Finding Backdoor in a Hacked WordPress Website

Home / Finding Backdoor in a Hacked WordPress Website

Finding Backdoor in a Hacked WordPress Website

December 11, 2015 | Article | No Comments

Every website is vulnerable to malware, trojan, and also viruses until it is safeguarded using the various technologies available. WordPress is no exception. Malicious code can be embedded inside pre-existing file or create a new file and put them on our server to get their ulterior motive fulfilled.

The reasons for such security issues can be many, ranging from a flawed plugin to an outdated version of WordPress. If WordPress is our CMS (Content Management System), then ensuring good health and safe from malicious hackers is our job.

In this article, we will discuss about how to detect whether there is a backdoor in our server. The term spoken here is as generic as possible so we won’t cover specific WordPress version.

Backdoor Definition

A backdoor is program or script or any executable file, which is used to bypass normal authentication and gaining the ability to remotely access the server while remaining undetected. This backdoor allows hackers to regain access even after we find and remove the exploited plugin. Backdoors often survive the upgrades, so our site is vulnerable until we clean this mess.

Some backdoors simply allow users to create hidden admin username. Whereas the more complex backdoors can allow the hacker to execute any PHP code sent from the browser. Others have a full fledged UI that allows them to send emails as your server, execute SQL queries, and everything else they want to do.

In all the cases, the backdoor was disguised to look like a legitimate WordPress file.

The Locations

Where is backdoor hidden?

The easiest way to locate a backdoor infection is to look for files in WordPress installation that should not really be there: the ones named php3.php or crucial-wp.php! However, sometimes backdoors may conceal themselves within an otherwise legitimate file. You can figure out by taking a look at your files, though often, encrypted/encoded backdoors are not the easiest to detect.

Mostly, backdoor are stored in the following location, so they are potential for checking:

  1. Themes – Most likely it is not in the current theme. Hackers want the code to survive core updates. So if we have the old theme sitting in themes directory, or another inactive theme, then the codes will probably be in there. This is why we recommend deleting all the inactive themes.
  2. Plugins – Plugins are a great place for the hacker to hide the code for three reasons. One because people don’t really look at them. Two because people don’t like to upgrade their plugins, so they survive the upgrades. Three, there are some poorly coded plugins which probably have their own vulnerabilities to begin with.
  3. Uploads Directory – For some bloggers, they never ever check uploads directory (are you one of them?). You just upload the image, and use it in your post. You probably have thousands of images in the uploads folder divided by year and month. It is very easy for the hacker to upload a backdoor in the uploads folder because it will hide among thousands of media files. Plus you don’t check it regularly. Most folks don’t have a monitoring plugin like Sucuri. Lastly, the uploads directory is writable, so it can work the way it is supposed to. This makes it a great target. A lot of backdoors we find are in there.
  4. wp-config.php – This is also one of the highly targeted files by the hackers. It is also one of the first places most folks are told to look.
  5. Includes Folder – /wp-includes/ folder is another place that we find backdoors. Some hackers will always leave more than one backdoor file. Once they upload one, they will add another backup to ensure their access. Includes folder is another one where most people don’t bother looking.

In all the cases we found, the backdoor was disguised to look like a WordPress file.

For example: in one site we cleaned up, the backdoor was in wp-includes folder, and it was called wp-user.php (this doesn’t exist in the normal install). There is user.php, but no wp-user.php in the /wp-includes/ folder. In another instance, we found a php file named hello.php in the uploads folder. It was disguised as the Hello Dolly plugin. But why the heck is in the uploads folder?

It can also use names like wp-content.old.tmp, data.php, php5.php, or something of that sort. It doesn’t have to end with PHP just because it has PHP code in it. It can also be a .zip file. In most cases, these files are encoded with base64 code that usually perform all sort operations (i.e add spam links, add additional pages, redirect the main site to spammy pages, etc).

Now you are probably thinking that WordPress is insecure because it allows for backdoors. You are DEAD WRONG. The current version of WordPress has no known vulnerabilities. Backdoors are not the first step of the hack. It is usually the second step. Often hackers find an exploit in a third-party plugin or script which then gives them access to upload the backdoor. It can be all sort of things though. For example, a poorly coded plugin can allow user privilege escalation. If your site had open registrations, the hacker can just register for free. Exploit the one feature to gain more privileges (which then allows them to upload the files). In other cases, it could very well be that your credentials were compromised. It could also be that you were using a bad hosting provider.

Find and Clean Backdoor

If you suspect there is a backdoor in your WordPress, then it’s time to find and clean it (if found). Cleaning is as easy as deleting the file or code. However the difficult part is finding it.

Using plugins

There are lot of WordPress plugin for malware scanner can be used for this purpose: Theme Authenticity Checker (TAC), Exploit Scanner, Sucuri.

Theme Authenticity Checker is a free plugin that scans all of your WordPress theme files for potentially malicious or unwanted code. Often hackers target themes to inject links, so this plugin is a good way of checking for that.

Exploit Scanner is another free WordPress plugin that is much more robust than the Theme Authenticity Checker because it search all files and database of your WordPress install. It checks for signs that may indicate if your installation has fallen victim to malicious hackers.

But remember, base64 and eval codes are also used in plugins. So sometimes it will return a lot of false positives. You have to know what you are doing to see if the error is really malicious or if it is ok. If you are not the developer of the plugins, then it is really hard for you to know which code is out of its place in the thousands of lines of code.

Sucuri is by far the BEST WordPress security scanner out there. They have a very basic free site scanner, which checks your site to see if your site is doing ok. But the real value is in their paid version. In short, once you install Sucuri, it automatically monitors your website 24×7 against all threats. It audits all the activities that happen on your site to keep track of where things went wrong. If something looks fishy, Sucuri blocks the IP. They also send you alerts if they notice something going on with your site. Last but not least, they offer a malware cleanup service which is included in the price of their service (no matter how big or small your site is).

Also, this service is not just for beginners. Major publications like CNN, USAToday, PC World, TechCrunch, TheNextWeb, and others are recommending these guys.

Search the Uploads Directory

One of the scanner plugins will find a rogue file in the uploads folder. We can, actually, do it manually. If you are familiar with SSH, we can do some commands to search it. Assuming our server is UNIX (and its derivation):

find uploads -name "*.php" -print

There is no good reason for a .php file to be in your uploads folder. The folder is designed for media files in most cases. If there is a .php file that is in there, it needs to go.

Delete Inactive Themes

As mentioned above, often the inactive themes are targeted. The best thing to do is delete them (yup this includes the default and classic theme). But wait, we didn’t check to see if the backdoor was in there. If it was, then it is gone now. You just saved your time from looking, and you eliminated an extra point of attack.

.htaccess File

Sometimes the redirect codes are being added there. Just delete the file, and it will recreate itself. If it doesn’t, go to your WordPress admin panel. Settings » Permalinks. Click the save button there. It will recreate the .htaccess file.

wp-config.php File

Compare this file with the default wp-config-sample.php file. If you see something that is out of place, then get rid of it.

Database Scan for Exploits and SPAM

A smart hacker will never have just one safe spot. They create numerous ones. Targeting a database full of data is a very easy trick. They can store their bad PHP functions, new administrative accounts, SPAM links, etc in the database. Yup, sometimes you won’t see the admin user in your user’s page. You will see that there are 3 users, and you can only see 2. Chances are you are hacked.

If you don’t know what you are doing with SQL, then you probably want to let one of these scanners do the work for you. Exploit Scanner plugin or Sucuri (paid version) both takes care of that.


Prevention or removal of backdoors is easier than detection. You can minimize the chances of backdoor attacks by limiting access to your website’s core files. Keep strong backups and start using a monitoring services.

Here are the recommended things to do:

  1. Use strong password – Force strong passwords on your users. Start using a password managing utility like 1Password.
  2. 2-Step authentication– If your password got compromised, the user would still need to have the verification code from your phone.
  3. Limit Login Attempts – This plugin allows you to lock the user out after X numbers of failed login attempts.
  4. Disable Theme and Plugin Editors – This prevents user escalation issues. Even if the user’s privileges were escalated, they couldn’t modify your theme or plugins using the WP-Admin.
  5. Password Protect WP-Admin – You can password protect the entire directory.
  6. Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the upload directories and other directories of your choice. Basically so even if someone was able to upload the file in your uploads folder, they wouldn’t be able to execute it.
  7. Stay UPDATED – Run the latest version of WordPress, and upgrade your plugins.


About Author

about author


A man who is obsessed to low level technology.

Leave a Reply

Your email address will not be published. Required fields are marked *

Social Share Buttons and Icons powered by Ultimatelysocial