This is a case of general security. At a minimum do the following steps: Delete the file you found in wp-admin Delete the htaccess file Download the official wordpress from wordpress.org and upload it to your server, overwriting anything it finds. If possible delete the wp-admin and wp-includes folders and any files starting with wp- in the ...