You can recognize from the names of the hack files that they are related to programming; about 50% of the hack files have a logical structure that a programmer would develop.
Some of the most common hack files:
- test.php
- cache.php
- files.php
- options.php
- view.php
- diff.php
- start.php
- plugin.php
Note: These files can also exist in WordPress, so don’t remove them solely based on their names.
How do you identify if it’s a hack file?
In about 90% of the cases, the file contains a messy jumble of code: base64-encoded code without any logic or formatting.
Where can you find these hack files on your site?
They can be found in any directory. Although the “uploads” directory is a favorite target because it’s often writable, a hacker/hackbot can place files throughout your entire website.
If you want to systematically remove the files:
First, make a backup!
You can divide your WordPress website into 5 parts:
- WordPress core (try to refresh it completely)
- The plugins directory
- The themes directory
- The uploads directory
- The container directories
The plugins directory
This directory should only have an index.php file and the plugins. Refresh the plugins wherever possible, or check the modification dates to find the hack files.
The themes directory
This directory should also have an index.php file and one theme. Remove the themes that you don’t use!
The uploads directory
There should be NO PHP files in this directory. You can remove any PHP file.
The container directories
The “wp-content” directory usually contains only an index.php file and the directories mentioned above (plugins, themes and uploads).
The “languages” directory should only contain language files and no PHP files.
The “upgrade” directory is used only for temporary upgrade files and is usually empty.
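The checks described above (PHP files in the uploads directory, the common file names, and base64-style jumble) can be scripted as a first-pass triage. This is an added example, not code from the original article; the regular expressions, the reason labels and the sample tree written by build_sample_site are assumptions for illustration, and the sample files are constructed and inert.

```python
import re
import tempfile
from pathlib import Path

# File names the article lists as common for hack files (also used legitimately).
SUSPECT_NAMES = {"test.php", "cache.php", "files.php", "options.php",
                 "view.php", "diff.php", "start.php", "plugin.php"}
# Assumed heuristics: a long unbroken base64 run, or decode-then-execute calls.
BLOB = re.compile(rb"[A-Za-z0-9+/=]{200,}")
DECODE_EXEC = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate)\s*\(", re.I)

def scan(wp_root):
    """Return {relative path: [reasons]} for PHP files that need a manual look."""
    root = Path(wp_root)
    findings = {}
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        reasons = []
        if rel.startswith("wp-content/uploads/"):
            reasons.append("php-in-uploads")      # uploads should hold no PHP
        if path.name in SUSPECT_NAMES:
            reasons.append("common-hack-name")    # weak signal on its own
        if BLOB.search(data) or DECODE_EXEC.search(data):
            reasons.append("encoded-payload")     # jumble without formatting
        if reasons:
            findings[rel] = reasons
    return findings

def build_sample_site(base):
    """Write a constructed sample tree with inert placeholder content."""
    files = {
        "wp-content/index.php": "<?php // Silence is golden.\n",
        "wp-content/plugins/example-plugin/options.php":
            "<?php function example_options() { return array(); }\n",
        "wp-content/uploads/2024/01/cache.php":
            "<?php $p = '" + "QUJD" * 60 + "';\n",   # 240-char base64 run
    }
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, reasons in scan(site).items():
            print(rel, ", ".join(reasons))
```

A file flagged only as "common-hack-name", like the sample plugin's options.php, still needs a manual review before removal.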
In conclusion
Removing all the hack files is a significant task and requires considerable knowledge.
And that’s not even considering the lines of hack code that are injected into your existing files. You can find these by checking the modification dates, and this code is often placed above or below the original code.
The more you know, the easier it is to remove hack files.
Good luck!