Has your WordPress website been compromised?
Hackers often install a backdoor to ensure they can regain access even after you secure your site. If you don’t eliminate that backdoor, they can return.
In this article, we will guide you on how to detect and remove a backdoor from your compromised WordPress site.
Signs That Your Website Has Been Compromised
If you operate a WordPress website, prioritizing security is essential. On average, websites face attacks 44 times daily.
Discover best practices for safeguarding your site in our comprehensive WordPress security guide.
But what should you do if your site has already been compromised?
Indicators that your WordPress site may have been hacked include a decline in traffic or performance, the presence of malicious links or unfamiliar files, a defaced homepage, difficulties logging in, suspicious new user accounts, and more.
Restoring a hacked website can be extremely challenging and frustrating. Our beginner’s guide provides a step-by-step process to help you fix your compromised WordPress site. Additionally, ensure you scan your site for any malware left by the attackers.
And remember to secure the backdoor.
Clever hackers anticipate that you will eventually restore your website. Their first move may be to install a backdoor, enabling them to re-enter your WordPress site even after you secure the main access points.
Understanding Backdoors
A backdoor is a piece of malicious code inserted into a website, granting a hacker covert access to the server while bypassing standard login procedures. This allows them to regain entry even after you’ve identified and removed the compromised plugin or vulnerability.
Backdoors represent the next phase of a hacking incident after the initial breach. You can discover how hackers typically infiltrate WordPress sites and how to safeguard against it in our comprehensive guide.
Backdoors can persist through WordPress updates, leaving your site exposed until every backdoor is located and eliminated.
How Backdoors Function
Some backdoors consist of concealed admin usernames, enabling hackers to log in as if they were legitimate users by entering a hidden username and password. Since the username is obscured, you might remain unaware that unauthorized individuals have access to your website.
More sophisticated backdoors allow hackers to execute PHP code directly. They can send this code to your website through their web browser.
Some backdoors come with a complete user interface that enables hackers to send emails as if they were your WordPress hosting server, execute SQL database queries, and perform various other actions.
Hackers often leave multiple backdoor files behind. After uploading one, they may add another to ensure continued access to your site.
Where Are Backdoors Concealed?
In every instance we’ve encountered, the backdoor was camouflaged to resemble a legitimate WordPress file. The code for backdoors on a WordPress site is typically found in the following locations:
- A WordPress theme, although it may not be the one currently active on your site. Code within a theme remains intact during WordPress updates, making it an ideal hiding spot for backdoors. Therefore, we advise removing all inactive themes.
- WordPress plugins also serve as potential hiding spots for backdoors. Similar to themes, they are not affected by WordPress updates, and many users hesitate to upgrade their plugins.
- The uploads folder can contain hundreds or even thousands of media files, making it another suitable location for concealing a backdoor. Bloggers rarely inspect its contents, as they typically upload an image and use it directly in a post.
- The wp-config.phpThis file contains critical configuration details for WordPress and is frequently targeted by hackers.
- The wp-includes directory holds essential PHP files necessary for the proper functioning of WordPress. It is another common location for backdoors, as many website owners overlook its contents.
Examples of Backdoors We Have Discovered
Below are examples of locations where hackers have inserted backdoors. In one instance, we discovered a backdoor located in the wp-includes directory. The file was named wp-user.php, which may seem harmless, but this file is not part of a standard WordPress installation.
In another case, we found a PHP file called hello.php in the uploads directory. It was disguised as the Hello Dolly plugin, which is unusual since it was placed in the uploads folder rather than the plugins folder.
We have also encountered backdoors that do not utilize the .php file extension. One such example was a file named wp-content.old.tmp, and we’ve also identified backdoors in files with a .zip extension.
As demonstrated, hackers can employ highly inventive methods to conceal a backdoor.
Typically, these files are encoded using Base64, allowing them to execute various harmful actions. For instance, they can insert spam links, create unauthorized pages, redirect the main site to malicious sites, and more.
Now, let’s explore how to detect a backdoor in a compromised WordPress site and how to resolve the issue.
Detecting and Resolving a Backdoor in a Compromised WordPress Site
Having understood what a backdoor is and where it may be concealed, the challenging part is locating it! Once found, removing it is as simple as deleting the malicious file or code.
1. Check for Potential Malicious Code
The simplest method to scan your website for backdoors and vulnerabilities is by using a WordPress malware scanner plugin. We recommend Sucuri, which helped us thwart 450,000 WordPress attacks in just three months, including 29,690 related to backdoors.
They provide a free Sucuri security plugin for WordPress that allows you to scan your site for common threats and strengthen your WordPress security. The premium version features a server-side scanner that operates daily, checking for backdoors and other security vulnerabilities.
An excellent alternative to Sucuri is MalCare, which includes an automated malware removal feature that eliminates all malware files, including backdoors, from your website.
Discover how to effectively scan your WordPress site for harmful code in our comprehensive guide.
2. Remove Your Plugins Folder
Manually searching through your plugin folders for suspicious files and code can be tedious and may not guarantee the discovery of a backdoor due to the cunning tactics of hackers.
The most reliable approach is to remove your plugins directory entirely and then reinstall your plugins from the ground up. This ensures that no backdoors remain in your plugins.
You can access your plugins directory using an FTP client or the file manager provided by your WordPress host. If you’re unfamiliar with FTP, check out our guide on how to use FTP to upload files to WordPress.
You will need to use the software to navigate to your website’s wp-content directory. Once there, right-click on the plugins folder and choose ‘Delete’.
3. Remove Your Themes Folder
Similarly, instead of wasting time searching for a backdoor within your theme files, it’s more efficient to delete them entirely.
After you have removed your plugin folder, simply select the themes folder and delete it in the same manner.
While you may not be certain if a backdoor existed in that folder, removing it has eliminated a potential vulnerability and saved you valuable time.
You can now proceed to reinstall any necessary themes.
4. Check the Uploads Folder for PHP Files
Next, examine the uploads folder to ensure there are no PHP files present.
There should be no PHP files in this folder, as it is intended for storing media files like images. Any PHP file found here should be deleted.
Similar to the plugins and themes folders, the uploads folder is located within the wp-content directory. Inside, you will find multiple folders organized by year and month for your uploaded files. Be sure to check each folder for any PHP files.
Some FTP clients provide functionality to search the folder recursively. For instance, in FileZilla, you can right-click the folder and choose ‘Add files to queue’. This will include any files found in subdirectories in the queue displayed at the bottom.
You can now review the list for any files that have a .php extension.
Alternatively, experienced users familiar with SSH can execute the following command:
find uploads -name "*.php" -print
5. Remove the .htaccess File
Hackers may insert redirect codes into your .htaccess file, directing your visitors to a different site.
Using an FTP client or file manager, delete the file from your website’s root directory, and it will be automatically recreated.
If it does not get recreated for any reason, navigate to Settings » Permalinks in your WordPress admin panel. Clicking the ‘Save Changes’ button will generate a new .htaccess file.
6. Review the wp-config.php File
The wp-config.php file is a crucial WordPress file containing the information necessary for WordPress to connect with the database, as well as the security keys for your WordPress installation and developer options.
This file is located in your website’s root folder. You can access its contents by selecting the Open or Edit options in your FTP client.
Carefully examine the contents of the file for anything unusual. It may be useful to compare it with the default version.wp-config-sample.phpThis file is located in the same directory.
Remove any code that you are certain is not part of your original setup.
7. Restore a Backup of Your Website
If you regularly back up your website and still have concerns about its cleanliness, restoring a backup can be an effective solution.
You will need to completely erase your website and then restore a backup taken before the hack occurred. While this may not be feasible for everyone, it ensures your site is entirely secure.
For further details, refer to our beginner’s guide on restoring WordPress from a backup.
How to Safeguard Against Future Hacks?
Now that your website is cleaned up, it’s essential to enhance its security to prevent future hacks. Investing in proper website security is crucial.
1. Regularly Back Up Your Website
If you haven’t been making regular backups of your website, now is the perfect time to start.
WordPress does not include a built-in backup feature, but there are several excellent backup plugins available that can help you automatically back up and restore your WordPress site.
Duplicator is one of the top WordPress backup plugins available. It enables you to set up automatic backup schedules and assists in restoring your WordPress site in case of any issues.
There is also a free version of Duplicator that allows you to create manual backups.
For detailed instructions, refer to our guide on how to back up your WordPress site using Duplicator.
2. Install a Security Plugin
Monitoring every activity on your website can be overwhelming when you’re focused on running your business. That’s why we suggest using a security plugin like Sucuri.
We endorse Sucuri for its effectiveness, and it has been recognized by major publications such as CNN, USA Today, PC World, TechCrunch, and The Next Web. Additionally, we trust it to keep CanadaCreate secure.
3. Enhance WordPress Login Security
It’s crucial to strengthen the security of your WordPress login. A great starting point is to enforce strong password creation for users registering on your site. We also recommend utilizing a password manager like 1Password.
Implementing two-factor authentication is essential for securing your website. This feature safeguards against stolen passwords and brute force attacks. Even if a hacker has your username and password, they will be unable to access your website.
It’s crucial to limit login attempts in WordPress. By restricting users to five failed login attempts, you can significantly decrease the likelihood of a hacker guessing your login credentials.
4. Secure Your WordPress Admin Area
By safeguarding the admin area from unauthorized access, you can prevent many common security vulnerabilities. We offer a comprehensive list of strategies to keep your WordPress admin secure.
One effective method is to password protect the wp-admin directory, adding an extra layer of security to the most critical entry point of your website.
Additionally, you can restrict access to the admin area to specific IP addresses used by your team. This further protects against hackers who may have your username and password.
5. Disable Theme and Plugin Editors
Did you know that WordPress includes a built-in theme and plugin editor? This text editor enables you to modify your theme and plugin files directly from the WordPress dashboard.
While this feature is convenient, it can create potential security vulnerabilities. For instance, if a hacker gains access to your WordPress admin area, they can utilize the built-in editor to access all your WordPress data.
Once they have access, they can spread malware or initiate DDoS attacks using your WordPress site.
To enhance the security of your WordPress site, we suggest completely removing the built-in file editors.
6. Disable PHP Execution in Specific WordPress Directories
By default, PHP scripts can be executed in any directory on your website. You can enhance your site’s security by disabling PHP execution in directories that do not require it.
For instance, WordPress does not need to execute code stored in your uploads directory. By disabling PHP execution for that directory, a hacker will be unable to run a backdoor even if they manage to upload one there.
7. Keep Your Website Updated
Each new version of WordPress offers improved security compared to its predecessors. Whenever a security vulnerability is identified, the core WordPress team promptly works to release an update that addresses the issue.
Failing to update WordPress means you’re using software that has known security flaws. Cybercriminals actively look for websites running outdated versions to exploit these vulnerabilities and gain unauthorized access.
That’s why it’s essential to always use the latest version of WordPress.
In addition to updating WordPress, ensure that your plugins and themes are also kept up to date.
We hope this guide has helped you learn how to identify and remove a backdoor from your compromised WordPress site. You may also want to explore how to migrate WordPress from HTTP to HTTPS, or check our comprehensive list of WordPress errors and their solutions.
If you found this article helpful, please subscribe to our YouTube Channel for WordPress video tutorials. You can also connect with us on Twitter and Facebook.
