Mystery File – ssv3_directory.php

WhyIn a recent security scan of a client’s site we found a mystery file located at the root of the WordPress installation. It’s a ssv3_directory.php file.

A little Internet research led me to believe that the file was installed by BlueHost. So I asked them about it today.

The technical representative that I chatted with was familiar with the file and said that it shouldn’t be deleted because it might cause “random” WordPress issues.

When I pressed for more details he stated the file was, “generated by installing Plugins or themes on your WordPress so, you can not find the file in while the WordPress installation.”

In other words, the rep believes that the file was not added by BlueHost, but was instead installed by WordPress when a plugin or theme was added to an installation.

I’m not buying it. My guess is that it’s a BlueHost file. After all, they are the company that installed a plugin on all of their customer’s hosting accounts to update WordPress software. (If you have a BlueHost hosting account you can find it at wp-content/mu-plugins/sso.php.)

What does the ssv3_directory.php file do? I still don’t know.

My advice is that if you’re still using BlueHost as a hosting company, keep the ssv3_directory.php file in place. If you’ve moved from BlueHost to another website host, then make a backup copy of the file for safekeeping. Make a complete backup of your site. Then delete the ssv3_directory.php file on your server. Take a look at your site and watch for “random WordPress issues.”


  1. I just came across this today on a client’s site as well. Generally SSO stands for Single Sign On. So I looked at the code of sso.php and that’s exactly what it is. Bluehost allows you to login directly from the Bluehost admin panel and this plugin facilitates that. You can remove it. It just will not allow you to click on “login to site” from bluehost and log you right into your website. Since my client uses 2FA anyway, the plugin is essentially pointless.

  2. Forgot to also mention, my other comment was regarding the SSO.php

    As for the ssv3_directory.php, yep you’re gonna want to leave that where it is, if on Bluehost. From what I can tell, what it does is detect whether or not the error documents are present or not and adds them in if they are not. If you were to delete the error documents (*.shtml files & cgi-bin directory), then this file would force them to re-generate.

    1. Author

      Great information! Thanks for commenting!

  3. I know this was a couple years ago, but I wanted to let you know that this helped me out also. We’re on our own since tier 1 & 2 support has been transferred to the Philippines and there’s an enormous language barrier and general competence issue when calling.

Leave a Reply

Your email address will not be published. Required fields are marked *