How to Find and Clean Backdoors in a Hacked WordPress Site
There are times when you have your WordPress website cleaned up and the attacker is still able to gain access. This happens if you did not clean it up properly and there was a backdoor created by the hacker which allowed a bypass of normal authentication. In this article, we will show you how to find a backdoor in a hacked WordPress site and fix it.
What is a Backdoor?
Backdoor simply means bypassing normal authentication and gaining remote access the server while remaining undetected. Most smart hackers always upload the backdoor as the first thing. This allows them to regain access even after you find and remove the exploited plugin. Backdoors often survive the upgrades, so your site is vulnerable until you clean this up.
Some backdoors simply allow users to create hidden admin username. The more complex backdoors can allow the hacker to execute any PHP code sent from the browser. Others have a full fledged User Interface (UI) that allows them to send emails as your server, execute SQL queries, and everything else they want to do.
Where Do Hackers Hide BackDoor Codes?
Backdoors on a WordPress install are most commonly stored in the following locations:
Themes – Most likely it is not in the current theme that you are using. Hackers want the code to survive core updates. This is why we recommend deleting all the inactive themes.
Plugins – Plugins are a great place for the hacker to hide the code for three reasons. One because people don’t really look at them. Two because people don’t like to upgrade their plugins, so they survive the upgrades (folks keep them up to date). Three, there are some poorly coded plugins which probably have their own vulnerabilities to begin with.
Uploads Directory – You never really want to check your uploads directory. Of course, you really do not find a reason to do so. Why would you? You just upload the image, and use it in your post. You probably have thousands of images in the uploads folder divided by year and month. It is very easy for the hacker to upload a backdoor in the uploads folder because it will hide among thousands of media files. Plus you don’t check it regularly. Most folks don’t have a monitoring plugin like Sucuri. Moreover, the uploads directory is writable, so it can work the way it is supposed to. This makes it a great target.
wp-config.php – This is also one of the highly targeted files by the hackers.
Includes Folder – /wp-includes/ folder is another place that we find backdoors.
In all cases, the backdoor is most likely disguised to look like a WordPress file.
For example: the backdoor can be in wp-includes folder, and called wp-user.php (this doesn’t exist in the normal install). There is user.php, but no wp-user.php in the /wp-includes/ folder. IYou can also find a php file named hello.php in the uploads folder. It is disguised as the Hello Dolly plugin.
It can also use names like wp-content.old.tmp, data.php, php5.php, or something of that sort. It doesn’t have to end with PHP just because it has PHP code in it. It can also be a .zip file. In most cases, these files are encoded with base64 code that usually perform all sort operations (i.e add spam links, add additional pages, redirect the main site to spammy pages, etc).
Now you are probably thinking that WordPress is insecure because it allows for backdoors. The current version of WordPress has no known vulnerabilities. Backdoors are not the first step of the hack. It is usually the second step. Often hackers find an exploit in a third-party plugin or script which then gives them access to upload the backdoor.
It can be all sort of things though. For example, a poorly coded plugin can allow user privilege escalation. If your site had open registrations, the hacker can just register for free. Exploit the one feature to gain more privileges (which then allows them to upload the files). In other cases, it could very well be that your credentials were compromised. It could also be that you were using a bad hosting provider.
You will also want to read:
How to Clean the Backdoor
Cleaning up the backdoor is as easy as deleting the file or code. The difficult task is finding it. You can start with one of the following malware scanner WordPress plugins. Out of those, we recommend Sucuri.
You can also use the Exploit Scanner, but remember that base64 and eval codes are also used in plugins. So sometimes it will return a lot of false positives. If you are not the developer of the plugins, then it is really hard for you to know which code is out of its place in the thousands of lines of code.
Recommendation: The best thing you can do is delete your plugins directory, and reinstall your plugins from scratch. Yes,, this is the only way you can be sure unless you have a lot of time to spend.
Search the Uploads Directory
One of the scanner plugins will find a rogue file in the uploads folder. But if you are familiar with SSH, then you just need to write the following command:
find uploads -name "*.php" -print
There is no good reason for a .php file to be in your uploads folder. The folder is designed for media files in most cases. If there is a .php file that is in there, delete it
Delete Inactive Themes
As mentioned above, often the inactive themes are targeted. The best thing to do is delete them.
Sometimes the redirect codes are being added there. Just delete the file, and it will recreate itself. If it doesn’t, go to your WordPress admin panel. Settings » Permalinks. Click the save button there. It will recreate the .htaccess file.
Compare this file with the default wp-config-sample.php file and delete any strange file.
Database Scan for Exploits and SPAM
A smart hacker will create numerous backdoor. Targeting a database full of data is a very easy trick. They can store their bad PHP functions, new administrative accounts, SPAM links, etc in the database.
Exploit Scanner plugin or Sucuri (paid version) both takes care of that.
Open your browser in an incognito mode to see if the hack comes back. Sometimes, these hackers are smart. They will not show the hack to logged in users. Only logged out users see it. Or better yet, try to change your browser’s useragent as Google. Sometimes, the hackers only want to target the search engines. If all looks great, then you are good to go.
If you want to be 100% sure that there is no hack, then delete your site. And restore it to the point where you know that the hack wasn’t there. This may not be an option for everyone.
How to Prevent a Future Hack
We advice that you keep strong backups (VaultPress or BackupBuddy) and start using a monitoring service. Like we said earlier, you cannot possibly monitor everything that goes on your site when you are doing tons of other things.
Read our article on 5 Reasons Why We Use Sucuri to Improve our WordPress Security
Use Strong Passwords – Force strong passwords on your users. Start using a password managing utility like 1Password.
2-Step up Authentication – If your password got compromised, the user would still need to have the verification code from your phone.
Limit Login Attempts – This plugin allows you to lock the user out after X numbers of failed login attempts.
Disable Theme and Plugin Editors – This prevents user escalation issues. Even if the user’s privileges were escalated, they couldn’t modify your theme or plugins using the WP-Admin.
Password Protect WP-Admin – You can password protect the entire directory. You can also limit access by IP.
Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the upload directories and other directories of your choice. Basically so even if someone was able to upload the file in your uploads folder, they wouldn’t be able to execute it.
Stay UPDATED – Run the latest version of WordPress, and upgrade your plugins.
Lastly, don’t be cheap when it comes to security. We always say that the best security measure is great backups. Please please please keep good regular backups of your site. Most hosting companies DO NOT do this for you. Use solutions like BackupBuddy or VaultPress. This way if you ever get hacked, you always have a restore point.