STEP 3: Review and Remove Erroneous Files
The next step is tedious and may yield no results. However, it’s probably the most critical. We’ll be searching for any files that look out of the ordinary or wouldn’t exist in a fresh WordPress installation. Therefore, you’ll need to download a copy of the WordPress installation files to compare files and folders against.
1) Download a clean copy of WordPress or, if your site was not running on the latest version of WordPress, download that previous version here (though, why wouldn’t you want to be on the latest?).
2) FTP to your site’s root directory – this is where the directories wp-admin and wp-content are located as well as the file wp-config.php.
3) Starting with the /wp-admin folder, compare each file with the fresh installation files. Continue with /wp-includes.
4) Continue with the /wp-content folders and files. Within it are your /themes, /plugins, and /uploads folders. Many of the unsafe files are found here, so be thorough in your investigation.
5) For any files found that do not correspond to the fresh install files, delete them. Said differently, delete any files that are not WordPress related. Here are some filenames others have encountered; however, malicious files will not necessarily have exactly the same names as those listed below:
Examples of files / filenames containing malware (not a comprehensive list):
- any .exe file within the wp-includes/js/jquery folder
- nod32security.exe
- wp-admin/upd.php
- /wp-content/upd.php
- abcdefxyz9534adcgfedcbaa.php (or similarly named/structured files)
- external_{MD5Hash}.php
- any reference to counter-wordpress.com should be removed from all html/php files
That should give you an idea of just what constitutes a strange or erroneous file.
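The comparison in steps 3 to 5 can be scripted once the site has been downloaded to a local folder. The following is an added example, not part of the original post: it assumes a local copy of the site and an unpacked clean WordPress download of the same version, the function names are hypothetical, and the name patterns are generalized from the list above (any .exe is flagged, not only those under wp-includes/js/jquery). It only reports findings and deletes nothing.

```python
import hashlib, re, tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # must match the clean download exactly
# Name patterns generalized from the filename list on this page.
SUSPICIOUS_NAME = re.compile(r"\.exe$|^upd\.php$|^external_[0-9a-f]{32}\.php$", re.I)
SUSPICIOUS_TEXT = b"counter-wordpress.com"

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site_root, clean_root):
    """Return (relative_path, reason) findings for a local copy of the site."""
    site, clean = Path(site_root), Path(clean_root)
    findings = []
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = path.relative_to(site)
        if rel.parts[0] in CORE_DIRS:
            reference = clean / rel
            if not reference.is_file():
                findings.append((rel.as_posix(), "not in clean install"))
            elif sha256(path) != sha256(reference):
                findings.append((rel.as_posix(), "differs from clean install"))
        # wp-content legitimately differs per site, so only patterns apply there.
        if SUSPICIOUS_NAME.search(path.name):
            findings.append((rel.as_posix(), "suspicious filename"))
        if path.suffix.lower() in (".php", ".html", ".htm") and SUSPICIOUS_TEXT in path.read_bytes():
            findings.append((rel.as_posix(), "references counter-wordpress.com"))
    return findings

def build_demo(base):
    """Write a small constructed site/clean pair (sample data, not real files)."""
    files = {
        "clean/wp-admin/index.php": "<?php // core",
        "clean/wp-includes/version.php": "<?php // version",
        "site/wp-admin/index.php": "<?php // core",
        "site/wp-admin/upd.php": "<?php",
        "site/wp-includes/version.php": "<?php // version, modified",
        "site/wp-content/themes/t/footer.php": "<?php /* counter-wordpress.com */",
        "site/wp-content/uploads/photo.jpg": "jpg",
    }
    for rel, text in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return Path(base) / "site", Path(base) / "clean"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in audit(*build_demo(tmp)):
            print(f"{reason:34} {rel}")
```

Review each reported file by hand before deleting it; a "differs from clean install" result also appears when the clean download is a different WordPress version than the site.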