Look at these files! Is my site hacked? Are these files supposed to be there?

The Unrecognised File Scanner is designed to do one thing:

Find and report on any files in your core WordPress directories that do not belong to the original core files as distributed from WordPress.org.

If it reports on a file that you believe to be legitimate for any reason whatsoever, that doesn't mean the system is broken. It means that you're storing, whether you realised it or not, non-WordPress core files in the core WordPress directories.

To prevent any further emails about these files (or any other files), your only option is to switch off the Unrecognised File Scanner. To do this:

  1. Go to the 'Hack Guard' module inside the Shield Security plugin within WordPress.
  2. Click the 'Unrecognised Files Scanner' tab.
  3. Change the first option to 'Disabled'.
  4. Click the 'Save' button.

We, the people at iControlWP/Shield, don't know whether these files on your site are valid, if they should be there, if they're hacked files, or whatever they could be.

As the site administrator, it's your role to now investigate and determine what they are and if you need to do anything about them. We cannot answer that question for you.

Before you received these emails you were unaware that non-standard WordPress files were present in your WordPress core directories. Perhaps they're fine. If you think they're fine, you can turn off the scan as outlined above.
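
To help with that investigation, here is an added example (not Shield's own code) of the kind of check described above: it lists every file under the core directories that is not in a known list of core files, then separates likely PHP error logs from files that need a closer look. The directory names, the error-log file names and the sample file list are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: the "core WordPress directories" are wp-admin and wp-includes.
CORE_DIRS = ("wp-admin", "wp-includes")
# Assumption: common PHP error log file names; your host may use others.
ERROR_LOG_NAMES = {"error_log", "php_errorlog"}
# Constructed sample; a real list would hold every file of your WordPress release.
KNOWN_CORE_FILES = {"wp-admin/index.php", "wp-includes/version.php"}


def find_unrecognised(wp_root, known_files):
    """Return sorted relative paths under CORE_DIRS that are not in known_files."""
    found = []
    for core_dir in CORE_DIRS:
        base = os.path.join(wp_root, core_dir)
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
                rel = rel.replace(os.sep, "/")  # compare with forward slashes
                if rel not in known_files:
                    found.append(rel)
    return sorted(found)


def triage(paths):
    """Split unrecognised paths into likely PHP error logs and files to review."""
    logs = [p for p in paths if p.rsplit("/", 1)[-1] in ERROR_LOG_NAMES]
    return {"error_logs": logs, "review": [p for p in paths if p not in logs]}


def demo():
    """Build a constructed sample site in a temp directory and scan it."""
    extras = {"wp-admin/error_log", "wp-includes/css/extra.php"}
    with tempfile.TemporaryDirectory() as root:
        for rel in sorted(KNOWN_CORE_FILES | extras):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample\n")
        return triage(find_unrecognised(root, KNOWN_CORE_FILES))


if __name__ == "__main__":
    print(demo())
```

Files in the "review" list are the ones to open and inspect; a file in "error_logs" should still be read to confirm it really is a log.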

Another type of file that is found in the core directories is the PHP error log.

What is the PHP error log file?

There are different types of errors, and depending on the nature of your site, you'll want easy access to them. These errors can be simply notices or warnings, or they could be more serious and even "fatal".

PHP will output these errors to a file, or even to the screen (your web page), or do both, depending on how it's configured.

How errors are handled is up to you. You can change what gets logged, and where they're output to.

How to handle PHP errors?

There are many ways to handle PHP errors. Here are the simplest ones:

  • tell PHP whether or not to display errors, i.e. output them to your web pages
  • tell PHP which error levels to output
  • tell PHP which file to output the errors to
  • tell PHP not to log any errors!

Find out here how to make PHP errors behave just how you want them to.