Your WordPress site may have been hacked, and although you fixed it, the hacker was still able to get back in. This often happens because the hack wasn’t properly cleaned up, or you didn’t know the exact location of the breach. In such cases, hackers create backdoors that allow them to bypass your site’s normal authentication. If you want to know the best way to find and fix a backdoor in a hacked WordPress site, read on.
What is a Backdoor?
First, let’s get on the same page about what a backdoor is. A backdoor is a method used by hackers to bypass normal authentication on a website, allowing them to access the server undetected. Smart hackers often upload the backdoor first, so even if you remove the breached plugin or theme, the hacker can still regain access. Worse still, even if you perform an upgrade, the backdoor will remain, making your site vulnerable to future attacks. Until you clean up the mess for good, your system remains at risk.
How a Hacker Uses a Backdoor to Exploit Your System
A backdoor allows a hacker to create hidden admin usernames to access the system. More complex backdoors enable hackers to run any PHP code sent from the browser. Things get worse with a backdoor featuring a full-fledged user interface, allowing hackers to send emails that appear to come from the server, run SQL queries, and perform other malicious activities.
Hackers often install backdoors in:
- Themes
- Plugins
- Uploads directory
- Includes folder
- wp-config.php file
Hackers typically install backdoors in old and inactive themes to survive updates. Plugins are another common target because people don’t often upgrade them, and some are poorly coded, making them easy hiding spots for backdoors.
How to Clean Up a Backdoor for Good
In most cases, backdoors are disguised to resemble legitimate WordPress files. Here are some key places to check:
- wp-includes folder: Look for files like wp-user.php, which does not exist in a normal installation. The legitimate file is user.php.
- Uploads folder: Files named hello.php could be disguised as the Hello Dolly plugin. Other suspicious files might include wp-content.old.tmp, php5.php, or data.php.
Remember, a file doesn’t need to end with .php to contain malicious code; it could even be a .zip file. Hackers often obfuscate backdoor code with base64 encoding, and the hidden code performs various hacking operations, such as redirecting the main page to spammy sites, adding additional pages, and inserting spam links.
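The checks described above can be scripted. The following Python script is an added example, not code from the original article: it compares the core folders against a clean copy of the same WordPress release, flags PHP files in the uploads folder, and searches every file, whatever its extension, for eval() of decoded data. The function names, the regular expression, the inclusion of wp-admin alongside wp-includes, and the harmless sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (assumed pattern): a decode/inflate call passed straight to eval/assert.
OBFUSCATED = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXT = {".php", ".php5", ".phtml"}

def scan(site_root, clean_root):
    """Return sorted (path, reason) findings; clean_root is a trusted copy of the same release."""
    site, clean = Path(site_root), Path(clean_root)
    findings = set()
    for path in (p for p in site.rglob("*") if p.is_file()):
        rel, data = path.relative_to(site), path.read_bytes()
        name = rel.as_posix()
        # Core directories: each file must match the clean copy byte for byte.
        if rel.parts[0] in ("wp-includes", "wp-admin"):
            ref = clean / rel
            if not ref.is_file():
                findings.add((name, "not in clean core"))
            elif ref.read_bytes() != data:
                findings.add((name, "differs from clean core"))
        # Uploads should hold media, never executable PHP.
        if rel.parts[:2] == ("wp-content", "uploads") and path.suffix.lower() in PHP_EXT:
            findings.add((name, "PHP file in uploads"))
        # Content check ignores the extension: a payload can sit in any file.
        if OBFUSCATED.search(data):
            findings.add((name, "eval of decoded data"))
    return sorted(findings)

def demo():
    """Scan a constructed sample site (harmless files) against a constructed clean copy."""
    core = {"wp-includes/user.php": b"<?php // core user API\n"}
    extra = {
        "wp-includes/wp-user.php": b"<?php // not a core file\n",
        "wp-content/uploads/hello.php": b"<?php echo 1;\n",
        "wp-content/uploads/wp-content.old.tmp": b"<?php eval(base64_decode('ZWNobyAxOw=='));\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for root, files in (("clean", core), ("site", {**core, **extra})):
            for rel, body in files.items():
                target = Path(tmp, root, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        return scan(Path(tmp, "site"), Path(tmp, "clean"))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A finding is a lead to inspect by hand, not proof of compromise, and a backdoor that avoids the eval pattern is only caught by the clean-copy comparison or the uploads rule.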
The good news is that the current version of WordPress (version 3.4.2) has no known vulnerabilities. Therefore, another way to defeat backdoors is by upgrading to the latest version of WordPress.
Conclusion
Securing your WordPress site from hackers involves more than just fixing the immediate breach. Identifying and eliminating backdoors is crucial to ensuring that your site remains secure in the future. Regular updates and vigilant monitoring can go a long way in protecting your website from unauthorized access.