Beginner's Guide for WordPress / Start your WordPress Blog in minutes

How to Find a Backdoor in a Hacked WordPress Site and Fix It

Time and time again, we have helped users fix their hacked WordPress sites. Most of the time when they reach out to us, they have already cleaned up the site, and the hacker was able to get back in. This happens if you did not clean it up properly, or you did not know what you were looking for. In most cases that we found, there was a backdoor created by the hacker which allowed them to bypass normal authentication. In this article, we will show you how to find a backdoor in a hacked WordPress site and fix it.

What is a Backdoor?

Backdoor is referred to a method of bypassing normal authentication and gaining the ability to remotely access the server while remaining undetected. Most smart hackers always upload the backdoor as the first thing. This allows them to regain access even after you find and remove the exploited plugin. Backdoors often survive the upgrades, so your site is vulnerable until you clean this mess up.

Some backdoors simply allow users to create hidden admin username. Whereas the more complex backdoors can allow the hacker to execute any PHP code sent from the browser. Others have a full fledged UI that allows them to send emails as your server, execute SQL queries, and everything else they want to do.

Backdoor Screenshot

Where is this Code Hidden?

Backdoors on a WordPress install are most commonly stored in the following locations:

  1. Themes – Most likely it is not in the current theme that you are using. Hackers want the code to survive core updates. So if you have the old Kubrick theme sitting in your themes directory, or another inactive theme, then the codes will probably be in there. This is why we recommend deleting all the inactive themes.
  2. Plugins – Plugins are a great place for the hacker to hide the code for three reasons. One because people don’t really look at them. Two because people don’t like to upgrade their plugins, so they survive the upgrades (folks keep them up to date). Three, there are some poorly coded plugins which probably have their own vulnerabilities to begin with.
  3. Uploads Directory – As a blogger, you never ever check your uploads directory. Why would you? You just upload the image, and use it in your post. You probably have thousands of images in the uploads folder divided by year and month. It is very easy for the hacker to upload a backdoor in the uploads folder because it will hide among thousands of media files. Plus you don’t check it regularly. Most folks don’t have a monitoring plugin like Sucuri. Lastly, the uploads directory is writable, so it can work the way it is supposed to. This makes it a great target. A lot of backdoors we find are in there.
  4. wp-config.php – This is also one of the highly targeted files by the hackers. It is also one of the first places most folks are told to look.
  5. Includes Folder – /wp-includes/ folder is another place that we find backdoors. Some hackers will always leave more than one backdoor file. Once they upload one, they will add another backup to ensure their access. Includes folder is another one where most people don’t bother looking.

In all the cases we found, the backdoor was disguised to look like a WordPress file.

For example: in one site we cleaned up, the backdoor was in wp-includes folder, and it was called wp-user.php (this doesn’t exist in the normal install). There is user.php, but no wp-user.php in the /wp-includes/ folder. In another instance, we found a php file named hello.php in the uploads folder. It was disguised as the Hello Dolly plugin. But why the heck is in the uploads folder? D’oh.

It can also use names like wp-content.old.tmp, data.php, php5.php, or something of that sort. It doesn’t have to end with PHP just because it has PHP code in it. It can also be a .zip file. In most cases, these files are encoded with base64 code that usually perform all sort operations (i.e add spam links, add additional pages, redirect the main site to spammy pages, etc).

Now you are probably thinking that WordPress is insecure because it allows for backdoors. You are DEAD WRONG. The current version of WordPress has no known vulnerabilities. Backdoors are not the first step of the hack. It is usually the second step. Often hackers find an exploit in a third-party plugin or script which then gives them access to upload the backdoor. Hint: the TimThumb hack. It can be all sort of things though. For example, a poorly coded plugin can allow user privilege escalation. If your site had open registrations, the hacker can just register for free. Exploit the one feature to gain more privileges (which then allows them to upload the files). In other cases, it could very well be that your credentials were compromised. It could also be that you were using a bad hosting provider. See our recommended list of web hosting.

How to Find and Clean the Backdoor?

Now that you know what a backdoor is, and where it can be found. You need to start looking for it. Cleaning it up is as easy as deleting the file or code. However, the difficult part is finding it. You can start with one of the following malware scanner WordPress plugins. Out of those, we recommend Sucuri (yes it is paid).

You can also use the Exploit Scanner, but remember that base64 and eval codes are also used in plugins. So sometimes it will return a lot of false positives. If you are not the developer of the plugins, then it is really hard for you to know which code is out of its place in the thousands of lines of code. The best thing you can do is delete your plugins directory, and reinstall your plugins from scratch. Yup, this is the only way you can be sure unless you have a lot of time to spend.

Search the Uploads Directory

One of the scanner plugins will find a rogue file in the uploads folder. But if you are familiar with SSH, then you just need to write the following command:

find uploads -name "*.php" -print

There is no good reason for a .php file to be in your uploads folder. The folder is designed for media files in most cases. If there is a .php file that is in there, it needs to go.

Delete Inactive Themes

As we mentioned above, often the inactive themes are targeted. The best thing to do is delete them (yup this includes the default and classic theme). But wait, I didn’t check to see if the backdoor was in there. If it was, then it is gone now. You just saved your time from looking, and you eliminated an extra point of attack.

.htaccess File

Sometimes the redirect codes are being added there. Just delete the file, and it will recreate itself. If it doesn’t, go to your WordPress admin panel. Settings » Permalinks. Click the save button there. It will recreate the .htaccess file.

wp-config.php file

Compare this file with the default wp-config-sample.php file. If you see something that is out of place, then get rid of it.

Database Scan for Exploits and SPAM

A smart hacker will never have just one safe spot. They create numerous ones. Targeting a database full of data is a very easy trick. They can store their bad PHP functions, new administrative accounts, SPAM links, etc in the database. Yup, sometimes you won’t see the admin user in your user’s page. You will see that there are 3 users, and you can only see 2. Chances are you are hacked.

If you don’t know what you are doing with SQL, then you probably want to let one of these scanners do the work for you. Exploit Scanner plugin or Sucuri (paid version) both takes care of that.

Think you have cleaned it? Think again!

Alright so the hack is gone. Phew. Hold on, don’t just relax yet. Open your browser in an incognito mode to see if the hack comes back. Sometimes, these hackers are smart. They will not show the hack to logged in users. Only logged out users see it. Or better yet, try to change your browser’s useragent as Google. Sometimes, the hackers only want to target the search engines. If all looks great, then you are good to go.

Just FYI: if you want to be 100% sure that there is no hack, then delete your site. And restore it to the point where you know that the hack wasn’t there. This may not be an option for everyone, so you have to live on the edge.

How to Prevent Hacks in the Future?

Our #1 advice would be to keep strong backups (VaultPress or BackupBuddy) and start using a monitoring service. Like we said earlier, you cannot possibly monitor everything that goes on your site when you are doing tons of other things. This is why we use Sucuri. It might sound like that we are promoting them. But we are NOT. Yes, we do get an affiliate commission from everyone who sign up for Sucuri, but that is not the reason why we are recommending it. We only recommend products that we use and are quality. Major publications like CNN, USAToday, PC World, TechCrunch, TheNextWeb, and others are also recommending these guys. It is because they are good at what they do.

Read our article on 5 Reasons Why We Use Sucuri to Improve our WordPress Security

Few other things you can do:

  1. Use Strong Passwords – Force strong passwords on your users. Start using a password managing utility like 1Password.
  2. 2-Step Authentication – If your password got compromised, the user would still need to have the verification code from your phone.
  3. Limit Login Attempts – This plugin allows you to lock the user out after X numbers of failed login attempts.
  4. Disable Theme and Plugin Editors – This prevents user escalation issues. Even if the user’s privileges were escalated, they couldn’t modify your theme or plugins using the WP-Admin.
  5. Password Protect WP-Admin – You can password protect the entire directory. You can also limit access by IP.
  6. Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the upload directories and other directories of your choice. Basically so even if someone was able to upload the file in your uploads folder, they wouldn’t be able to execute it.
  7. Stay UPDATED – Run the latest version of WordPress, and upgrade your plugins.

Lastly, don’t be cheap when it comes to security. We always say that the best security measure is great backups. Please please please keep good regular backups of your site. Most hosting companies DO NOT do this for you. Starting using a reliable solution like BackupBuddy or VaultPress. This way if you ever get hacked, you always have a restore point. Also if you can, just get Sucuri and save yourself all the trouble. They will monitor your site, and clean it up if you ever get hacked. It comes out to be like $3 per month per site if you get the 5 site plan.

We hope that this article helped you. Feel free to leave a comment below if you have something to add :)

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit – a collection of WordPress related products and resources that every professional should have!

Reader Interactions

44 CommentsLeave a Reply

  1. Hello Sir in our maximum sites there was malicious codes injected but I Haven’t find these anywhere in database. In my all sites there was automatically malicious pages generated and it will shown on google and these pages were not shown in my wordpress dashboard and in posts sections.
    Please Help me to find codes and get secured from this hacking I have losted many traffic from my WordPress site.
    Please Help Me!

  2. This is really the BEST post there is about “unhacking” your website, I don’t know if it worked completely with my site but I really do hope so.

    Thanks so much guys!!

  3. Hi! I need some opinion. I’ve enabled open registration and set the default role as subscriber. From my understanding, this role can only have read capabilities. Means that they can only read posts on my blog, and comments. Am I right?

    The purpose I’m doing this because I want to allow only registered people to comment. Ironically, I’m using some live traffic logger, which can track requests in to or out of my website. I noticed that the registered user is using anonymous IP from TOR network. They seems registering by accessing the register page directly, not by usual means.

    Therefore, is it usually safe to let them? Does they (subscriber) has the capability to upload something on uploads or any folder on system? Since they can also have limited access to admin dashboard, can view wp version, is it considerably safe?

    I hope someone and wpbeginner staff can respond these. Thanks in advance.

  4. Hi ,
    I found my word press website title changed by some hacker group as they mentioned . So checked my security plugins wordfence , did the scan but nothing found . How can they affecting the page title continue and what should i do for that .

  5. Hi
    Sucuri & WP Clone uses the Uploads folder so what are we suppose to do there?

    Also Exploit Scanner is coming up with loads of files that it doesn’t recognise and the plugin is up to date. Maybe the algorithm is not up to date with the latest version of WordPress so deleted it.

    Sucuri has found no problems but it is the free version, Wordfence have found no errors either so I don’t trust Exploit Scanner at the moment.


  6. Thank you for a very informative and helpful article. I was able to finally understand what happened to my website ( thousands of malicious index.php files).
    I avoided having to pay an extortion price to sitelock to repair my site, by simply installing a (clean) backup.

    And now, I will make sure to install hundreds of antivirus plugins. Had not realised that my webhost bluehost did not include any basic level of security.

  7. Hi,
    I understand this article is quite old now, but I’ll comment and try if I get response.

    My site was recently compromised and after using free Sucuri, I switched to Wordfence. The latter helped me track all my files containing malicious code. No particular reason to not use Sucuri, I was just trying different options.

    What are your views on wordfence vs sucuri? Paid versions.


    • Hi Mehreen,

      They both offer good security. We recommend Sucuri because they offer cloud based website application firewall, which not only protects your website but also improves performance. Wordfence offers an application level firewall which runs on your server. See our article on best WordPress firewall plugins for more details.


  8. Hi
    When i type my website address it will open and after some time he will redirect to other website. and in mobile when i type my website address directly he will redirect to google play store. and google also showing this website may be hacked. how i can solved this problem.

  9. I cannot get in to my WordPress website. I spoke with the server’s tech support and they said the problem is not on their end, and they suspect the site has been compromised by malware. However, I am not able to log in the site to check anything. Any advice?

  10. Hi all,
    my website was hacked and i found many .php files like kebin.php kevin.php with eval and base64 code inside.
    The worst thing is that my site was blacklisted and also the external references to the link are so many!
    I noticed about 5 foreign IP’s that look into that reference files!
    What can i do to cut off these references?
    I have sucuri free version cause my blog is amateur blog and i dont have money to spend.

  11. someone hacking my admin panel again and again. I recovered but still he is hacking my admin-panel. I dnt know how to solve. Please kindly contact me for a solution.

  12. Just got finished cleaning up a client’s website. One of the things that this article doesn’t address is the fact that you may have to go up a level in your server’s folder to find the backdoor. In other words, you could delete everything in your /html file on your server and restart with a fresh reinstall and still have a backdoor in because it is in a different folder on your server one level up….

  13. Dear,

    My website is hacked by someone. Only hack my posts, when i click on post for preview it would not be open, open as blank page.

    Please help me, what is the main problem how i can solve it

    • Try switching to a default WordPress theme like twenty sixteen and deactivate all your WordPress plugins. Try to preview a post, if it opens fine, then your theme or one of the plugins on your website is causing the issue. If the problem persists, then follow the steps described above.


  14. Hi,

    This sounds to be really useful, but I’m struggling (on their website) to find the option you mention:
    “They will monitor your site, and clean it up if you ever get hacked. It comes out to be like $3 per month per site if you get the 5 site plan.”

    Could you point me in the right direction, please – with your affiliate link, of course?

    Or perhaps it’s no longer available, which would be a shame – because that’s affordable, whereas all I’ve found at the moment is about $17 per month which is a bit of an ouch for more than one site :-)

    Thanks for a helpful article, Joy

    • Answering my own question above…. I checked with Sucuri and sadly the 5 site plan referred to in this post no longer exists.

  15. Great article- Sucuri is a fantastic program. It isn’t the cheapest option but they are onto issues within hours and a fix shortly after.

    I’ve found a few exploits on clients website in the public_html/images file lately.

  16. Hey there,

    for guys who are familiar with ssh: what I do if there are hack problems is having backups ready for my complete websites and just compare the complete backup with the current state of the live project.
    Still the corrupt files can be ‘sleeping’ in there for weeks or months, so it’s not 100% safe that one will find all the hack(ed) files, but it’s often a good indicator, where to look. This way I noticed 3 new files in a long time not updated avada(theme) project inside the revolution slider plugin.

    Just my 2 cents :). Have a nice day,

  17. Came across another signature: if(!isset($GLOBALS[“”\x61\156\x75\156\x61″”]

    if you find the above statement, remove from the “if” right till the end of the line and that will fix that one file. I found this in almost every file though so you are going to have to use a global find and replace program. I use FNR.EXE but there are others. This one will also infect multiple websites in the same tree.

  18. Anyone noticed recent attack before a weak on major servers. I am using Hostgator hosting services. My sites were down for a day. One of my friend is using Bluehost and his sites were down for 4-5 days.

    I couldn’t find news about this on Google.
    Did anyone notice?

  19. Great Post, still relevant. I got malware the other day and downloaded my site to my computer. I sorted the files by “last modified” which showed me the pages that had been compromised.

    I compared these files with backup files and was able to track down the malware!

  20. Nice post, I recently run exploit scanner and it found many malicious or suspecious codes in my site like eval and base64_decode. What should I do in this case do I need to setup my whole database from starting. I can do this because my site is not full of content.
    But I am not very familiar with php, so help me.

    • Exploit scanner lets you know where it found the malicious code. If it is in a theme or plugin file, then you can simply delete those theme and plugin files. After that you can download and upload fresh copies of those files to your site. If it is in database and you can start fresh then do that. Other wise there are ways to clean the code from database too.


  21. Very nice article many thanks! I have used Exploit Scanner and currently im having BPS Security

  22. Nice article. I’ve found on infected WP sites they consistently seem to put a file named https.php in the wp-includes folder. I also found on my shared hosting server they will hop from one infected account to find other world readable wp-config.php files in other WP installs and will use the database information there to create admin accounts on other WP installs. Thus I’d add that any one whose been hacked should change their database credentials and also lock down wp-config.php as much as possible, ideally limiting it so only the webserver user (and the owner) can access it.

    I’ve been using wordfence to clean infected sites and have been very happy with is, though I recently found it’s no longer noticing the /wo-includes/https.php file I mentioned earlier. I’ve contacted them about this since i know in the past it did notice these

  23. Very helpfull and informative article.

    one of my client website/blog was infected with malware was ‘reported attached page’ by google. first I tried sucuri sitecheck tool to identify the infected files/badware but they only show this result of scan

    web site:
    status: Site blacklisted, malware not identified
    web trust: Site blacklisted.

    This do not any help, as we already know the site is black list and then I scan all the data on domain and found following two files infected


    I am posting this for other people to look for these files, if their website is infected and reported as attack page.

    qammar feroz

    • The free Sucuri scanner doesn’t do server side scanning. If you actually pay for Sucuri, not only it protects you, but they will do the cleanup for you if anything happens.


  24. Thanks for the excellent article! I have passed it along to my web development students through Facebook!

    Also, one of my student’s site was hacked and shut down by the web host for the second time. It looks like he had being doing his database backups. So, it looks like we will have to copy and paste his posts directly into the Dashboard from the database dump. What fun!

    • Sorry for the incomplete information – he had NOT been doing database backups. So, we will have to dump the database and copy and paste into the new install.

  25. You don’t have to pay securi anyting to scan your site. You can scan as many sites as you want for free. That scan will tell you where the hacks are.

    • Not quite correct. Yes, they have a free scanner, but it only checks if the hacks have a front-end impact. For example, it will say that you have malware injections in your front-end, but it will NOT tell you where the backdoor is hiding and such. There are times that you might clean up the hacks results, but the backdoor still stays even after the cleanup. Then when it comes back, you are left to wonder why.


    • thanks i am already using the plugin, eliminated many plugins because of it. real time scans are great and so is its firewall :)

  26. this was EXACTLY what I needed!! I’ve been trying to figure out how a hacker kept getting into one of the sites I maintain… it was just this one site, none of my other sites were being hacked. I found it with your help. It was hiding in a Pinterest plugin.
    thanx again

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.