WordPress 3.5 Upgrade: Unneeded Files Cleanup

Upgrades to WordPress are important to keep hackers from destroying your site and your index status on Google Search. After upgrading to WordPress 3.5, some preexisting files remain that should also be deleted. These now-unused files can be hijacked by hackers to damage your site. It is best to delete or move these files from your WP directories.

An automated WP upgrade makes life much easier for everyone, newbie or expert. The upgrade process adds new files and replaces existing ones. It cannot, however, delete files from the previous WP version that the new version no longer uses. This gives hackers the opportunity to exploit the upgrade process by using these unnecessary old files to infect your newly upgraded WP site. Who would suspect that a WP file from the previous version would be infected, especially after a fresh upgrade? Removing these old files should not affect your new WP installation, because if the new WP needed a file, it would have been included in the upgrade. The insidious Pharma Hack bug can use extra files to damage your site.

To find out if your WP installation has any unnecessary files, download a WP copy to your hard disk and expand it. Do not install it. Then use a program like FileZilla to compare it, directory by directory, with your installation. FileZilla has a Ctrl-O feature that highlights any differences it finds, such as extra files. You need to do this for every directory and subdirectory. As an alternative to Ctrl-O, you can compare the number of files and their total size. If these are exactly the same, then you are safe. This directory comparison takes a long time, but it guarantees your WP installation is OK, with no extra files.

Here are the unnecessary files I found when I upgraded to WordPress 3.5:
fantversion.php
wp-app.php
wp-admin/options-privacy.php
wp-admin/js/utils.js
wp-includes/class-wp-atom-server.php
wp-includes/js/tinymce/themes/advanced/skins/wp_theme/ui.css

You should be able to leave unnecessary graphics files, as they seem to be pretty benign, but remove the .php, .js and other executable files. Hackers can inject code into these files and run them.
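The directory comparison described above can also be scripted. This added example (not part of the original post) walks an unpacked clean WordPress copy and a downloaded copy of the live site, splits extra files into executable and other types, and also reports core files whose content differs, which goes beyond the file count and size check. The extension set, the allowance for `wp-config.php` and `.htaccess`, and skipping `wp-content/` are assumptions of this example.

```python
import hashlib
import os
import sys

# Extensions treated as executable leftovers to remove; the exact
# set is an assumption for this example.
RISKY_EXT = {".php", ".js", ".pl", ".cgi", ".py", ".sh"}
# Files a live site legitimately has that a fresh download lacks (assumption).
EXPECTED_LOCAL = {"wp-config.php", ".htaccess"}
# Site-specific tree (plugins, themes, uploads); compare those separately.
SKIP_PREFIX = "wp-content/"


def list_files(root):
    """Map relative POSIX-style path -> SHA-256 of every file under root."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                found[rel] = hashlib.sha256(fh.read()).hexdigest()
    return found


def compare_trees(clean_root, live_root):
    """Return (risky_extras, other_extras, modified) as sorted lists."""
    clean, live = list_files(clean_root), list_files(live_root)
    risky, other, modified = [], [], []
    for rel, digest in sorted(live.items()):
        if rel.startswith(SKIP_PREFIX) or rel in EXPECTED_LOCAL:
            continue
        if rel not in clean:
            ext = os.path.splitext(rel)[1].lower()
            (risky if ext in RISKY_EXT else other).append(rel)
        elif clean[rel] != digest:
            modified.append(rel)  # same name, different content
    return risky, other, modified


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py CLEAN_WP_DIR LIVE_SITE_COPY_DIR")
    risky, other, modified = compare_trees(sys.argv[1], sys.argv[2])
    for label, items in (("REMOVE", risky), ("extra", other), ("CHANGED", modified)):
        for rel in items:
            print(f"{label:8}{rel}")
```

The clean copy must be the same WordPress version as the live site, otherwise every file changed between releases shows up as CHANGED.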

The alternative to all these file comparisons after an upgrade is to delete your WP installation and then reinstall. The risk here is that you might unknowingly delete necessary files, which you would have to recreate. I would rather not take this risk.

Good luck, and a Pharma Hack pox on your enemies.

1 thought on “WordPress 3.5 Upgrade: Unneeded Files Cleanup”

  1. KP

    Thanks… this was really helpful. I had some sort of ‘ p class = “nemonn” ‘ hack injected in the header file of a custom theme, and am looking for the ‘back door’ file that they injected other code into. (Still working on that!) Anyway, this listing is handy to help tidy up and prevent future problems! I found other files left over from a 3.4 upgrade 2 yrs ago in the main directory, too. Ugh!

    [Don: Yes, those automatic one-button WordPress upgrades are convenient but leave old php files behind for hackers to exploit. Also check your plugins and themes very carefully, comparing them to originals downloaded to your hard disk. I just found suspicious php and Perl script code in the uploads section, which should normally store photos and such. These hackers are resourceful, but with persistence you can harden your WordPress install.]
