp-config.php file (there's a note in the file on how to do that)

To be completely thorough, the above should be done offline and without opening WordPress, to avoid reinfection part way through. There may also be other things in the WordPress database that are compromised and open the site up for reinfection. I've found that generally I can clean a site manually without being completely thorough, but it does take quite some time.

Terry Woods, IT Guru
Most Valuable Expert 2011
If you have a .htaccess or .php.ini file in there (hidden files), you probably don't want to delete those.
Alicia St Rose, Owner & Principle Developer/Designer
Those who are suggesting hiring a company to clean this up are spot on. I tried to clean up a site once, but there was a script somewhere generating devious files as soon as I deleted them. Check out Sucuri or WordFence.

w5v7....php is definitely suspect! But, there could be files hidden deep in some of those folders.
NerdsOfTech, Technology Scientist
Just to add to the great advice above, once you are ready to reinstall the clean copy of WordPress/quarantine the bad files, or use a service to clean the server, make sure your folders are immediately CHMODed correctly (then CHMOD key files after the install) per WordPress instructions; as it sounds like the attacker uploaded an attack script and is generating files from the attack script.
David Favor, Fractional CTO
Distinguished Expert 2018
Hiring a cleaning service may or may not be useful.

If your hosting company is running downlevel Linux Kernel code or PHP, then as soon as you clean your site, you'll be hacked again.

I probably should have said your first step is to ensure your hosting environment is running all latest stable LAMP code + if not, change hosting.

No use investing masses of time + money into cleaning a site that will just get hacked again.


Thanks. I have a related question about the comment of Terry Woods.
