shell.php user.php fake .php

Those are standard Bot recon probes to check if your website is hacked. 99% of hacking is automated using Bots. You can ignore those 404 errors since the hacker files don’t exist and Google will not penalize you for those 404 errors.

Hacker bot probes occur every day all day long. You don’t need to be concerned about them at all. I will post some htaccess code to block these bot probes, but what is most important for you to understand is the bot probes are meaningless and do not cause any problems for websites. So the best thing to do is just to ignore them.

This code will block specific filenames. Replace filename.php with the actual filenames you would like to block. Filenames are separated by the pipe operator | which means “or” in htaccess code. Add this code in BPS Root Custom Code text box: 14. CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE

Click the Save Root Custom Code button to save the code. Activate Root folder BulletProof Mode to have this code written to your root htaccess file. You will repeat that process each time you edit this code.

# BEGIN BPS DENY ACCESS TO FILES
<FilesMatch "^(filename\.php|filename\.php|filename\.php)">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
<IfModule mod_access_compat.c>
Order Allow,Deny
Deny from all
</IfModule>
</IfModule>
</FilesMatch>
# END BPS DENY ACCESS TO FILES