
WordPress Security: What to Do When You Find Suspicious Files


Finding unknown files (especially executable scripts such as PHP files, or configuration files such as php.ini) within WordPress directories can be a sign of a malware infection, an anomalous configuration or, more likely, a Remote Code Execution (RCE) attack: an external actor has found a way to write arbitrary files within the site's directories.

In this article, you will find a comprehensive summary of the main checks and actions to take to verify whether the presence of “suspicious” files in WordPress directories indicates a site compromise. The goal of these steps is to detect anomalies, identify possible intrusions, and secure the WordPress installation to prevent further attacks.

1. Check the content of suspicious php.ini files

WordPress itself does not create or require php.ini files in its directories, so any such file must be investigated immediately. Some shared hosts do place a php.ini or .user.ini in the site root to set per-account PHP options, so one there may be legitimate; one inside uploads, plugins or includes is not. The same directives can also be set through a .user.ini file (PHP-FPM/CGI) or php_value lines in an .htaccess file (mod_php), so check those as well. The first step is to open the files and look for suspicious settings with one of the following commands:

cat /path/to/file/php.ini

or

less /path/to/file/php.ini

Suspicious indicators to look for:

Changes to PHP execution and upload limits, such as:

max_execution_time = 10000

memory_limit = 512M

upload_max_filesize = 100M

These excessively high values could indicate an attempt to execute heavy scripts or upload malicious files.

Suspicious PHP file inclusion directives, such as:

auto_prepend_file = "/tmp/malware.php"

This could allow a malicious PHP file to execute before any WordPress script.

Suspiciously enabled or disabled PHP functions, for example:

disable_functions = ""

An empty disable_functions means that no PHP function is blocked at the interpreter level: any script an attacker manages to write can call exec(), system() and similar functions directly, so a blank value removes a layer of defense and leaves the site more exposed.

2. Locate unknown files

If you have SSH or terminal access, the following command searches the whole installation for files with a given name (php.ini here; substitute any other name you want to locate):

find /path/to/wordpress-directory -type f -name "php.ini"

If php.ini files are found in directories such as:

  • /wp-content/uploads/
  • /wp-content/plugins/
  • /wp-includes/
  • /wp-admin/

Then it is very likely that these are malicious files injected by an attack.

3. Check file modification dates

Most legitimate files should have a modification time consistent with the date the server or WordPress was installed or last updated (on Linux, ls shows the modification time, not the creation time). If the "suspicious" files were recently created or modified, they may have been written by a malicious actor (malware or, more likely, an external attacker exploiting an RCE vulnerability):

ls -lt /path/to/wordpress-directory | grep php.ini

Recent modifications without any updates having been performed are a further sign of suspicious activity. Note that ls -lt lists only the directory given, not its subdirectories; step 4 below uses find to search the whole tree by modification time.

4. Check recently modified PHP files

This command allows you to efficiently search for all .php files modified in the last 7 days:

find /path/to/wordpress-directory -type f -name "*.php" -mtime -7

The presence of recently modified PHP files in directories such as uploads or wp-includes increases the likelihood that an intrusion or external attack has occurred.
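The checks in steps 1 to 4, combined into one script. This is an added example, not code from the original article: it assumes a POSIX shell with find, grep, ls and sed, takes the WordPress root as its only argument, and goes slightly beyond the text by also looking for .user.ini files, which carry the same directives under PHP-FPM.

```shell
#!/bin/sh
# Added example, not from the original article. Reports per-directory PHP config
# files (php.ini and, beyond the article, .user.ini) found anywhere below a
# WordPress root, the directives inside them that the article lists as indicators,
# their modification time, and any executable PHP file under wp-content/uploads.
# Usage: wp_suspicious_files /path/to/wordpress-directory

wp_suspicious_files() {
    root=$1
    # Steps 1-3: config files, their mtime (from ls -l) and their risky directives.
    find "$root" -type f \( -name php.ini -o -name .user.ini \) |
    while IFS= read -r f; do
        echo "CONFIG: $f"
        ls -l "$f" | sed 's/^/  LISTING: /'
        grep -nE '^[[:space:]]*(auto_prepend_file|auto_append_file|disable_functions|open_basedir|max_execution_time|memory_limit|upload_max_filesize)[[:space:]]*=' "$f" |
            sed 's/^/  DIRECTIVE: /'
    done
    # Steps 2/4: WordPress never stores executable PHP in uploads, so any hit is suspect.
    find "$root/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null |
        sed 's/^/UPLOADS_PHP: /'
}
```

Every reported path is a candidate for the timestamp and log correlation described later, not proof of compromise on its own.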

5. Analyze the site with a security plugin

If you suspect an infection, it is recommended to use a dedicated WordPress security plugin to scan the site for suspicious files:

Recommended Plugins

  • Wordfence Security: Scans the site and identifies suspicious files.
  • iThemes Security: Helps strengthen overall security.
  • MalCare Security: Advanced malware scanner.

Once the plugin is installed, you will need to perform a scan, which can be activated from the plugin’s page directly within the WordPress admin panel, allowing you to analyze the results and assess the situation.

6. Remove suspicious files

As soon as you have confirmed that the "suspicious" files are not legitimate, delete them without delay, but first keep a copy outside the web root: it serves both as a backup and as the evidence you will need when correlating the files with the access logs (step 8):

rm /path/to/wordpress-directory/php.ini

7. Secure WordPress for the future

After removing any malicious files, it is essential to take appropriate precautions to prevent the situation from recurring.

To do this, it is strongly recommended to carry out the following hardening activities:

Update WordPress, plugins, and themes (this can be done via the WordPress admin panel).

Set file permissions correctly by running the following commands from the WordPress root via SSH or terminal. Note that chmod 400 wp-config.php only works if the PHP process runs as the file's owner; otherwise PHP can no longer read the file and the site stops working:

find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 400 wp-config.php
chmod 444 .htaccess

Disable file modification from the backend by making sure the following constants are defined in wp-config.php (add them if they are missing). Note that DISALLOW_FILE_MODS also blocks plugin, theme and core updates from the admin panel, so updates must then be applied by another route (for example by deploying files from version control, or by temporarily setting the constant to false):

define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);

Block PHP execution in /uploads/ by adding an .htaccess file inside /wp-content/uploads/ with the following content. The Order/Deny directives are Apache 2.2 syntax and only work on Apache 2.4 when mod_access_compat is loaded; without it, replace those two lines with Require all denied. This rule is Apache-only: on nginx the equivalent is a location rule that denies .php requests under the uploads path.

<FilesMatch "\.(php|phtml|php[0-9])$">
Order Allow,Deny
Deny from all
</FilesMatch>

Scan the site regularly using Wordfence and/or other security plugins.

8. Analyzing Access Logs

One of the most effective ways to understand how and when the site was compromised is by reviewing the server logs. The access log records every HTTP request made to the site, including exploit attempts, injections and malicious file uploads; the error log records server and PHP errors, which often capture failed exploit attempts as well.

How to Check Access Logs

If you have server access, you can analyze the logs with the following commands. tail -f shows new entries as they arrive; for a historical investigation open the file with less or filter it with grep as shown further down, and remember that rotated logs (access.log.1, access.log.*.gz) must be included too, using zgrep for the compressed ones:

Apache Access Log (if the site runs on Apache):
tail -f /var/log/apache2/access.log

Apache Error Log:
tail -f /var/log/apache2/error.log

Nginx Access Log:
tail -f /var/log/nginx/access.log

Nginx Error Log:
tail -f /var/log/nginx/error.log

If the hosting provider uses a control panel such as cPanel or Plesk, logs can be found in the "Logs" or "Server Logs" section.

What to Look for in the Logs

Use grep to filter suspicious activities, for example:

Search for suspicious PHP file requests:
grep "php" /var/log/apache2/access.log

This pattern matches almost every request, so narrow it to paths that should never serve PHP: requests for .php files in /wp-content/uploads/ or other unusual directories could be backdoors uploaded by attackers.

Search for suspicious POST requests (possible RCE exploit attempts or malware uploads):
grep "POST" /var/log/apache2/access.log

An attacker might have exploited a vulnerable plugin to execute remote code.

Search for requests whose query string carries code-execution function names (RCE attempts; the same approach works for SQL Injection with different keywords):
grep -E '[?&](cmd|exec|system|passthru|shell_exec|base64_decode|eval)(=|\(|%28)' /var/log/apache2/access.log

If you find URLs carrying PHP code-execution functions (eval(), shell_exec(), base64_decode()), possibly URL-encoded (an opening parenthesis appears as %28), your site was likely targeted by an attack.

Search for requests from a suspicious IP:
grep "SUSPICIOUS_IP" /var/log/apache2/access.log

If multiple requests from the same IP attempt to access suspicious PHP files, block it with the following command (the rule is lost at reboot unless it is saved with your distribution's firewall persistence tool):
sudo iptables -A INPUT -s SUSPICIOUS_IP -j DROP
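The grep searches above combined into a single pass over the log, as an added example that is not code from the original article. It assumes the Apache/nginx combined log format and awk, and embeds a constructed sample log (documentation IP ranges, not a real capture); pass a real access log path as the only argument to run it against your own server.

```shell
#!/bin/sh
# Added example, not from the original article. Ranks source IPs by how many of
# their requests match the indicators above (PHP under wp-content/uploads, POST to
# a PHP file that is not a normal WordPress endpoint, or code-execution function
# names in the query string) and shows each IP's first and last hit, which is what
# the article says to correlate with file timestamps. Expects Apache/nginx
# "combined" log format. Usage: wp_suspicious_ips access.log  (or via stdin)

wp_suspicious_ips() {
    awk '
    {
        ip = $1; ts = $4; sub(/^\[/, "", ts)
        method = $6; sub(/^"/, "", method)
        url = $7
        hit = 0
        if (url ~ /\/wp-content\/uploads\/.*\.php/) hit = 1
        # Logins, cron and admin actions legitimately POST to PHP; other POST targets are suspect.
        if (method == "POST" && url ~ /\.php/ && url !~ /^\/(wp-login\.php|wp-cron\.php|wp-admin\/)/) hit = 1
        if (url ~ /[?&](cmd|exec|system|passthru|shell_exec|base64_decode|eval)(=|\(|%28)/) hit = 1
        if (!hit) next
        n[ip]++
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
    }
    END { for (ip in n) printf "%d %s first=%s last=%s\n", n[ip], ip, first[ip], last[ip] }
    ' ${1:+"$1"} | sort -rn
}

# Constructed sample log (Apache combined format, documentation IP ranges), not a real capture.
SAMPLE_LOG='203.0.113.45 - - [10/Mar/2025:02:14:07 +0000] "POST /wp-content/uploads/2025/03/cache.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.45 - - [10/Mar/2025:02:14:09 +0000] "GET /wp-content/uploads/2025/03/cache.php?cmd=ls HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2025:02:15:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 7201 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:02:15:02 +0000] "GET /wp-content/uploads/2025/03/logo.png HTTP/1.1" 200 4412 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2025:02:16:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# With a log path as argument analyze that file; otherwise demonstrate on the sample.
if [ "$#" -eq 1 ]; then wp_suspicious_ips "$1"; else printf '%s\n' "$SAMPLE_LOG" | wp_suspicious_ips; fi
```

The first/last timestamps of the top-ranked IP are the values to compare against the modification times gathered in step 3.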

Blocking Attackers' Access

If you identify suspicious IPs, you can block them by adding the following lines inside the .htaccess file (for Apache):

<RequireAll>
Require all granted
Require not ip 192.168.1.100
Require not ip 203.0.113.45
</RequireAll>

For nginx, add the following lines inside the server (or location) block of the site's configuration rather than at the top level of nginx.conf, then reload nginx:

deny 192.168.1.100;
deny 203.0.113.45;

IMPORTANT: After analyzing the logs, correlate suspicious accesses with the creation date and time of suspicious files to determine exactly how the attacker gained entry.

9. Performing Regular Backups

One of the most important aspects of protecting a WordPress site is maintaining regular backups of files and the database. If the site is compromised, a recent backup allows for a quick restoration without data loss. It is recommended to set up automatic and periodic backups, preferably on a remote server or cloud service.

Recommended Backup Plugins

  • UpdraftPlus: One of the most popular automatic backup plugins. Allows saving backups on cloud services such as Google Drive, Dropbox, Amazon S3, and FTP.
  • BackupBuddy: A premium solution with advanced recovery and migration options.
  • WPVivid Backup: A free alternative with support for incremental backups.
  • Jetpack Backup: Real-time backups with fast recovery, ideal for eCommerce or dynamic content sites.

Manual Backup via Terminal

Backup WordPress Files:
tar -czvf backup-wordpress.tar.gz /path/to/wordpress/folder

Backup MySQL Database:
mysqldump -u user -p database_name > backup-db.sql

Database Restoration in Case of Emergency:
mysql -u user -p database_name < backup-db.sql

IMPORTANT: It is advisable to keep at least three backup versions in different locations to ensure a working copy is always available in case of an attack or human error.
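The manual backup commands above with the three-version retention rule applied automatically, as an added example that is not from the original article. It assumes tar, gzip and mysqldump are installed, and that the MySQL password is supplied through ~/.my.cnf or the MYSQL_PWD environment variable rather than on the command line.

```shell
#!/bin/sh
# Added example, not from the original article. Timestamped file and database
# backups with the "keep at least three versions" rule applied automatically.
# Assumptions: MySQL credentials are read from ~/.my.cnf or the MYSQL_PWD
# environment variable (not the command line, where ps would expose them), and
# the destination is synced to a remote location separately; this script does not do that.
# Usage: wp_backup /path/to/wordpress /path/to/backups database_name db_user [keep]

backup_files() {   # backup_files <wordpress dir> <dest dir> <stamp>
    mkdir -p "$2" || return 1
    # Archive from the parent so every entry is relative to a single top-level dir.
    tar -czf "$2/files-$3.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
}

backup_db() {      # backup_db <database> <user> <dest dir> <stamp>
    mkdir -p "$3" || return 1
    # --single-transaction: consistent InnoDB snapshot without locking the live site.
    mysqldump --single-transaction -u "$2" "$1" > "$3/db-$4.sql" && gzip -f "$3/db-$4.sql"
}

prune_backups() {  # prune_backups <dest dir> <prefix: files|db> <keep>
    # Names embed a UTC timestamp, so a reverse lexical sort is newest-first.
    ls -1 "$1"/"$2"-* 2>/dev/null | sort -r | tail -n +"$(($3 + 1))" |
    while IFS= read -r old; do rm -f "$old"; done
}

wp_backup() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    backup_files "$1" "$2" "$stamp" || return 1
    backup_db "$3" "$4" "$2" "$stamp" || return 1
    prune_backups "$2" files "${5:-3}"
    prune_backups "$2" db "${5:-3}"
}
```

Schedule wp_backup from cron and copy the destination directory off-host afterwards, so that the retained copies are not lost together with the server.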

Conclusions

WordPress site security should never be underestimated. The presence of suspicious files in unusual locations can be a clear sign of system compromise, often due to vulnerabilities exploited by attackers through techniques such as Remote Code Execution (RCE), SQL Injection, or outdated plugin exploits.

By analyzing access logs, checking file modification dates, and verifying system permissions, it is possible to identify the source of the attack and prevent further intrusions. The removal of malicious files should be accompanied by a complete security audit, including:

  • Regular updates for WordPress, plugins, and themes
  • Restricting file and folder permissions to minimize attack surfaces
  • Blocking PHP execution in sensitive directories, such as /uploads/
  • Continuous monitoring with tools like Wordfence, iThemes Security, and malware scanners
  • Regular backups using reliable plugins like UpdraftPlus, ensuring a quick recovery when needed

If suspicious or unknown files are found on your site, it is crucial to act quickly: the longer attackers have access, the more damage they can cause. By following this guide, you can detect and mitigate threats, protecting your WordPress installation and keeping your site secure and operational.
