WordPress websites are infected with viruses every year, and the number is only going up. The infection may or may not be persistent. On average, websites are hacked 44 times each day.

Through these hacks, scams and frauds are carried out by redirecting the infected website’s traffic. These intrusions and hacks may sometimes go unnoticed by the owners and developers. A well-planned backdoor helps maintain this persistence.

Thus, security must be a top priority for everyone running a WordPress website. 

Even if you protect your website, hackers often find ways to install a backdoor and get in; unless you get rid of that backdoor, there’s no one stopping them. You find yourself with a hacked WordPress website.

A hacker knows that you will eventually be removing the infections, so they install a backdoor to sneak back in later. 

What happens when your website is hacked

Some early signs of a hack are a rapid drop in traffic, unknown files, poor performance, unfamiliar added links, inability to log in, suspicious sign-ups, a defaced homepage, etc.

This article will guide you on how you can find and fix backdoors in your hacked WordPress website. 

What is a WordPress Backdoor?

Hackers are always looking for ways to inject a backdoor into your WordPress website. The code that gives an attacker a way into the system sits somewhere in a malicious file. This unauthorized and persistent access to the server invites corrupted plugins.

These threats can be in your system for longer than you know and often go unnoticed. It is wiser to take preventive measures, because getting rid of backdoors later on can be resource- and time-consuming. These damage control measures can delay the attack.

What Leads to a WordPress Backdoor Hack?

Setting up your WordPress website may seem easy, but the real challenge lies in its security. Multiple loopholes can pave the way for a backdoor, but for clarity’s sake, we can narrow them down to a few main ones:

  • Buggy plugin or a theme.
  • Weak login credentials.
  • Weak file permissions.
  • No security solution or firewalls.
  • Outdated installations.
  • Infected server.

The code for backdoors on a hacked WordPress website is most commonly stored in the following areas:

  1. A WordPress theme, but probably not the one you’re presently using. Code in a theme is not overwritten when you update WordPress, so it’s a convenient place to put a backdoor.
  2. WordPress plugins are another ideal place to hide a backdoor.
  3. The uploads folder may contain hundreds or thousands of media files, so it’s another suitable place to hide a backdoor.
  4. The wp-config.php file includes sensitive data used to configure WordPress.
  5. The wp-includes folder holds the PHP files needed for WordPress to run properly. It’s another place where we find backdoors because most website owners don’t check what the folder contains.

Where are Backdoors Hidden?

In most cases, backdoors are disguised as ordinary WordPress files. They are found in the following places:

Locating a WordPress Backdoor in WordPress Themes

Hackers often look for an inactive WordPress theme to hide a WordPress backdoor since it is the most appropriate place. Since the theme is inactive, you are less likely to look there, making it easier for the hacker to create a backdoor.

The functions.php file is responsible for calling native PHP and other functions; hence this file can be used to perform any operation.

Finding a WordPress Backdoor in WordPress Plugins

A WordPress backdoor hack often occurs because of buggy plugins. A plugin sometimes has millions of users, so any exploited bug escalates quickly, putting the security of millions of users around the world at risk.

Multiple plugins have been found buggy over the years. To make corrupt backdoor files look legitimate, attackers give them documented help files.

Following are some reasons why backdoors infect plugins:

  • Unused plugins are more likely to be infected.
  • Poorly coded, untrusted, and unpopular plugins.
  • Outdated plugins are easy targets.

Discovering a WordPress Backdoor in Installation Files

When code looks like gibberish, there is likely rogue code in the base files. Attackers use different techniques to make the code hard for humans to understand, so keep an eye out for suspicious-looking code.

You should always check all files, even the ones that look legitimate.

A backdoor named FilesMan is used to hack and steal passwords and other confidential details; you must keep a watch for it. This backdoor is usually hard to detect and not visible in logs. All you can do is look for the keyword: lifespan.

How to Find a Backdoor in a Hacked WordPress Website

The first step in finding a backdoor is scanning for malicious code.

1. Scan for Malicious Code

One of the first steps in finding a backdoor is scanning for malicious code. For that, one should go with the best scanners available.

One of the most recommended scanners is Sucuri, as it has been delivering satisfactory results. This way, you will be able to detect security breaches in less time.

Here are some other tools you can use to scan for malicious code.

  • Quttera. It is a tool that offers free malware scanning for WordPress, Joomla, Drupal, and more platforms.
  • Astra Security. It is a malware scanner that scans your hacked WordPress website and flags malicious links, malware, blacklistings, etc.
  • VirusTotal. With this tool, you can analyze suspicious files, domains, IPs, and URLs to detect malware and malicious code.

2. Delete the WordPress Plugins Folder

People often hunt through their plugin folders, looking for suspicious files. But this can be time-consuming and useless, as hackers often use sneaky tactics to make it difficult for you to find a backdoor.

So the preferred way is to remove your plugins directory and reinstall all your plugins from scratch. This is a more effective way to make sure no backdoors remain in your plugins.

3. Delete the WordPress Themes Folder

As discussed earlier, searching through folders for backdoors is not helpful, and deleting them is the way to go. So delete the themes folder, and any backdoor hidden in it goes with it.

After that, you can re-download all the WordPress themes you want or need.

4. Search the Uploads Folder for PHP Files

A further step towards this goal is to go through the uploads folder and confirm that there are no PHP files. PHP files have no business in this folder because it is intended to store media files such as images.

Upon finding a PHP file, one should delete it immediately. Note that you will find many folders for different dates and times you uploaded files. You have to check through all the folders thoroughly. 

5. Delete the .htaccess file

Hackers go to every extent they can. They may add redirect code to your .htaccess file, leading your visitors to another website of the hacker’s choice. To avoid this, you will have to delete your .htaccess files completely.

6. Check the wp-config file

The wp-config file is a core WordPress file that stores the information WordPress needs to communicate with the database, the WordPress security keys, and developer options.

You should skim through the contents to see if anything looks suspicious and not in order. You may use the wp-config-sample.php file found in that same folder for comparison. 
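The file checks in steps 4 to 6 can be scripted as read-only listings before anything is deleted. The script below is an added example, not code from the original article; the function names, the constructed sample tree, and the hostname redirect.example are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for steps 4-6. Nothing is deleted.

# Step 4: PHP-family files anywhere under uploads/, in every dated subfolder.
php_in_uploads() {   # $1 = WordPress root
  find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \
    -o -iname '*.php[0-9]' -o -iname '*.phar' \) 2>/dev/null | sort
}

# Step 5: redirect/rewrite rules in any .htaccess that point at an absolute URL.
htaccess_redirects() {
  find "$1" -type f -name .htaccess -exec grep -HnEi \
    '^[[:space:]]*(Redirect(Match)?|RewriteRule)[[:space:]].*https?://' {} + || true
}

# Step 6: lines of wp-config.php that are neither in wp-config-sample.php
# nor an ordinary define(), $table_prefix, comment or blank line.
config_extras() {
  grep -vxFf "$1/wp-config-sample.php" "$1/wp-config.php" |
    grep -vE '^[[:space:]]*(define[[:space:]]*\(|\$table_prefix|//|/\*|\*|#|$)' || true
}

# Constructed sample tree so the checks can be tried offline.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2023/05"
  : > "$root/wp-content/uploads/2023/05/photo.jpg"
  : > "$root/wp-content/uploads/2023/05/thumb.PHP"
  printf '%s\n' 'RewriteRule ^index\.php$ - [L]' \
    'RewriteRule ^(.*)$ http://redirect.example/$1 [R=302,L]' > "$root/.htaccess"
  printf '%s\n' '<?php' "define( 'DB_NAME', 'database_name_here' );" \
    "\$table_prefix = 'wp_';" "require_once ABSPATH . 'wp-settings.php';" \
    > "$root/wp-config-sample.php"
  printf '%s\n' '<?php' "define( 'DB_NAME', 'shop' );" "\$table_prefix = 'wp_';" \
    "include 'wp-content/uploads/2023/05/thumb.PHP';" \
    "require_once ABSPATH . 'wp-settings.php';" > "$root/wp-config.php"
  echo "$root"
}

# Run against a real site by passing its root directory as the first argument.
if [ "${1:-}" ]; then
  php_in_uploads "$1"; htaccess_redirects "$1"; config_extras "$1"
fi
```

Every line these functions print is a lead to review by hand; a redirect to your own HTTPS domain, for instance, will also be listed.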

How to Fix WordPress Backdoor Hack?

Update and backup your WordPress website.

1. Use a WordPress Backdoor Scanner

Human error is something we can’t deny. Manual analysis is not always successful. Automation is the best way to go.

Using a WordPress backdoor scanner is not only effective and fast but also errorless. These scanners can detect all kinds of backdoors and help you fix these issues quickly.

2. Update and Backup

Updating your website is highly recommended and necessary. It is one key point that matters for everyone. An outdated WordPress is as harmful as an infected one.

If you are unsuccessful in tracking down the cause of a backdoor hack, restore the site from a backup, after first taking a backup of the current site so that you can compare the two.

If you have no backup, take a backup of the current site and then manually update your WordPress website to replace the core WordPress files with fresh ones.

Updating your plugins as soon as a vulnerability is reported in them is also suggested.

3. Use Server Logs

Server logs can help you remove WordPress backdoors. Check the FTP logs to see the IPs used to connect to your server. Check the files that have been edited after a specific date. Go through the image folder for executables, if present.

4. Encodings

Some modified files can be unreadable. You can start the WordPress backdoor hack cleanup by searching for base64 encodings. Use the command:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> output.txt

All base64 detections will be listed in output.txt. Now you can decode it to plaintext with the help of online tools. Remove these files or lines to remove backdoors.
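The two checks from the "Use Server Logs" and "Encodings" steps (files edited after a given date, and files containing base64 encodings) can be combined into one read-only triage script. This is an added example, not code from the original article; the function names, the extra decoder keywords in the search pattern, and the constructed sample files are assumptions, and the script decodes literals locally with base64 -d instead of an online tool.

```shell
#!/bin/sh
# Added example: read-only triage. Hits are leads, not verdicts:
# legitimate plugins and WordPress core also call base64_decode.

# PHP files under $1 modified after date $2 (YYYY-MM-DD).
php_changed_since() {
  find "$1" -type f -name '*.php' -newermt "$2" | sort
}

# Per-file count of lines that use decoders often chained in obfuscated code.
encoded_hits() {
  grep -rEc --include='*.php' \
    'base64_decode|gzinflate|str_rot13|eval[[:space:]]*\(' "$1" |
    grep -v ':0$' | sort || true
}

# Decode quoted base64 literals (16+ characters) found in file $1.
decode_literals() {
  grep -oE "['\"][A-Za-z0-9+/]{16,}={0,2}['\"]" "$1" | tr -d "'\"" |
    while read -r lit; do
      printf '%s\n' "$lit" | base64 -d 2>/dev/null && echo
    done
}

# Constructed sample: one old clean file, one recent file with an encoded call.
make_sample() {
  dir=$(mktemp -d)
  blob=$(printf '%s' 'echo "constructed sample";' | base64)
  printf '<?php echo "hello"; ?>\n' > "$dir/old.php"
  printf '<?php eval(base64_decode("%s")); ?>\n' "$blob" > "$dir/new.php"
  touch -t 202001010000 "$dir/old.php"
  touch -t 202401150000 "$dir/new.php"
  echo "$dir"
}

# Usage: script.sh /path/to/wordpress 2024-01-01
if [ "${1:-}" ]; then
  php_changed_since "$1" "${2:-1970-01-01}"; encoded_hits "$1"
fi
```

Files that appear in both listings (recently changed and containing decoder calls) are the ones to open first.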

How to Prevent Hacks?

Prevent hacks by regular backups, and install security plugins.

1. Regular Backups

We emphasize this point again and again because of how important it is. If you haven’t done it already, now is the time to do it. This action is compulsory.

Unfortunately, WordPress does not provide a built-in backup solution. However, multiple backup plugins for WordPress allow you to routinely back up and restore your WordPress website.

Some great free backup WordPress plugins are:

2. Install Security Plugins

Once you are busy working on your business, it is hard to find time to monitor your website and trace bugs and mishaps. Manual monitoring is also prone to errors.

That is why using a security plugin is highly important and valued. It is definitely worth the investment. Make sure you use effective and trusted security plugins.

One of the most used plugins is Sucuri, as mentioned above.

More free security WordPress plugins worth checking out are:

3. Make Logins More Secure

We know how important it is to make your login credentials foolproof in the digital world. You should make your logins more secure by using strong and confidential passwords.

Avoid using sequential digits, public information like your date of birth, or anything else that is easily predicted. You can also take a further step and use a reputable password manager to securely store your login credentials.

Furthermore, one should activate two-factor authentication. This will secure your WordPress website against stolen passwords. This means that even if your login credentials are exposed, no intruder will be able to log in to your website.

You can also limit login attempts in WordPress. Locking users out after several failed attempts will reduce a hacker’s chance of breaking in.

Here are some free WordPress plugins you can use to limit login attempts.

4. Protect the Admin Area

Many common security threats are blocked when you protect the WordPress admin area from unauthorized access. You can use a web application firewall and add another layer of protection to your website’s most crucial entry point by adding password protection.

You can also limit the admin area access to specific IP addresses. Furthermore, you can also log out idle users and limit dashboard access.

5. Disable Themes and Plugin Editors

Many may not know that WordPress comes with a built-in theme and plugin editor. The plain text editor lets you edit your theme and plugin files from the WordPress dashboard.

This can be useful, but it can also cause security threats, as a hacker can use this built-in editor to access all your WordPress data. To eliminate this risk, it is suggested to remove all the built-in file editors altogether.

6. Keep the Website Up To Date

We start and end on the same point: update. You have probably realized how important it is by now. Every updated version of WordPress is more secure than the outdated one.

Usually, upon finding a security breach or exposure, the WordPress team releases an update to fix the issue. This means that if you are not updating your WordPress regularly, you are using software with known vulnerabilities.

Also, remember to keep your WordPress updated and your WordPress plugins and themes up to date too! 

Conclusion

The digital world comes with pros and cons. But with everyday improvements, we are minimizing the cons. Hacking and security breaches have always been a part of the digital world.

Still, you can eliminate or minimize them by following the techniques and methods mentioned above.

We hope that the information about a hacked WordPress website provided above was valuable and practical to you and improved your experience with WordPress.

Learn about how to clean up a malware-affected website in our post: How to Clean Up Your Malware Affected WordPress Site.

About the Author

Atif Shahab

Atif Shahab is a blogger, social media community management, and influencer marketing Expert. He loves to write about PHP, WordPress, Cloud, Project Management, Marketing, and Data Science. He is a fan of classic music and loves traveling with friends & family.