This is just unbelievable! One of my websites had ISPProtect (where does it put a log, btw? Anywhere, or just email?) flag some files, and I discovered to my HORROR that in the wp-content/uploads folder (WordPress site), the 2020/09 folder (it caches by year and month to keep directories from getting too large) had some real CRAP in it:

The .pid file contained a process number, and that PID had a title of (you guessed it) [stealth]. The files in the folder all look like Linux executables (no doubt) with ELF-style headers, all marked executable.

Now this is in a folder UNDER wp-content/uploads/2020/09, and though I have a .htaccess blocking PHP execution in wp-content (I believe), nothing seems to block execution of these items in the uploads folder! How on earth did this get to be the case?

I terminated the process, rebooted, and moved the tree to hang under root. The root of the WordPress installation had various corrupted files like rindex.php and wp-load.php which are not part of WordPress and have the usual encrypted gibberish contents.

Anyone have any expertise in hacked WordPress files? I'd surely be willing to pay for some help! I need to understand HOW this happened and hopefully how to prevent it in future?? You think YOU have had a bad week???

cdb.
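
The check below is an added example, not part of the original post: it walks an uploads tree and flags the kinds of files the post describes finding there (ELF headers, the executable bit, .pid files) along with PHP scripts. The function names, the extension table and the sample tree in `demo()` are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
# Assumption: file-name suffixes that have no business in a media uploads tree.
NAME_FLAGS = {".php": "php-script", ".phtml": "php-script", ".pid": "pid-file"}

def scan_uploads(root):
    """Return sorted (relative_path, reasons) for suspicious regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue  # unreadable or removed while scanning
            reasons = []
            if head == ELF_MAGIC:
                reasons.append("elf-header")
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("exec-bit")
            reasons += [f for ext, f in NAME_FLAGS.items() if name.lower().endswith(ext)]
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (made-up files, not the ones from the post)."""
    with tempfile.TemporaryDirectory() as root:
        month = os.path.join(root, "2020", "09")
        os.makedirs(month)
        samples = {"photo.jpg": (b"\xff\xd8\xff\xe0", 0o644),
                   "cache": (ELF_MAGIC + b"\x02\x01\x01", 0o755),
                   "x.pid": (b"4242\n", 0o644),
                   "up.php": (b"<?php ", 0o644)}
        for name, (data, mode) in samples.items():
            p = os.path.join(month, name)
            with open(p, "wb") as fh:
                fh.write(data)
            os.chmod(p, mode)
        return scan_uploads(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a live site, call `scan_uploads()` with the path to wp-content/uploads; an image-only tree should return an empty list.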