For me as a WordPress specialist, it’s easy to see which files don’t belong on the server. But there are also several ways you can recognize a virus file or a spam file!
This is how you recognize a virus file
- The file has a different modification date on the server.
All files have the modification date from when you installed WordPress, but the virus file has a more recent date.
- The file contains code that is unreadable, all numbers and letters mixed together.
The file is often encrypted. All you can read then is eval65. This is the encoding, after which the numbers and letters come. The server executes this strange code like regular PHP, but it is not readable to humans the way regular PHP is.
- The file has a strange name.
Since the files should not be recognizable to virus scanners on the server, the name is generated, so you get random letters and numbers as the file name.
- Often the file is located in the httpdocs/root of the website.
Since directories change quite often, the hacking scripts often target the root directory of your website. But there is also a fairly good chance that there are multiple files. Consider the wp-includes folder and the uploads folder.
- 9 times out of 10, the file is a .php file.
PHP files can execute scripts, which is why they are usually PHP files and very occasionally HTML.
These are some ways to recognize files put on your server by a script. However, if your WordPress has a security hole, attackers can also inject lines of code into your existing files. Those injected lines are more difficult to detect.
They often put the lines of code in index.php, header.php, or the WordPress core files.
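The indicators listed above can be checked with a short script. This is an added example, not code from the original article: it flags .php/.html files that are much newer than the rest of the install, contain an unreadable encoded run, or have a random-looking name. The function names, the marker patterns (`eval`, `base64_decode`, `gzinflate`, `str_rot13`), the thresholds and the sample tree are all assumptions constructed for illustration.

```python
import os, re, statistics, tempfile
# Assumed obfuscation markers (not named on the page): a decoder/eval call plus a long encoded run.
DECODER = re.compile(rb"(eval|base64_decode|gzinflate|str_rot13)\s*\(")
BLOB = re.compile(rb"[A-Za-z0-9+/=]{200,}")
RANDOM_NAME = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}", re.I)  # mixed letters and digits

def scan(root, slack_days=2):
    """Return {relative path: [indicators]} for .php/.html files under root."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root)
             for n in names if n.lower().endswith((".php", ".html"))]
    if not paths:
        return {}
    # Most files share the install/update date, so the median mtime is the baseline.
    baseline = statistics.median(os.path.getmtime(p) for p in paths)
    findings = {}
    for p in paths:
        with open(p, "rb") as fh:
            data = fh.read(1_000_000)
        stem = os.path.splitext(os.path.basename(p))[0]
        reasons = []
        if os.path.getmtime(p) - baseline > slack_days * 86400:
            reasons.append("newer-than-install")
        if DECODER.search(data) and BLOB.search(data):
            reasons.append("unreadable-code")
        if RANDOM_NAME.fullmatch(stem):
            reasons.append("random-name")
        if reasons:
            findings[os.path.relpath(p, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample(root, installed=1_600_000_000, dropped=1_700_000_000):
    """Constructed sample tree: four clean files, one edited file, one dropped file."""
    clean = b"<?php\n// ordinary readable code\necho 'hello';\n"
    payload = b"<?php eval(base64_decode('" + b"QUJD" * 60 + b"'));\n"  # harmless filler
    tree = {"index.php": (clean, installed), "wp-includes/version.php": (clean, installed),
            "wp-includes/functions.php": (clean, installed),
            "wp-content/uploads/readme.html": (clean, installed),
            "wp-content/themes/demo/header.php": (clean + b"// injected line\n", dropped),
            "x7k2q9ab4.php": (payload, dropped)}
    for rel, (body, mtime) in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))  # set the modification date the scan compares

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(sorted(scan(tmp).items()))
```

A modification date can be reset by whoever placed the file, and plugin or theme updates legitimately change dates, so treat each hit as a file to open and read rather than as a verdict.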
Beware! Removing the files does not solve the problem. After that, it is important that you secure WordPress and make sure there is no malicious code left in your website. If there is a so-called backdoor in your website, attackers can still place files on your server through that route. And yes, this unfortunately happens often.