Psst! Have you left a back door open on your website? New WordPress security tool

If you have my favourite WordPress security tool installed, BPS Bulletproof Security, you might have started receiving emails with subject lines like this recently:

BPS Alert: Hidden Plugin Folders|Files (HPF) Alert – June 29, 2016 – 8:28 am

If not, you might want to install this security plugin because it is doing a good job of snooping around the back blocks of your website, looking for old (or new) files and folders that shouldn’t be there.

Here’s what it is doing and how you should respond.

WordPress plugins come and go and some leave a trace

One of the most helpful aspects of WordPress is having access to 45,384 plugins that add extra functionality to our websites.

Plugins can add ecommerce, analytics, backups, maps, forms, fancy displays, calculators, forums, etc.

BPS Bulletproof Security has long been my favourite because it acts like a security guard sitting at the front door of my websites, checking visitors in and out. Its new Hidden Plugin Folders|Files feature turns it into a mobile security guard as well, one who pokes around the back end of your website with a torch, looking for doors and windows left open.

This is very helpful: if you remove a plugin and it fails to delete its folder from your web host, you are left with an unnecessary area in the back end of your site that could provide cover for crooks and hacker pests to enter your website unnoticed.

Worse still, the BPS security guard might actually uncover a completely foreign file or folder created by internet pests, which is better found sooner rather than later.

What to do when the WordPress security tool emails you

If you are running BPS Bulletproof Security, and it finds something suspicious, its emails will contain text like this:

The BPS Hidden Plugin Folders|Files (HPF) Cron has detected a hidden or empty plugin folder or a non-standard WP file or altered file in the /plugins/ folder. To view exact details of what was detected, log into your website and check the Hidden Plugin Folders|Files (HPF) Dashboard Alert.

The first thing to do is to log into your website, where BPS will display a more comprehensive message at the top of ANY admin screen, for example:

BPS Hidden Plugin Folder|Files (HPF) Alert
A plugin folder was found in your /plugins/ folder that is either a hidden plugin (plugin that is not displayed on the WordPress Plugins page) or an empty plugin folder. You can either delete this folder or if you recognize this folder and/or it is safe to ignore this folder you can ignore this folder check by adding the folder name in the Ignore Hidden Plugin Folders & Files textarea box option to make this Alert go away.
Plugin Folder Path: /home/yourname/public_html/
Last Modified Time: January 21, 2016 @ 12:43 pm
Last Change Time: April 24, 2016 @ 6:46 am
Last Access Time: June 29, 2016 @ 4:57 am

If you take an active interest in your website, you will probably recognise the name of the ‘mystery folder’ and be able to log into your cPanel web hosting or use FTP software like FileZilla, hop into your back end and delete the offending file or folder.

However, if you do not recognise it OR you are not sure how to do the above steps, reach out for help from your webmaster ASAP.

It might be something quick, like closing a screen door that is banging in the wind, or it might have uncovered evidence of tampering which will need further investigation and action.

Either way, it is better to have this nosey guard on your site so we can move quickly than to wake up one day to discover your site (and business or reputation) has been trashed.

Today might be a good day to install BPS or start responding to these emails if you’re receiving them.

Can I stop the alerts?

I wouldn’t suggest it. However, if you discover that a particular alert relates to a safe part of your website, you can tell BPS to ignore it and stop sending alerts by copying the path to the file or folder into the box called Ignore Hidden Plugin Folders & Files on the BPS Security index screen, like so:


After pasting that path from the BPS alert into the box, click Save Plugin File/Folder Rules and you’ll stop getting alerts for that particular file or folder.

Safe examples might be error_log files, or known folders and files that you want to keep on your server.
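To make the two ideas above concrete, the kind of check the HPF alert describes (a folder in /plugins/ that WordPress would not list as a plugin, an empty plugin folder, or a stray file) and the ignore list that silences a known-safe entry such as error_log, here is a small Python script that applies those rules to a plugins folder and prints the same three timestamps the BPS dashboard alert shows. It is an added example written for this page, not BPS code and not a description of how BPS is implemented; the names scan_plugins_dir, STANDARD_FILES and the sample tree it builds are my own assumptions. The one WordPress fact it relies on is that core recognises a plugin by a "Plugin Name:" header in the first 8 KiB of a top-level PHP file.

```python
"""Added example: re-implement the HPF-style check on wp-content/plugins/.
Not BPS code; rule names and helper names are hypothetical."""
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime

# WordPress identifies a plugin by a "Plugin Name:" header within the first
# 8 KiB of a top-level PHP file; the regex mirrors the core header parser.
HEADER_BYTES = 8192
PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.MULTILINE | re.IGNORECASE)
# The only file WordPress itself ships at the top of /plugins/ (assumption).
STANDARD_FILES = {"index.php"}


@dataclass
class Finding:
    kind: str    # "empty plugin folder", "hidden plugin folder" or "non-standard file"
    name: str    # entry name inside /plugins/
    times: dict  # Last Modified / Last Change / Last Access, as in the BPS alert


def plugin_name(php_path):
    """Return the Plugin Name header of a PHP file, or None if it has none."""
    try:
        with open(php_path, "rb") as fh:
            head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    except OSError:
        return None
    match = PLUGIN_NAME_RE.search(head)
    return match.group(1).strip() if match else None


def file_times(path):
    """Report the same three timestamps the BPS dashboard alert prints."""
    st = os.stat(path)
    fmt = "%B %d, %Y @ %I:%M %p"
    return {
        "Last Modified Time": datetime.fromtimestamp(st.st_mtime).strftime(fmt),
        "Last Change Time": datetime.fromtimestamp(st.st_ctime).strftime(fmt),
        "Last Access Time": datetime.fromtimestamp(st.st_atime).strftime(fmt),
    }


def scan_plugins_dir(plugins_dir, ignore=()):
    """Flag entries in /plugins/ that WordPress would not list as plugins.

    `ignore` plays the role of the "Ignore Hidden Plugin Folders & Files" box:
    any entry name in it is skipped without being reported.
    """
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        if entry in ignore:
            continue
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            children = os.listdir(full)
            php_files = [c for c in children if c.endswith(".php")]
            if not children:
                kind = "empty plugin folder"
            elif not any(plugin_name(os.path.join(full, p)) for p in php_files):
                kind = "hidden plugin folder"  # nothing here shows on the Plugins page
            else:
                continue  # a real, listed plugin
        elif entry in STANDARD_FILES or (entry.endswith(".php") and plugin_name(full)):
            continue  # index.php or a single-file plugin such as hello.php
        else:
            kind = "non-standard file"
        findings.append(Finding(kind, entry, file_times(full)))
    return findings


def build_sample_tree():
    """Constructed sample /plugins/ folder in a temp dir: two legitimate plugins,
    one empty leftover folder, one folder with no plugin header, one stray file."""
    root = tempfile.mkdtemp(prefix="plugins-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    write("index.php", "<?php\n// Silence is golden.\n")
    write("hello.php", "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n")
    write("akismet/akismet.php", "<?php\n/**\n * Plugin Name: Akismet Anti-Spam\n */\n")
    write("leftover-widget/readme.txt", "folder left behind after the plugin was removed\n")
    write("error_log", "[29-Jun-2016 04:57:12] PHP Notice: constructed log line\n")
    os.mkdir(os.path.join(root, "old-gallery"))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # error_log is the known-safe entry from the article, so it is ignored here.
    for f in scan_plugins_dir(root, ignore={"error_log"}):
        print(f"{f.kind}: {f.name}")
        for label, value in f.times.items():
            print(f"  {label}: {value}")
```

Run it and the empty old-gallery folder and the header-less leftover-widget folder are reported with their timestamps, while akismet, hello.php and index.php pass and error_log is silenced by the ignore set. Point scan_plugins_dir at a real wp-content/plugins/ path (read-only, over SSH) if you want a second opinion on what BPS has flagged before deleting anything.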


Image: “Back door” by Frank Michel via Flickr, CC BY 2.0.