Defender reporting many suspicious files

My website is infected with 300+ suspicious files, as the Defender file scanner shows.

  • Predrag Dubajic
    • Support

    Hi Inspira Digital,

    I have reviewed your installation(s) and there are a couple of things to note from there.
    The report from Defender mostly shows files that have the .hacked extension at the end of them. This suggests that some kind of cleanup was already attempted and that the suspicious files were renamed so that they stop being used by WP.

    I also checked your files via FTP, and while you have 18 sites, there are additional folders that are not related to those installations. Since our cleanup depends on the Defender file scan, we won’t be able to know if there are external folders that contain compromised files, since Defender will only scan the current installation and the files inside it; it doesn’t scan files outside of WP.

    And from what I saw in chat you don’t have any backups with clean files that could be used to restore the site to a previous clean state.
    I’m afraid that due to all of this we won’t be able to perform the cleanup for you, as we don’t know what was already done to try and clean it up, there’s no way to restore to previous clean backups, and we don’t know if any of the folders outside of WP are compromised, so even if we clean the WP site it can get infected again.

    My suggestion is to follow the below steps:
    – Create a backup of all your files on the server.
    – Check all folders outside of your WP installation, and if they are not used and not needed, delete them from your server.
    – Download a fresh/clean version of WP from https://wordpress.org/download/
    – Inside your site folders, remove all files and folders except for the /wp-content/ folder and the wp-config.php and .htaccess files.
    – Replace those removed files with the ones from clean WP installation that you downloaded.
    – Replace theme and plugin with fresh versions downloaded from their source (wp.org or their respective sites if it’s a pro plugin/theme) and update everything to the latest version.
    After this is done your server should be clean, and once it’s done I would suggest enabling Defender security tweaks to harden your site.

    Once all of that is done you can run another Defender file scan to check the WP files and if there are any reports left you can let us know here so we can check them out and see what could be done further.

    Best regards,
    Predrag
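
A pre-cleanup inventory for the steps in the reply above, as an added example (not part of the support reply and not Defender's own code). It lists the WordPress installs, the folders outside them that Defender does not scan, and every file already renamed to .hacked. The function names are hypothetical, and it assumes each site is a direct child folder of the web root and is recognised by its wp-config.php.

```shell
#!/bin/sh
# Added example: inventory a web root before the manual cleanup.
# Assumption: each WordPress install is a direct child folder of the web root
# and is recognised by its wp-config.php.

# Folders that contain a WordPress install (the part a Defender scan covers).
list_wp_roots() {
    for d in "$1"/*/; do
        [ -f "${d}wp-config.php" ] && printf '%s\n' "${d%/}"
    done
    return 0
}

# Folders outside any WordPress install: review by hand, delete if unused.
list_non_wp_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        [ -f "${d}wp-config.php" ] || printf '%s\n' "${d%/}"
    done
    return 0
}

# Files a previous cleanup renamed with a .hacked suffix, anywhere in the tree.
list_renamed() {
    find "$1" -type f -name '*.hacked' | sort
}

# Constructed sample layout so the script runs offline without a real server.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site1/wp-content/plugins/x" "$root/site2/wp-includes" "$root/old-stuff"
    : > "$root/site1/wp-config.php"
    : > "$root/site2/wp-config.php"
    : > "$root/site1/wp-content/plugins/x/helper.php.hacked"
    : > "$root/old-stuff/index.php.hacked"
    : > "$root/old-stuff/notes.txt"
    printf '%s\n' "$root"
}

# Pass the real web root as the first argument; without one the sample is used.
WEBROOT=${1:-$(make_sample_root)}
echo "WordPress installs:";        list_wp_roots "$WEBROOT"
echo "Folders outside WordPress:"; list_non_wp_dirs "$WEBROOT"
echo "Renamed .hacked files:";     list_renamed "$WEBROOT"
```

Run it after taking the backup and before deleting anything, so the list of .hacked files and unscanned folders is recorded alongside the backup.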