Holy Moly! 430 Suspect Files in WP Core

Help, please. This site is only 1 year old. Where did all these extra files come from?

Also, since they are in WP Core and there should only be official WP Core files in there, is it OK to just mass delete these? (After backing up in case it goes blah-hooey.)

SenseofPlacePress.com

Thanks,
Maggie

  • Maggie
    • Design Lord, Child of Thor

    Thanks for quick response, "P".

    I left out that it was Defender that found them.

    So if I reinstall WP it will overwrite all the core files and get rid of all the oddball stuff? That sounds too easy to be true. I could use easy right now. LOL!

    Here are a few names:

    404.shtml /home2/senseof5/public_html/404.shtml

    class-wp-plugin-install-list-table.php /home2/senseof5/public_html/wp-includes/includes/class-wp-plugin-install-list-table.php

    deprecated.php /home2/senseof5/public_html/wp-includes/includes/deprecated.php

    screen.php /home2/senseof5/public_html/wp-includes/includes/screen.php

    What does this all mean?

    How do things get into WP Core?

    Thanks again for help.

    Maggie

  • Jack Alltrade
    • Just A Community Member

    Download and look at a few in a text editor. If they are all jscript or encrypted and they all look roughly the same - you have been infected with a common bit of self-replicating malware.

    Download a fresh copy of WordPress and all unedited plugins and themes.

    Delete the entire WP core system but leave wp-content that you can't replace with a clean copy (media files or child theme for example).

    Upload clean files and run a new Defender scan. It will help you to clean out the remaining infections. Or you can FTP into the media library and delete any non-media files (.php for example).

  • Jaxom
    • Dragon Rider

    Hi Maggie
    If you have FTP access, delete the wp-admin folder and the wp-includes folder and reinstall from a fresh version of WordPress.
    Then recheck with Defender.
    Also install an index.php file in each folder that is empty except for this line at the top:
    <?php // Silence is golden

    That should solve any future issues.

    Jaxom

  • Maggie
    • Design Lord, Child of Thor

    Hi Jack, Jaxom and Josh.

    Thanks for the detailed advice. I see now that I can't just reload WP as it would wipe out ALL the files and I'd lose the site information. That would be a big bummer.

    I do have FTP access, so I'll take your advice and try this tonight.

    Josh, I guess I'm afraid to mess it up if I automatically "fix" everything with Defender. Especially if it seems I've got a virus-hacking thing going on, I'd like to check out the server files and see if I notice anything obvious. And believe me, it needs to be obvious, like an oddball directory, for me to notice it.

    Thanks everyone. I will report back tomorrow on my adventure in fixing this.

    (You all don't by chance know how to fix brakes on a Toyota, do you? That's my other pressing repair problem. LOL!)

    Maggie

  • Kasia Swiderska
    • Support nomad

    Hello Maggie,

    I've moved your thread to the support forum in case we need to take a closer look at your site. Right now I would like to add a few things.
    Files like this:

    404.shtml public_html/404.shtml

    are server files that handle the different error pages (so the server has its own "customized" 404 error page, not the default blank one). There can be more of those, like 500. You can check with your hosting provider, but they can usually just be ignored.

    Before you delete any files and replace them with new, fresh ones downloaded from the wp.org repository, take a backup of the files you are deleting, so that you can compare them with the fresh files. You will see what the difference is. That will help to establish whether your site was hacked.

    Make sure your themes and plugins are updated.

    Let us know how it goes.

    kind regards,
    Kasia

  • Vaughan
    • Support/SLS MockingJay

    Hey Maggie,

    Could you provide a list of all the files listed? Or maybe grant support access so we can see.

    But, from what you mentioned so far, all those files listed are legitimate core file names, or server/host generated files.

    https://developer.wordpress.org/reference/classes/wp_plugin_install_list_table/

    Though, you say they're in wp-includes/includes/

    They should be in /wp-admin/includes/

    Not sure what's going on there. It could be someone did a manual update, but uploaded files to the wrong folder for some reason.

    But if we could take a closer look?

    Can you send your details via email direct to contact@wpmudev.org

    Mark for attn: Vaughan
    Include a ref URL to this thread.

    Please include the following details:
    - Site login details (super-admin if on multisite)
    - FTP login details so I can take a look at the theme/plugin files.
    - cPanel credentials so I can look at the DNS settings & DB with phpMyAdmin

    Thanks
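
The comparison Kasia describes (the backed-up site files against a fresh download from wp.org), which also surfaces files sitting in a non-core path such as the wp-includes/includes/ copies Vaughan points out, sketched here as an added example that is not part of the original thread. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # wp-content is site-specific, so it is skipped

def hash_tree(root: Path) -> dict:
    """Map every file under the core directories to its SHA-256 digest."""
    digests = {}
    for core_dir in CORE_DIRS:
        base = root / core_dir
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_core(site_root: Path, clean_root: Path) -> dict:
    """Report files that are extra, missing or changed relative to the clean copy."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    return {
        "extra": sorted(site.keys() - clean.keys()),
        "missing": sorted(clean.keys() - site.keys()),
        "modified": sorted(p for p in site.keys() & clean.keys() if site[p] != clean[p]),
    }

def build_demo(tmp: Path):
    """Constructed sample trees for the demo (not real WordPress files)."""
    clean, site = tmp / "clean", tmp / "site"
    files = {"wp-admin/includes/screen.php": "<?php // screen\n",
             "wp-includes/version.php": "<?php // version\n"}
    for root in (clean, site):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Constructed findings: a copy in wp-includes/includes/ (not a core path,
    # as in the thread) and one altered core file.
    stray = site / "wp-includes/includes/screen.php"
    stray.parent.mkdir(parents=True)
    stray.write_text("<?php // screen\n")
    (site / "wp-includes/version.php").write_text("<?php // version, altered\n")
    return site, clean

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return compare_core(*build_demo(Path(tmp)))

if __name__ == "__main__":
    print(run_demo())
```

Point `compare_core` at the downloaded backup of the site and at an unpacked fresh WordPress archive of the same version; the result is only meaningful when the versions match.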
