Title: .php.suspected
Last modified: August 31, 2016

---

# .php.suspected

 *  Resolved [electroset](https://wordpress.org/support/users/electroset/)
 * (@electroset)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/phpsuspected/)
 * Wordfence Scan is coming back clean, but Im manually finding files that have 
   been renamed to xxx.php.suspected
    I can find reference to this problem online,
   but no easy fix is offered. I can’t open those ‘suspected’ files in Dreamweaver
   as it says they are not valid files. Should Worfence pick these files up and 
   alert me that additional files have been created? Anyone have a current solution
   to this apparent hack? Im running the latest of everything. Worfence scans clean.
   Filenames are then changed and my site starts sending spam. 🙁
 * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/)

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [wflandon](https://wordpress.org/support/users/wflandon/)
 * (@wflandon)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/phpsuspected/#post-7417188)
 * Hi electroset,
 * I am not sure why Wordfence is not finding those, but we will look into it.
 * It does seems to be an exploit of some kind. You should read this thread. [https://wordpress.org/support/topic/link-templatephpsuspected/page/2?replies=60](https://wordpress.org/support/topic/link-templatephpsuspected/page/2?replies=60)
   There are some suggestions in there on how to clean your site. You can also contact
   your host to see if they can help identify the source of the problem.
 *  [whitefirdesign](https://wordpress.org/support/users/whitefirdesign/)
 * (@whitefirdesign)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/phpsuspected/#post-7417189)
 * From what we have seen, files with a .suspected extension would usually be files
   that your web hosts had identified as possibly being malicious and renamed so
   they can not be run. The web host may also change the permissions so that they
   can not accessed by you or software running on the website. Have you contacted
   your web host to see if they know anything about them?
 * Usually evidence of how a website is being hacked would show up in the HTTP or
   FTP log files for the website, have you reviewed those yet?
 *  [mountainguy2](https://wordpress.org/support/users/mountainguy2/)
 * (@mountainguy2)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/phpsuspected/#post-7417190)
 * Electro, to open those files just change the extension to something Dreamweaver
   is set up to edit. I usually use .txt. I’ve used Dreamweaver for years, in my
   ver, use Preferences/FileTypes/Open-in-Code-View to get it set up for working
   on modern WordPress websites .txt and .php, etcetera. Add .htaccess as a file
   extension while you’re at it and you’ll be able to edit those as well…
 * Hope that helps. (Am assuming you download the files to your local site image,
   re Dreamweaver work flow.)
 * MTN
 *  Thread Starter [electroset](https://wordpress.org/support/users/electroset/)
 * (@electroset)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/phpsuspected/#post-7417196)
 * Thanks for your suggestions. From my research, it became obvious it’s a nasty
   website hack, with those effected not 100 sure how they got it; many reporting
   ongoing problems.
    It was a relatively small site, so I copied page text and 
   images folder, deleted the domain, and started from scratch. Annoying… but the
   safest way for me to confirm there was no sleeper code. Wordfence was the first
   plugin activated, so Im sure Im better protected than before. 🙂 Thanks.
 *  [wflandon](https://wordpress.org/support/users/wflandon/)
 * (@wflandon)
 * [9 years, 11 months ago](https://wordpress.org/support/topic/phpsuspected/#post-7417197)
 * Hopefully you are good to go now!
 * Marking this post resolved. Feel free to update it if you have anything to add.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘.php.suspected’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

 * 5 replies
 * 4 participants
 * Last reply from: [wflandon](https://wordpress.org/support/users/wflandon/)
 * Last activity: [9 years, 11 months ago](https://wordpress.org/support/topic/phpsuspected/#post-7417197)
 * Status: resolved