Backdoors on a WordPress website, or anything that has to do with code, can have terrifying results. Years of work, proprietary code, business, even your entire life’s work and/or reputation can be ruined in a matter of seconds. While this isn’t automatic and requires an individual to use the gathered information for nefarious purposes, it’s still scary. Even worse, you’re living your life completely oblivious of its existence. With all that in mind, we decided to analyze how to find and fix a backdoor in WordPress. Let’s begin.
What is a backdoor on a website?
A backdoor is a piece of code a malicious individual uploaded to your website following a successful breach. It’s a safety measure that lets them regain access to your website at a moment’s notice even after you eliminated the harmful code, application, or exploit. It may also be designed to perform malevolent actions when found, making it even more dangerous. Some examples include redirecting some or all your links to a website of hackers’ choice, creating a hidden admin account, or making a copy of harmful files at a certain location. As you can see, this code is designed to persist through WordPress updates and changes to your structure.
How can I locate a backdoor?
In the greater scope of things, the source of the backdoor isn’t important, so long you remove it promptly and ban it from coming back. However, knowing the root cause is essential for narrowing down the places to look. What’s more, malicious individuals often create a failsafe or leave a red herring. The latter is mainly a useless backdoor placed as a decoy, while they buried the real thing deeper within. They likely added more than two, too. Moreover, hackers can make it so a new backdoor file is uploaded after a delay to trick you into feeling safe.
1. Find and fix a backdoor in plugins and themes for WordPress
Right off the bat, we need your honesty. Have you used premium versions of plugins and themes without paying? Though we condemn piracy itself, the bigger problem is the issues of nulled themes and plugins. You’re asking for trouble, if so. Further, installing free experimental plugins and themes from users with poor or no reputation is an unnecessary risk. Updating WordPress overwrites custom changes unless you created a child theme, but it doesn’t affect the base theme. Likewise, updating plugins may bring improvements but can leave the backdoor unaffected. Because you’d need to be a WordPress developer and spend hours analyzing code, we propose you pick one of two solutions:
Remove suspicious themes and plugins from your website
If you merely suspect you’re a victim of hacking or want to prevent attempts, pick this moderate approach. Access your website via FTP, head to the
wp-content folder, and open
themes folders. Erase any folders with names of themes and plugins you no longer use or never used. Hackers understand people are inexperienced, forgetful, or careless, and often hide backdoors in seemingly broken plugins or inactive themes. Most users forget to update or remove these, making them prime candidates.
Delete all plugins and themes installed on WordPress
This is a radical approach you should use when you know your website is hacked. Unless access to FTP is blocked, do the same as above. If it is, contact your web hosting provider hastily. Head over to
wp-content again, but this time, delete
plugins folders. We understand this may be a major setback, but safety should be your major concern. Plus, you can always reinstall reputable ones from the WordPress repository or your backup.
2. Restore WordPress website from a backup
Speaking of backups, if you stayed on top of security, you should have several recent versions of your website. If you can pinpoint the time you noticed inconsistencies, you may restore your website to how it looked and worked before the presumed backdoor was added. Double-check a backup exists, because you must wipe your entire website first.
3. Compare the default WordPress file structure to yours
Hackers oftentimes decide to hide their backdoor in a seemingly innocent file titled in line with others. Because we can’t know what that name is, we advise you use a fresh installation of WordPress (ideally, the same version, too) for comparison. That way, any extra files hackers might have added will stand out. For instance, they could have added PHP files such as
wp-user.php. Alternatively, they might have given it a name of a popular plugin or theme, such as
akismet.php. They count on the fact users are afraid to manage WordPress files. These look legitimate, although they shouldn’t exist.
Others decide to pick folders users rarely check. A prime example is a
uploads folder inside
wp-content. They can bury a backdoor among hundreds of files you’ve uploaded or disguise it as a version of a familiar file. Besides using a trusted name, they may avoid the PHP file extension altogether. Archives (
.zip, for example) and unknown extensions such as
.old (as in, outdated/temporary file) are nifty ways to camouflage a backdoor.
4. Analyze key WordPress files to fix a backdoor after you find it
To deceive website owners, hackers may hide a backdoor inside files necessary for the functionality of WordPress, making it hard to find and fix. Those that let users make custom changes are excellent representatives. It’s hard to remember which code you added, plus they may break up the backdoor code into chunks and spread it in multiple places or files. Here are several files you should check immediately:
root/includes— This folder contains lots of PHP scrips required for default functionality and custom additions alike. Ergo, hiding code in familiar scripts or a separate file is a common occurrence.
wp-config.php— Perhaps the most often edited file, crucial for configuring your website, is another common candidate.
.htaccess— A configuration file that permits adding settings to specific directories on web servers is another typical victim of backdoor access.
wp-themes/theme-name/functions.php— Though file users typically check, many hackers hope inexperienced website owners will miss a harmful function among beneficial ones.
5. Use security tools or WordPress plugins
A superb choice for this purpose is a security plugin for WordPress. Though many require a subscription, free versions are oftentimes capable of running an in-depth scan. You must know how to install WordPress plugins first. If you merely suspect a backdoor exists, a better choice might be a web-based tool. A notable example, though we aren’t affiliated, is Sucuri SiteCheck website security scanner.