WordPress glossary

Trojanized Core File

A WordPress core file (like wp-blog-header.php or wp-load.php) modified to load attacker code on every request.

Last updated 27 June 2026 · Reviewed by Ali Yasin Jatoi

Core files should match the SHA hashes shipped with the matching WordPress version. A trojanized core file passes a casual review because the filename is legitimate, but contains an extra include() or eval() that bootstraps malware. The only reliable fix is to replace every core file from a clean WordPress download of the same version, then re-scan.

Where this applies on our service

WordPress core files trojanized

Related terms

mu-plugin Malware
Malicious code dropped into wp-content/mu-plugins/ so WordPress auto-loads it on every request without showing it in the plugins screen.
wp-adminerlzp Hidden Admin User
A persistence backdoor that re-creates a rogue WordPress administrator with a wp-adminerlzp-style username after every cleanup.
C2 Server (Command and Control)
An external server that compromised WordPress sites beacon to for instructions, payloads, or stolen data.

When this comes up in the wild

WordPress core files trojanized (wp-blog-header, wp-load)Incident playbook
IOC moat: WordPress hack fingerprints we trackIncident playbook

Need this fixed, not just defined?

We have shipped hundreds of fixes for exactly this kind of issue. Book a 20 minute call and we will tell you straight whether it is a quick fix or a bigger root cause.

Book a 20 minute call +92 346 600 8404

mu-plugin Malware 410 Gone

Call Book a call