Title: replace hacked files
Last modified: March 18, 2017

---

# replace hacked files

 *  [jhaber31](https://wordpress.org/support/users/jhaber31/)
 * (@jhaber31)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/replace-hacked-files/)
 * _[ Moderator note: [moved to Fixing WordPress](https://wordpress.org/support/topic/wheres-my-topic-gone?replies=1&view=all).]_
 * I got a call from my Web host, FatCow, saying that my site had been hacked. I
   can’t swear that they’re not just trying to sell me security, since the site 
   looks normal, but I’m of course worried. They provided two scan files. One identified
   no problems. The other pointed to footer.php, at least to my eyes, plainly benign.
   Yet it also pointed to a /blog/wp-includes/index/log file, and I don’t have the
   expertise to judge this one.
 * I’ve updated WordPress and all plug-ins, which may have overwritten problematic
   files already. But can I obtain clean copies of the needed files if that’s needed?
   Of course, I can copy here the text of the log file if it helps, and apologies
   if I have asked this before, since FatCow has raised odd alarms before.

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/replace-hacked-files/#post-8928312)
 * – The [Exploit Scanner](https://wordpress.org/plugins/exploit-scanner/) plugin
   can help detect damage so that it can be cleaned up. Here is another online
   scanner to check for exploits and malware: [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/).
   Other things you should do:
    - Change passwords for all users, especially Administrators and Editors.
    - If you upload files to your site via FTP, change your FTP password.
    - Re-install the latest version of WordPress.
    - Make sure all of your plugins and themes are up-to-date.
    - Update your [security keys](https://codex.wordpress.org/Editing_wp-config.php#Security_Keys).
    - See FAQ [My Site Was Hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked).
 * – Just cleaning out files isn’t enough. When you’re done, you may want to implement
   some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 *  Thread Starter [jhaber31](https://wordpress.org/support/users/jhaber31/)
 * (@jhaber31)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/replace-hacked-files/#post-8929346)
 * Thanks, but I’ve read the standard document as you mention and indeed cite pretty
   much verbatim, and you may have misread the question. We have already scanned
   and pinned any issues down to two files.
 * I want to see if I can obtain clean copies of those two — or if I already have
   from the upgrades yesterday. (Note that I also updated all plugins and themes,
   including themes I would never use.) I want to avoid if I possibly can installing
   WordPress again from scratch, because it would be time consuming but also because
   I’m scared that I’d fail to replicate my site, which had assistance. I’ve backed
   up files, both by exporting my data with the export tool and by copying via ftp
   various folders to my computer. But then, of course, I’d be afraid to upload 
   any files that might be themselves the problem.
 *  Thread Starter [jhaber31](https://wordpress.org/support/users/jhaber31/)
 * (@jhaber31)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/replace-hacked-files/#post-8929861)
 * To put it another way, what does that index/log file do, and can I easily replace
   it or even delete it hoping that WordPress will regenerate it? I’ve also since
   installed a security plug-in and activated its firewall.
 *  Thread Starter [jhaber31](https://wordpress.org/support/users/jhaber31/)
 * (@jhaber31)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/replace-hacked-files/#post-8931378)
 * Let me add a couple of things that might help and might require your expertise.
 * First I examined the two files to see if I can understand what they do. Frankly,
   I can’t, but I’ll say footer.php has two short sections. One is
 * and the other involves sape_links. While they look benign at first glance, to
   do with fonts and such, I Googled for SAPE and saw only old hits variously describing
   it as a Russian network or conversely something useful in SEO. The other file,
   index/log, has one long section beginning class SAPE_globals. Does this sound
   dangerous? I should say that the index subfolder contains over 200 files, all
   ending links.db and with my domain name in the file name.
 * Second, I downloaded the WordPress zip file to my computer. I see that the corresponding
   folder has neither a footer.php file nor an index subfolder. Given that, should
   I take a shot at deleting both and seeing if that solves the problem without 
   crippling my site? Thank you. Of course, again, I’ve updated WordPress, plug-
   ins, and themes; changed passwords, and also added the All in One Security plug-
   in and activated its basic firewall.
    -  This reply was modified 9 years, 2 months ago by [jhaber31](https://wordpress.org/support/users/jhaber31/).
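
The manual check described in the last post (comparing the live site against a freshly downloaded WordPress zip) can be scripted. The following is an added example, not part of the thread: it lists files under `wp-admin` and `wp-includes` that the clean extract does not contain, files whose contents differ, and files containing the `SAPE_globals` / `sape_links` strings quoted above. The function names and the two demo trees are constructed for illustration, and it assumes the clean extract is the same WordPress version as the site.

```python
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")     # shipped whole by every release
MARKERS = (b"SAPE_globals", b"sape_links")  # strings quoted in the thread


def core_files(root):
    """Map relative path -> Path for every file under the core directories."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p
            for d in CORE_DIRS for p in (root / d).rglob("*") if p.is_file()}


def audit(clean_root, site_root):
    """Compare a live tree with a clean extract of the same WordPress version."""
    clean, site = core_files(clean_root), core_files(site_root)
    extra = sorted(set(site) - set(clean))        # not part of core at all
    modified = sorted(n for n in set(site) & set(clean)
                      if site[n].read_bytes() != clean[n].read_bytes())
    flagged = sorted(n for n, p in site.items()
                     if any(m in p.read_bytes() for m in MARKERS))
    return {"extra": extra, "modified": modified, "flagged": flagged}


def build_demo(base):
    """Constructed sample trees: a clean extract and a tampered copy of it."""
    base = Path(base)
    files = {"wp-includes/version.php": "<?php $wp_version = 'x';\n",
             "wp-admin/index.php": "<?php // dashboard\n"}
    for tree in ("clean", "site"):
        for rel, body in files.items():
            path = base / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    (base / "site/wp-admin/index.php").write_text("<?php // dashboard changed\n")
    log = base / "site/wp-includes/index/log"     # extra subfolder, as in the post
    log.parent.mkdir(parents=True)
    log.write_text("<?php class SAPE_globals {}\n")
    return base / "clean", base / "site"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, names in audit(*build_demo(tmp)).items():
            print(kind, names)
```

Only the core directories are compared because `wp-content` (themes, plugins, uploads) is site-specific and has no counterpart in the release zip. Where WP-CLI is available, `wp core verify-checksums` performs the same core check against the official checksums.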

The topic ‘replace hacked files’ is closed to new replies.

## Tags

 * [infection](https://wordpress.org/support/topic-tag/infection/)
 * [Log file](https://wordpress.org/support/topic-tag/log-file/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 4 replies
 * 2 participants
 * Last reply from: [jhaber31](https://wordpress.org/support/users/jhaber31/)
 * Last activity: [9 years, 2 months ago](https://wordpress.org/support/topic/replace-hacked-files/#post-8931378)
 * Status: not resolved

