configCache.php File and wp-checking.php File

  • Hi,

    I’ve been noticing (through another security plugin) for a while now, that around once a week there is a file called ‘wp-checking.php’ which is full of gobbledegook gets added somehow to my website files.

    It’s a simple process to delete it via Filezilla, so it’s more an inconvenience rather than a death defying threat at the moment, though a full solution or explanation would be most welcome!

    I also happened to notice this entry in the same logs though, right after the wp-checking.php file addition:

    File modified wp-content/plugins/wordfence/tmp/configCache.php (old size: 1537, new size: 1537)

    The reason I’m checking here is that it’s obviously a modification to a Wordfence file.

    Both the files mentioned in this post were added via the ip:

    127.0.0.1

    …which is supposedly a Localhost address.

    Are either or both of these files legit?

    https://www.ads-software.com/plugins/wordfence/

Viewing 6 replies - 1 through 6 (of 6 total)

  • Hello steveraven,
    wp-checking.php is not a Wordfence file and I suspect the “gobbledegook” might be an exploit. Set Wordfence scanning options to include as much as possible (high sensitivity, files outside of WordPress directory) and run a full scan on your site. If that doesn’t give you any answers you also want to check wp-config and compare it to a fresh one downloaded from WordPress to see if there is anything suspicious in there.

    configCache.php is indeed a Wordfence file. I’m unsure if the changes to it are directly related to “wp-checking.php” but it’s possible. Next time you see “wp-checking.php” appear could you download it via FTP and email a copy of it as an attachment to [email protected]? Please include a reference to this forum post in the email. Thanks in advance!

    Thread Starter steveraven

    (@steveraven)

    Sure, just started the high sensitivity scan, and as soon as a new wp-checking appears, I’ll send it over.

    I am having this same issue. I delete the wp-checking.php and comes back after some time. I will report if I find something as well.

    Hello both of you,
    In addition to WordPress own information about hacked sites we have some articles related to figuring out if your site has been hacked and how to clean it. Maybe some of this information will be helpful.

    Usually evidence of how the website was hacked would show up in the HTTP or FTP log files for the website, have either of you reviewed those yet?

    Your site was hacked, it was most likely due to an exploit with the plugin wp-mobile-detector.

    It happened on 05/31 to a ton of people, i was also a casualty of it, with 500 sites, at least 150 of mine were infected, and it jumps to other sites within your account.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘configCache.php File and wp-checking.php File’ is closed to new replies.