?ver=' type='text/css' media='all' />

Wordfence: Files found that don't belong to WordPress Core or known Themes and Plugins.

Please note: To use this utility, you must enable scanning of Core, Theme and Plugin files on the Wordfence options page. Theme scanning is currently disabled. '; } ?> Plugin scanning is currently disabled. '; } ?> If you don't have core, theme and plugin scanning enabled, then the list below will not be very useful because Wordfence won't recognize known core, theme and plugin files. If you have the option enabled to "Scan files outside your WordPress installation" enabled, then you may find that this list is very long because it will include files in all your directories.

What is in this list: When Wordfence does a scan, it separates files on your system into two lists. The first list is files that belong to WordPress Core or a known theme or plugin. The second list is all other files.

If a file belongs to WordPress Core or a known theme or plugin, we do an integrity check and let you know if it has been modified. The integrity check we do on known Core, theme and plugin files is a very reliable way to detect compromised files. It is impossible as far as we know for a hacker to fool this scan because we are comparing your files to known originals on our secure scanning servers. If the file is modified, we let you know with a warning or critical alert in the scan results.

If the file does not belong to WordPress Core or a known theme or plugin, we scan it for security problems. We have a pretty good detection rate for this second scan, but for very advanced or sneaky attacks our admin's sometimes prefer to examine these files by hand. If you would like to look at these non-integrity checked files, we provide you with the list below. You can click on any file to view the contents and see if it has been hacked.

Files that you will find in this list are:

Files belonging to commercial themes that are not in the open source WordPress theme repository
Files belonging to commercial plugins that are not in the open source WordPress repository
Files created by themes or plugins
Files created by you on your WordPress installation by uploading them through WordPress or a utility like FTP or SFTP
Files that a hacker put on your system to create a back-door, distribute spam or for another nefarious purpose.

How to use this list to clean your system if it is infected:

First sort by most recently modified files by clicking the "Last Modified" column. You may have to click it twice.
Examine recently modified files by clicking them to view the file and check if it is infected. This is often the most reliable way to find an infection.
Then sort by "Full File Path" and look at files that aren't one of your custom themes or plugins.
Note that custom themes and plugins live in the /wp-content/themes/ and /wp-content/plugins directories.
Then start going through your themes and plugins to see if they are infected.

Files that don't belong to WordPress Core, or to a theme or plugin in the WordPress Repository:

0){ $filenameLen = unpack('n', substr($fileList, 0, 2)); $filenameLen = $filenameLen[1]; if($filenameLen > 1000 || $filenameLen < 1){ continue; } $file = substr($fileList, 2, $filenameLen); $fileList = substr($fileList, 2 + $filenameLen); $fullFile = $path . $file; if(! file_exists($fullFile)){ continue; } $fileExt = ''; if(preg_match('/\.([a-zA-Z\d\-]{1,7})$/', $file, $matches)){ $fileExt = strtolower($matches[1]); } $isPHP = false; if(preg_match('/^(?:php|phtml|php\d+)$/', $fileExt)){ $isPHP = true; } // http://test3.com/?_wfsf=view&nonce=c1ad72bcbd&file=wp-content%2Fplugins%2Fwordfence%2Flib%2Fmenu_options.php $viewLink = wfUtils::siteURLRelative() . '?_wfsf=view&nonce=' . wp_create_nonce('wp-ajax') . '&file=' . urlencode($file); $stat = stat($fullFile); if(function_exists('posix_getpwuid')){ $owner = posix_getpwuid($stat['uid']); $owner = $owner['name']; } else { $owner = "unknown"; } if(function_exists('posix_getgrgid')){ $group = posix_getgrgid($stat['gid']); $group = $group['name']; } else { $group = 'unknown'; } $perms = substr(sprintf('%o', fileperms($fullFile)), -4); $files[] = array($file, $fullFile, $stat['size'], $stat['mtime'], $viewLink, $owner, $group, $perms); } function wfUKFcmp($a, $b){ $idx = $_GET['sort'] ? $_GET['sort'] : 2; if($_GET['dir'] == 'rev'){ $tmp = $a; $a = $b; $b = $tmp; } $type = 'num'; if($idx == 1 || $idx == 5 || $idx == 6 || $idx == 7){ $type = 'str'; } if($a[$idx] == $b[$idx]){ return 0; } if($type == 'num'){ return ($a[$idx] < $b[$idx]) ? -1 : 1; } else { return strcmp($a[$idx], $b[$idx]); } } usort($files, 'wfUKFcmp'); $sortLink = wfUtils::siteURLRelative() . '?_wfsf=unknownFiles&nonce=' . wp_create_nonce('wp-ajax') . '&sort='; $sortIDX = $_GET['sort']; if(! $sortIDX){ $sortIDX = 2; } $sortDir = $_GET['dir']; if(! $sortDir){ $sortDir = 'fwd'; } ?>

All columns are sortable. Click the heading to sort a column. Click again to sort in reverse direction.
If you are cleaning a hacked site, start by sorting files by most recently modified and view those files first.

'; } echo "

File Size in Bytes	Last modified	Owner	Group	Permissions	Full file path
' . wfUtils::formatBytes($files[$i][2]) . '	' . wfUtils::makeTimeAgo(time() - $files[$i][3]) . ' ago.	' . $files[$i][5] . '	' . $files[$i][6] . '	' . $files[$i][7] . '	' . $files[$i][1] . '

"; } else { ?>

You either have not completed a scan recently, or there were no files found on your system that are not in the WordPress official repository for Core files, themes and plugins.