A few Wordpress blogs I overlook have suddenly generated 3 PHP files in their top folder: wp-app.php, wp-apps.php, and wp-register.php, not of which existed before. Checking their contents against a few Google searches suggests I have been infiltrated by a common Wordpress exploit.
Since they keep regenerating, I thought about blanking them and setting file permissions to readonly or less. But if they're needed by WP I don't want to compromise site functions.
A few Wordpress blogs I overlook have suddenly generated 3 PHP files in their top folder: wp-app.php, wp-apps.php, and wp-register.php, not of which existed before. Checking their contents against a few Google searches suggests I have been infiltrated by a common Wordpress exploit.
Since they keep regenerating, I thought about blanking them and setting file permissions to readonly or less. But if they're needed by WP I don't want to compromise site functions.
Share Improve this question asked Mar 20, 2014 at 17:08 user1729506user1729506 1372 silver badges7 bronze badges3 Answers
Reset to default 2But if they're needed by WP I don't want to compromise site functions.
Those are not Core files.
It is possible that a plugin has added the files legitimately but the behavior described suggests a hack. Recovering from hacks is off-topic here though, as it usually requires hands-on server access and is often very localized.
Google the file names like wp-apps.php and you'll find that they can be hacking files; previous hacks used files of the same name: http://www.google/search?&q=wp-apps.php
"Since they keep regenerating,..." that means they are being uploaded each time or being recreated with another script.
Download a new archive of WordPress and you'll see the standard files and folders and/or see s_ha_dum's link to https://core.trac.wordpress/browser/trunk/src
See FAQ: My site was hacked « WordPress Codex
There is a possibility that is it just an old (old) version of Wordpress which did have a file at the root level called wp-app.php. See below the comment from the header of the file.
wp-app.php - Atom Publishing Protocol support for WordPress
So this is not always a sign of a hack. It may just be a sign that you badly need to upgrade Wordpress (and delete older files left behind from previous versions).