It isn’t normal for extra files/folders to appear in WP core folder. The only location that is considered writable is under wp-content
and easily writable is uploads
, or whatever they are customized to.
If it appears malicious, behaves malicious, and security tool thinks its malicious — it’s a safe guess that it is. It also might not be malicious itself, but used as part of malicious payload for utility purposes (open source! :).
Related Posts:
- What is the difference between a cer, pvk, and pfx file?
- How to solve “Kernel panic – not syncing – Attempted to kill init” — without erasing any user data
- What’s the best approach for generating a new API key?
- Is it possible to decrypt SHA1
- How does the SQL injection from the “Bobby Tables” XKCD comic work?
- Error `sec_error_revoked_certificate` when viewed in Firefox only
- Convert .pfx to .cer
- Why should I use the esc_url?
- Where to securely store API keys and passwords in WordPress?
- Why escape if the_content isnt?
- Full path disclosure on rss-functions.php
- What to use instead of wp_kses() in user output
- Are the default salts secure?
- is_email() VS sanitize_email()
- Subscribe to email for security fixes?
- How to escape custom css?
- Understanding SVG vulnerabilities in WordPress related to a specific fix
- Moving wp-config.php: Can this be done after site launch?
- How to secure or disable the RSS feeds?
- What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end
- Disable external access to REST API Endpoint
- Make password invalid once logged out of password-protected page
- How to get WordPress to save upload file beyond web root [closed]
- Is security a problem in WordPress?
- Moving wordpress out of the public directory
- WordPress salts set in config and database
- Logout via Subdomain, non-wordpress page on a different server?
- Disallow file edit not preventing plugin install
- How to secure WordPress XMLRPC?
- Protecting HTML5 video [closed]
- How can I tell who changed the password?
- WordPress website Security [closed]
- Do I need to use the esc_html() function on hard coded links?
- Can’t reset WordPress password
- How to prevent bot or someone to modify any file automatically?
- WordPress Malware Problem help! [duplicate]
- Frontend Password change
- Restrictive File Permissions
- Downloading File from Outside Web Root
- Why are xmlrpc.php and wp-cron.php being called so often?
- Using esc_html with HTML purifier and CSSTidy: Overkill?
- wordfence scan warning on W3 Total Cache [closed]
- site get login attempts after htaccess ip restriction
- Is it good security advice to install wordpress in subdirectory but link to root?
- wp-config.php modified?
- Moving wp-config.php up 2 levels
- How Could I sanitize the receive data from this code
- WordPress SQL Injections through User Agent
- Suspicious Files
- How to save iframe tag into a post?
- How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
- neccessary?
- What permissions should I give directories if I want to make WordPress more secure?
- How to protect wp-admin through .htaccess?
- Something is unescaping all html entities before output to browser [closed]
- my wordpress website is suspended [closed]
- Is wp_kses the right approach in sanitizing this string?
- iTheme Security always lockout my account [closed]
- Is it sensible to worry about sanitizing admin input in plugin custom CSS?
- Renaming install.php for security?
- Is WordPress MultiSite secure & how much can it scale? [closed]
- Limit Login Attempts BEFORE PHP is executed?
- Which Versions of WordPress Ship with the Patched TimThumb?
- Safe to say WordPress security releases don’t have database upgrades
- Use global variables or function that returns said variables for site-wide private-ish WP settings?
- How safe is current_user_can()?
- fail2ban to prevent Brute Force Attacks on WordPress?
- Is it safe to give wordpress directories ownership to www-data?
- Use Google authentication for pages within a website [closed]
- How to give the same error message when the wrong password or wrong username is used?
- should I escape a literal url added in functions.php
- Someone keeps changing my SITEURL (mysql injection or xss?) [closed]
- Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
- Adding Security Keys?
- How might I sanitize an XML file before WP Import? (Does wordpress verify or clean text when importing from an XML document? )
- Secret keys in SCM
- Secure Server after configuration
- Uploading attachment (pdf) and prevent download for anonymous user
- After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
- Specific Page/Post Need to Stay Non SSL
- Block JSON access over the net
- Can someone do something to my website if I posted a snapped image of the header and covered my logo? (On reddit, when explaining a question)
- Scan multiple websites for malware that are in same webhost root?
- The in-famous Unable to locate WordPress Content directory (wp-content) and the Direct Method
- Security: AWS (shared hosting) claims template file malicious
- Why are the latest visits to my website originating from my own website?
- How to check whether a site has been compromised without browsing into it?
- My site thinks it’s secure when it is fact not
- Is it possible to only have the admin interface bind to the local loopback?
- PHP Code Sniffer – WordPress VIP Coding Standards
- Trying to understand nature of hacking
- What is the best security $_POST method?
- Default installation permissions for wp-config.php
- Correct setup to block file modifications from hackers
- Is my WP site being hacked?
- Move data from wp-config to another file
- How do you search for backdoors from the previous IT person?
- Heartbleed: What is it and what are options to mitigate it?
- OpenVPN vs. IPsec – Pros and cons, what to use?
- How to test if my server is vulnerable to the ShellShock bug?