I’ve been looking at my WordPress files and noticed that my PHP files look a little bit bigger than they used to be before. Has my site been hacked?
Inflated files are certainly one way to find out if something is going on with your site. If you’re seeing bigger files the chances are that you’ve been infected by some form of malware. Here’s a quick way you can find out whether this is the case. If you look in your wp-content folder, there’s usually a file called index.php that’s just a placeholder. If should only be a few bytes long and if you open it up you should see this:
If it’s much larger you probably have been a problem on your hands. Here’s what an infected file looks like:
That code you’re looking at is obfuscated PHP, encoded in a way that hides what it does. Different types of malware work in different methods, but most times they scan for other PHP files and infect them too. They normally also have a different payload that appends content to the site, opens attack vectors to other sites, sends spam or some other nefarious purpose.
If you do find something like this you’ll need to start cleaning up your site, removing infected files and either cleaning them manually or replacing them with original copies. Hopefully the infection wouldn’t have spread too far.
So, how do you avoid this sort of thing happening. The key is to make sure your site is always updated. WordPress updates, theme updates, plugin updates; all of these need to be applied as soon as possible. Yes, there’s a risk that some of the site functionality may be compromised or impacted in some way; but dealing with that issue is preferable to having to clean up a messed up site, believe me I’ve cleaned up a number of these. Anyway, if you need help cleaning one up, just leave me a comment!