Suspicious Files in WordPress Hosting: What to Check

What this problem is

You find unknown PHP files, odd folders, or recently modified files you did not change.

Why it happens

• Malware/backdoor dropped into web root
• Compromised plugin/theme added new files
• Old staging/backup copies left publicly accessible

Prerequisites

• FTP/File Manager access
• Clean WordPress and plugin/theme packages for comparison

Diagnosis

• Check file modification times for unusual bursts.
• Compare core folders (wp-admin, wp-includes) to clean packages.
• Search for obfuscated code patterns.

Detailed steps

Step 1) Quarantine suspicious files

Move them to a safe non-public folder or rename with .disabled (do not execute).

Step 2) Replace core and reinstall plugins/themes

Use clean sources. Remove nulled/pirated plugins and themes.

Step 3) Review wp-config.php and .htaccess

Check for injected includes, redirects, or base64 eval patterns.

Expected results

• Unknown files removed and site runs from clean code

What to do if it fails

• Restore from a clean backup and rotate all credentials

Best practices

• Disable file editing, lock down permissions, and run periodic malware scans