Malicious File??

If the file is named “hidden.php”, that’s a sign. ?? Take what wordfence is saying seriously.

Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

Hi+

Thank you very much for the quick response! I appreciate the link to the guide and have already done a lot of what it says (but not all of those suggestions)… Also, I will review the recommended security measures and take appropriate actions.

I do have a follow up to this question. WordFence has flagged a lot of files in wp-admin/css/colors location as “possible malicious” and all of them (except this hidden.php) are named less suspiciously…

wp-admin/css/colors/light/php-brief.php
wp-admin/css/colors/midnight/class-wp-filesystem-ssh2.php
wp-admin/css/colors/midnight/pagination.php
wp-admin/css/colors/sunrise/newsfeed.php

I’m wondering where I can go to verify if these files are all actually part of the wp-admin/css/colors folder or if they’ve been added somehow?

Thanks!

Grab a copy of WordPress from www.ads-software.com and you can see what’s real and what’s not.

But you’re hacked. Just deleting those files will probably not clean your site.

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Thank you.

@sterndata, Thank you very much for this list of articles! I am working through things and they are super helpful!