This is one of the most common questions from Nixzoehost customers when they see a security alert. Understanding the difference is vital because it changes how you should "clean" your site.
Think of your website like a house: a malicious file is an intruder who broke in, while a compromised file is a trusted family member who has been tricked or "brainwashed."
1. Malicious Files (The "Intruders")
A malicious file is a piece of code that should not exist on your server. It was never part of WordPress, your theme, or your plugins. A hacker uploaded it to do damage.
-
Common Examples: "Backdoors" (which let hackers back in later), "Mailers" (used to send thousands of spam emails from your account), or "Scrapers" (used to steal your database).
-
Appearance: Usually has a strange name like
x23kjs.phpor hides inside a folder likewp-content/uploads/2026/04/shell.php. -
The Fix: These should be deleted immediately. They serve no purpose for your websites functionality.
2. Compromised Files (The "Victims")
A compromised file is a legitimate file that is part of your website (like index.php or functions.php) but has been edited by a hacker. They have "injected" their bad code into your good code.
-
Common Examples: A hacker might add a single line of code to your header that redirects your visitors to a gambling site, but the rest of the file still runs your website.
-
Appearance: The filename looks normal (e.g.,
wp-config.php), but if you look inside, there is a block of "gibberish" or encrypted text at the top. -
The Fix: Do not delete these. If you delete a compromised
index.php, your website will stop working (the "White Screen of Death"). Instead, you must clean the file by removing the bad code or restore it from a clean Nixzoehost backup.