Backdoors in WordPress are hidden scripts or files planted by hackers to gain unauthorized access to a website. These backdoors are often used to regain entry even after the initial security breach has been cleaned up. Therefore, identifying and removing backdoors is crucial to secure your website from recurring threats. This article will guide you on how to search for backdoors in your WordPress site.
Note: Always back up your site before making any changes. This guide assumes familiarity with the WordPress file structure, FTP clients, and basic PHP.
Understanding Backdoors
Backdoors often reside in compromised PHP files. They can be inserted into core WordPress files, theme files, plugin files, or uploads directories. Backdoor scripts are usually obfuscated (i.e., encoded or otherwise disguised so the code is hard to read) to evade detection.
1. Scan Your Website with a Security Plugin
The first line of defense in finding a backdoor is using a WordPress security plugin like Wordfence, Sucuri, or iThemes Security. These plugins can scan your WordPress installation for known malware patterns and suspicious code.
However, advanced backdoors may evade these security plugins, so manual investigation is often necessary.
2. Manual Inspection of Files
2.1 Inspecting the Core Files
Start by downloading a fresh WordPress installation of the same version your website is using. You can use software like Meld (for Linux), WinMerge (for Windows), or FileMerge (for macOS) to compare your site’s WordPress core files with the clean ones. Differences may reveal potential backdoor scripts.
2.2 Inspecting wp-config.php
This file contains sensitive information about your database and is often targeted by hackers. Ensure that it contains only what’s needed and doesn’t include any suspicious or unfamiliar code.
2.3 Inspecting Theme and Plugin Files
Any changes to your theme and plugin files can be a potential backdoor. It’s good practice to compare these files with the original ones provided by the developers.
2.4 Inspecting the Uploads Directory
The uploads directory (wp-content/uploads) should only contain media files. If you find PHP files or other non-media files, they could be potential backdoors.
3. Look for Recently Modified Files
Using an FTP client, search for recently modified files. While legitimate activities can modify files, finding a recently modified file in an unusual place can be a red flag.
4. Detect Obfuscated Code
Look for functions like base64_decode, eval, gzinflate, preg_replace with the /e modifier, str_rot13, get_defined_vars, and extract. While these functions have legitimate uses, hackers often use them to obfuscate malicious code. You must search across your entire file set and database and inspect any uses that do not seem legitimate.
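The file checks from steps 2.4, 3, and 4 can be combined into one pass over a downloaded copy of the site. The script below is an added example, not part of the original guide: the extension list, the 7-day default window, and the names scan, PHP_EXT, SUSPICIOUS, and PREG_E are assumptions, and it covers files only, not the database.

```python
import os
import re
import sys
import time

# Extensions a web server may execute as PHP (assumed list, adjust to your server config).
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Function names from step 4; matched case-insensitively because PHP function names are.
SUSPICIOUS = re.compile(
    rb"\b(base64_decode|eval|gzinflate|str_rot13|get_defined_vars|extract)\s*\(", re.I)
# preg_replace whose pattern string carries the e modifier, e.g. '/.../e' or "#...#ie".
# Only same-character delimiters are handled; bracket-style delimiters are not.
PREG_E = re.compile(
    rb"(?i:preg_replace)\s*\(\s*(['\"])(.)(?:(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1", re.S)


def scan(root, days=7, now=None):
    """Return sorted (relative_path, reason) pairs for PHP files under root."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not PHP_EXT.search(name):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Step 2.4: executable PHP has no business under the uploads directory.
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php-in-uploads"))
            # Step 3: modification time inside the review window.
            if now - os.path.getmtime(path) < days * 86400:
                findings.append((rel, "recently-modified"))
            with open(path, "rb") as fh:
                data = fh.read()
            # Step 4: each listed function is reported once per file.
            for fn in {m.group(1).lower().decode() for m in SUSPICIOUS.finditer(data)}:
                findings.append((rel, "calls " + fn))
            if PREG_E.search(data):
                findings.append((rel, "preg_replace /e"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_wp.py /path/to/wordpress [days]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    window = int(sys.argv[2]) if len(sys.argv) > 2 else 7
    for rel, reason in scan(target, window):
        print(f"{reason:20} {rel}")
```

Every hit is a lead to inspect by hand, since WordPress core and many plugins call these functions legitimately; comparing flagged files against clean copies (step 2.1) separates the two.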
5. Searching the Database for Exploits
Backdoors can also be found in your WordPress database. Scan through posts and theme options in the database for suspicious content like iframes, encoded PHP functions, and JavaScript redirects. Be careful while making changes in the database; a small mistake can break your site.
6. Utilize Online Scanning Tools
Online tools like Sucuri SiteCheck, VirusTotal, or Google’s Safe Browsing can help detect backdoors, malware, or blacklisting status.
7. Regularly Review User Accounts
Make sure all user accounts, especially ones with administrator privileges, are legitimate. Hackers might create new user accounts to gain access.
8. Monitor Server Logs
Access logs can provide information on any unauthorized access attempts or unusual activities. Look for repeated requests from the same IP address or requests for files that shouldn’t be accessed directly.
Finding and removing backdoors is just one part of website recovery. You should also focus on preventing future hacks by keeping WordPress, themes, and plugins updated, using strong unique passwords, implementing two-factor authentication, limiting login attempts, changing your WordPress salts and keys, and utilizing a reliable security plugin.
Remember: Cleaning a hacked WordPress site is a complex task. If you’re not comfortable doing it yourself, consider hiring a professional WordPress hack recovery service.
If you suspect that your website has been hacked, act quickly. The faster you respond, the better your chances of limiting the damage.





