Strange File
Anyone know what this file is? wp-codiey.php
I can see the base64 code but each time I try to delete it, it comes back!
- This topic was modified 5 days, 17 hours ago by webmistressofthedark. Reason: added info
An unknown file that’s base64 encoded that you cannot remove is a good sign that your site has been hacked. I recommend working through the steps outlined in FAQ My Site was Hacked.
Hi @webmistressofthedark
If you are facing an issue with this file, then contact your host and ask them to remove that file. Also, you can try giving 777 permission to this file.
Thank you. I do know HOW to delete it, but the problem is it just keeps coming back!
What does 777 allow? How will that affect it? Is that giving me edit/delete rights or something?
I tried that but it keeps re-appearing on refresh.
Should I try removing ALL permissions so it cannot execute?
- This reply was modified 4 days, 20 hours ago by webmistressofthedark. Reason: Added info
@bcworkz that page you gave me has no information on how to fix this.
Your project is being hacked. After reading the article mentioned above, I would recommend checking whether you still have a clean backup. If necessary, ask the support of your hoster. If so, delete all files and the database and restore the backup. Then change all access data in the hosting. This should solve the problem.
Finally, you should secure your project. This is described in more detail in the article here: https://www.ads-software.com/documentation/article/hardening-wordpress/
If you need personal help at any point, try contacting your hoster’s support first. Alternatively, you may also find someone here: https://jobs.wordpress.net/
As threadi said (and as covered in the Find and remove the hack section of the page I linked to), wiping clean and restoring from backup is the best fix. If you don’t have a usable backup, there are services you can hire that can usually rid your site of common hacks without damaging most of your data. For example Sucuri.net. Just an example, not a recommendation, there are several services to choose from.
It’s sometimes possible for those with some technical know-how to clean their own sites of relatively simple hacks despite no backups, but many hacks involve hidden backdoors which are notoriously difficult to find and remove. Professional help is often necessary.
I did have Sucuri scan and they said no hacks. The issue is the file won’t STAY deleted.
I have tried deleting the content, changing permissions, but perhaps I should change the name?
This was a problem site I never should have taken over… someone else’s problems.
I had two sites that I created and they were not harmed, and I removed some redirection files and had Google remove them from search although they didn’t seem to exist and nothing was harmed on the pages. I updated, removed any bogus users, and those are OK.
Thanks for all your suggestions. I appreciate it.
Which Sucuri scanner did you use? The online site check or the one that’s installed on your server and can scan source code? The online site check can only see symptoms of a breach from content that’s served out to users. It cannot scan what’s going on internally with your server. The chance of a false negative finding is high.
You can try changing the name. I’d expect a copy with the current name to appear some time afterwards. Even if it does not appear, the problem code still resides on your server. It’s not that difficult for malicious code to find its companion file regardless of what it’s named. Even if a copy does not appear, you still ought to delete the renamed file, after which the file will likely reappear.
I don’t doubt that you’ve actually deleted the file. The fact it keeps returning means there’s other code somewhere causing it to reappear. Unless you can rid the site of this other code you will not make any progress towards resolution. This mystery file is only part of your problem here.
One relatively simple thing you can try to clean the site is to manually “update” all core files. Even if it’s to the same version. The point is to replace all files from a fresh download. Do not use the Reinstall WP button on the updates admin screen. You must use FTP or your hosting file manager. This can effectively clean some rather crude hacks. Better hacks know enough to not hide in core files.
This article describes what you could be up against in cleaning out all malicious code. It’s pretty old at this point, but still applicable. If anything, hacks have gotten even more stubborn at staying in place.
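Added example, not part of the thread or any poster's code: a Python script for the search described above, looking for the "other code" that keeps recreating the file rather than at the file itself. It assumes the site's files are readable under one local directory; `scan_tree`, `demo`, the reason strings and the sample file contents are constructed for illustration.

```python
import base64, os, pathlib, re, tempfile

# Heuristic markers only; a match means "read this file", not proof of compromise.
OBFUSCATED = re.compile(rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
WRITERS = re.compile(rb"\b(file_put_contents|fopen|fwrite|copy|rename)\s*\(", re.I)

def scan_tree(root, dropped_name):
    """Map relative path -> reasons for every PHP file that deserves a manual look."""
    # The name may be stored plainly or as a base64 string inside the dropper.
    needles = (dropped_name.encode(), base64.b64encode(dropped_name.encode()))
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            data = pathlib.Path(path).read_bytes()
            reasons = []
            if fname != dropped_name and any(n in data for n in needles):
                reasons.append("names the reappearing file")
                if WRITERS.search(data):
                    reasons.append("can write files")
            if OBFUSCATED.search(data):
                reasons.append("eval of decoded data")
            if rel.startswith("wp-content/uploads/"):
                reasons.append("PHP in uploads")
            if reasons:
                findings[rel] = reasons
    return findings

def demo():
    """Scan a constructed tree (sample content, not taken from a real site)."""
    samples = {
        "wp-codiey.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "wp-includes/x.php": b"<?php file_put_contents(base64_decode('d3AtY29kaWV5LnBocA=='), $p); ?>",
        "wp-content/uploads/2024/x.php": b"<?php echo 'hi'; ?>",
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php'; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = pathlib.Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(body)
        return scan_tree(root, "wp-codiey.php")

if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

A flagged file is a lead for manual review, and an empty result does not show the site is clean: code that assembles the file name at run time will not match these patterns.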