How to Find a Backdoor in a Hacked WordPress Site and Fix It

Is it possible that your WordPress site has been hacked into the backdoor?

Hackers frequently install a backdoor to ensure that they can access your website even after you’ve secured it. There’s no stopping them unless you can get rid of that backdoor.

We’ll show you how to discover and fix a backdoor in a hacked WordPress site in this article.

How to Locate and Repair a Backdoor in a Hacked WordPress Site

How to Determine Whether or Not Your Website Has Been Hacked

If you’re running a WordPress site, you need to be concerned about security. This is due to the fact that websites are attacked 44 times every day on average.

Our definitive WordPress security tutorial will teach you how to keep your site safe.

What if, though, your website has already been hacked?

A decrease in website traffic or speed, the addition of harmful links or unfamiliar files, a defaced home page, an inability to log in, suspicious new user accounts, and more are all symptoms that your WordPress site has been hacked.

Cleaning up a compromised website may be excruciatingly painful. should also scan your site for any malware that the hackers may have left behind.

Also, remember to lock the backdoor.

A savvy hacker anticipates you cleaning up your website at some point. The first thing they might do is set up a backdoor so they can get back in after you’ve secured your WordPress website’s front door.

What Is a Backdoor, Exactly?

A backdoor is a piece of code that allows a hacker to gain access to a website’s server while remaining undetected and circumventing the standard login process. It allows a hacker to gain access to your website even after you’ve discovered and fixed the vulnerable plugin or vulnerability.

After the user has gained access, backdoors are the next step in the hacking process.

Backdoors are notorious for surviving WordPress upgrades. That implies your site will stay vulnerable until all backdoors have been discovered and fixed.

How Do Backdoors Work?

Some backdoors are merely admin usernames that have been hidden. They allowed the hacker to log in using a username and password as usual. You have no idea that someone else has access to your website because the username is masked.

Hackers with more complex backdoors may be able to run PHP code. They use their web browser to manually submit the code to your website.

Others feature a full user interface that lets people send emails as your WordPress hosting server, do SQL database queries, and do a lot more.

Some cybercriminals will leave multiple backdoor files. They’ll upload another after that to confirm they have access.

Where Can You Find Backdoors?

Every time we’ve discovered a backdoor, it’s been camouflaged as a WordPress file. Backdoor code is typically kept in the following locations on a WordPress site:

  1. It’s a WordPress theme, but it’s probably not the one you’re using right now. When you update WordPress, the code in a theme isn’t altered, thus it’s an ideal spot to hide a backdoor. As a result, we advise uninstalling all inactive themes.
  2. Another good area to hide a backdoor is in WordPress plugins. They aren’t overwritten by WordPress updates, like themes, and many users are hesitant to upgrade plugins.
  3. The uploads folder may include hundreds or thousands of media assets, making it an ideal location for a backdoor. Bloggers rarely examine its contents because they simply upload an image and then use it in a post.
  4. The wp-config.php file is used to configure WordPress and contains sensitive information. It’s one of the most often targeted files by cybercriminals.
  5. The wp-includes folder contains PHP files that WordPress needs to function properly. Because most website owners don’t check to see what the folder contains, it’s another place where we find backdoors.

We’ve discovered a number of backdoors.

Here are some examples of backdoors that have been uploaded by hackers. The backdoor was found in the wp-includes folder on one of the sites we cleaned up. The file was called wp-user.php, which appears to be harmless enough, but it doesn’t exist in a standard WordPress installation.

In another case, a PHP file named hello.php was discovered in the uploads folder. The Hello Dolly plugin was used to hide it. Strangely, the hacker placed it in the uploads folder rather than the plugins folder.

Backdoors that don’t employ the.php file extension have also been discovered. Backdoors have also been discovered in files with the.zip extensions, such as wp-content.old.tmp.

As you can see, hackers can be rather inventive when it comes to concealing a backdoor.

The files were usually encoded with Base64 code, which can be used to execute a variety of tasks. They can, for example, add spam links, create new sites, redirect the main site to spammy pages, and so on.

With that in mind, let’s look at how to locate and repair a backdoor in a hacked WordPress site.

How to Locate and Repair a Backdoor in a Hacked WordPress Site

You now understand what a backdoor is and where it could be found. Finding it is the difficult part! Cleaning it up after that is as simple as deleting the file or code.

1. Look for code that could be harmful.

A WordPress malware scanner plugin is the simplest approach to search your website for backdoors and vulnerabilities. Securi comes highly recommended because it helped us block 450,000 WordPress attacks in three months, including 29,690 backdoor attacks.

They provide a free WordPress Sucuri Security plugin that allows you to scan your site for common attacks and harden your WordPress security. The premium version includes a server-side scanner that checks for backdoors and other security vulnerabilities once every day.

2. Remove the Plugins folder from your computer.

It takes time to search through your plugin folders for suspicious files and code. There’s no assurance you’ll locate a backdoor because hackers are so cunning.

The best course of action is to erase your plugins directory and then reinstall them from fresh. This is the only way to ensure that your plugins are free of backdoors.

You can use an FTP program or your WordPress host’s file management to get to your plugins directory. If you’ve never used FTP.

To go to your website’s wp-content folder, you’ll need to use the program. After that, right-click on the plugins folder and choose ‘Delete’.

Delete the Plugins folder from your computer.

3. Remove the Themes folder from your computer.

Similarly, rather than wasting time looking for a backdoor in your theme files, it’s easier to just delete them.

After you’ve deleted your plugins folder, go ahead and delete the themes folder as well.

You don’t know if that folder had a backdoor, but if it did, it’s no longer there. You’ve just saved time and eliminated an extra attack point.

You can now reinstall any themes you require.

4. Look for PHP files in the Uploads folder.

After that, go through the uploads folder and check sure there aren’t any PHP files there.

Because it’s created to house media files like images, there’s no purpose for a PHP file to reside in this folder. If a PHP file is discovered, it should be removed.

The uploads folder, like the plugins and themes folders, is located in the wp-content folder. You’ll discover many folders for each year and month you’ve submitted files inside the folder. You’ll need to go through each folder and look for PHP files.

Some FTP clients have tools that will recursively search the folder. If you use FileZilla, for example, you can right-click the folder and choose ‘Add files to queue.’ Any files discovered in the folder’s subdirectories will be added to the queue in the bottom pane.

Make Sure the Uploads Folder Doesn't Have Any PHP Files

You may now search for files with the.php extension by scrolling through the list.

Advanced users who are comfortable with SSH can use the following command instead:

1
find uploads -name "*.php" -print

5. Delete the .htaccess File

Some hackers may insert redirect codes into your.htaccess file, directing visitors to a different website.

Simply delete the file from your website’s root directory using an FTP client or file manager, and it will be regenerated automatically.

Remove the.htaccess file from your website.

If it isn’t recreated for whatever reason, go to Settings » Permalinks in your WordPress admin panel. A new.htaccess file is created when you click the ‘Save Changes’ button.

If necessary, build a new.htaccess file. Take a look at the wp-config.php file.

6. Check the wp-config.php File

The wp-config.php file is a WordPress core file that provides information that allows WordPress to interface with the database, as well as developer options and security keys for your WordPress installation.

The file is located in the root folder of your website. Select the Open or Edit options in your FTP client to see the contents of the file.

In the wp-config.php file, look for anything out of place.

Now you should carefully examine the contents of the file to see if anything appears to be out of place. It could be beneficial to compare the file to the default wp-config-sample.php file in the same folder.

Any code that you’re confident doesn’t belong should be removed.

7. Restore a Backup of a Website

If you’ve been creating frequent backups of your website but still have concerns that it’s not totally clean, restoring a backup is a viable option.

You’ll need to wipe your entire website and then restore a backup that was taken before it was hacked. This isn’t for everyone, but it will give you complete peace of mind that your site is secure.

See our beginner’s guide on restoring WordPress from backup for more information.

How Can Future Hacks Be Prevented?

Now that you’ve cleaned up your website, it’s important to beef up its security in order to avoid future hacks. When it comes to website security, it doesn’t pay to be cheap or apathetic.

1. Back up your website on a regular basis.

Today is the day to start making regular backups of your website if you haven’t already.

WordPress does not have a backup system built in. However, there are several excellent WordPress backup plugins that allow you to backup and restore your WordPress site automatically.

One of the greatest WordPress backup plugins is UpdraftPlus. It enables you to create automatic backup schedules and will assist you in restoring your WordPress site in the event of a disaster.

2. Install a Security Plugin after backing up your website with UpdraftPlus.

When you’re busy running your business, it’s impossible to keep track of everything that happens on your website. As a result, we recommend that you utilize a security plugin such as Sucuri.

Sucuri comes highly recommended since they excel at what they do. CNN, USA Today, PC World, TechCrunch, The Next Web, and other major magazines concur. Furthermore, we rely on it to keep WPBeginner safe.

3. Improve the security of WordPress login

It’s also critical that you improve the security of your WordPress login. When users create accounts on your website, the best place to start is to require them to use secure passwords. We also suggest that you begin utilizing a password manager such as 1Password.

The next step is to implement two-factor authentication. This will safeguard your website from brute force assaults and stolen credentials. This implies that even if a hacker has your username and password, they will be unable to access your website.

Finally, you should keep the number of login attempts in WordPress to a minimum. Users can input passwords as many times as they wish on WordPress. If you lock a user out after five failed login attempts, a hacker will have a much harder time figuring out your login credentials.

4. Keep the WordPress Admin Area Safe

By preventing unauthorized access to the admin area, you can prevent numerous typical security problems. We offer a comprehensive list of suggestions for keeping WordPress admin secure.

You can, for example, make the wp-admin directory password-protected. This adds additional layer of security to your website’s most essential entry point.

You can also restrict access to the admin section to your team’s IP addresses. Another option to keep hackers out if they figure out your username and password is to utilize this method.

5. Turn off the Editors for Themes and Plugins

WordPress has a built-in theme and plugin editor, in case you didn’t know. You may change your theme and plugin files directly from the WordPress dashboard with this plain text editor.

While this is beneficial, it may cause security concerns. If a hacker gains access to your WordPress admin area, for example, they can use the built-in editor to access all of your WordPress data.

They will then be able to use your WordPress website to spread malware or perform DDoS assaults.

We propose fully deleting the built-in file editors to boost WordPress security.

6. Turn off PHP execution in specific WordPress folders

PHP scripts can be launched in any folder on your website by default. You can improve the security of your website by turning off PHP execution in folders that don’t require it.

WordPress, for example, never needs to run code from your uploads folder. If you disable PHP execution for that folder, even if a hacker successfully uploads one, they won’t be able to run it.

7. Ensure that your website is up to date.

Every new WordPress version is more secure than the previous one. When a security vulnerability is discovered, the WordPress core team works quickly to deliver an update that addresses the problem.

This means that if you don’t keep WordPress updated, you’re using software that has known security flaws. Hackers can look for websites that are running an older version and exploit the flaw.

Keep WordPress up to date, but don’t stop there. You must also ensure that your WordPress plugins and themes are up to date.

We hope that this tutorial taught you how to locate and repair a backdoor in a hacked WordPress site.