How to Find and Remove Backdoors in Hacked WordPress Sites (2023 Guide)

If you suspect your WordPress site has been hacked, one of the most important steps to a full recovery is finding and removing any backdoors. Backdoors are sneaky access points that allow hackers to re-enter your site even after you've kicked them out.

In this in-depth guide, I'll take you through the exact process I use to find and eliminate backdoors in compromised WordPress sites. You'll learn the common hiding places for backdoors, step-by-step instructions to root them out, and tips to lock your site down against future attacks.

Why Backdoors Are So Dangerous (And Common)

WordPress now powers over 43% of all websites, making it a huge target for hackers. Over 4.3 billion WordPress hack attempts were recorded in 2020 alone!

A backdoor is one of the most powerful tools in a hacker's arsenal. It lets them quietly maintain access to a site for weeks or months to:

  • Steal sensitive data
  • Distribute malware
  • Send spam emails
  • Launch DDoS attacks
  • Deface pages
  • Mine cryptocurrency
  • Sell backdoor access to other criminals

Backdoors are deliberately hard to find, often lurking in files that look innocent to a casual observer. Hackers frequently use tricks like:

  • Hiding admin accounts with innocent-sounding usernames
  • Appending backdoor code to legitimate theme/plugin files
  • Disguising backdoors as core WordPress files like wp-feed.php
  • Encoding backdoor code to avoid text searches

According to Wordfence's 2022 WordPress Threat Report, backdoors were found in over 11% of all hacked sites. They're one of the most common indicators of compromise.

Where to Look for WordPress Backdoors

Backdoors can hide almost anywhere in a WordPress installation, but some locations are more common than others. Based on my experience cleaning hundreds of hacked sites, here are the top places I always check:

Plugins and Themes

Plugins and themes are the #1 source of WordPress vulnerabilities. If a hacker exploited a plugin to breach your site, they very likely added a backdoor there too.

Some telltale signs of a backdoored plugin or theme:

  • Unexpected admin accounts named after the plugin/theme
  • Brand new files with recent timestamps among old files
  • Changes to the plugin/theme header info in style.css, readme.txt, etc.
  • Large base64-encoded blobs or obfuscated code

Uploads Directory

By default, any PHP files inside the /wp-content/uploads/ directory can execute. This makes it a perfect hiding spot for backdoor scripts.

Always check this directory and its year/month subfolders for suspicious PHP files (e.g. with recent timestamps, random-looking names, encoded content). Examine any non-media files carefully.

Wp-Config.php

The wp-config.php file contains your WordPress site's most sensitive information like database credentials and secret keys. It's a prime target for adding backdoors.

Look for these red flags in wp-config.php:

  • Extra code before the opening <?php tag or after the closing ?> tag
  • Unfamiliar require(), include(), eval() or create_function() calls
  • Junk characters in commented-out lines used to hide code
  • Strange define() statements that enable debugging or caching

.Htaccess File

The .htaccess file controls how web servers like Apache and Nginx handle requests to your site. Hackers can manipulate .htaccess to:

  • Make hidden backdoor files publicly accessible
  • Redirect visitors to malware/phishing sites
  • Load backdoor code into every page

Carefully inspect your .htaccess file for suspicious directives like RewriteRule, Redirect, and FilesMatch. Delete the file and let WordPress rebuild it if you're unsure.

Wp-admin, Wp-Includes, and Root Folders

Most backdoors are designed to blend in with normal WordPress files to avoid detection. So don't ignore the wp-admin, wp-includes, and WordPress root folders!

Some common disguises I've seen:

  • wp-fields.php, wp-backup.php, wp-blog.php
  • class-seo.php, class-pop3.php, admin-ajax.php
  • setup.php, db-cache.php, 404.php

Use your (S)FTP client's search function to look for keywords like "eval", "base64", "edoced46esab", and "create_function".

How to Find and Remove Backdoors: Step by Step

Now that you know the common backdoor hiding places, let's walk through the full removal process:

Step 1: Scan for Malware

Start by scanning your WordPress files for signs of compromise. There are a few ways to do this:

  • Plugin scanners: Security plugins like Wordfence, Sucuri, and MalCare have built-in malware/backdoor scanners. They compare your files against a database of known malware signatures.

  • Online scanners: Remote scanners at Sucuri SiteCheck or VirusTotal can detect backdoors without needing access to your server. Just enter your site URL.

  • File integrity monitoring: If you've previously used a security plugin like Sucuri to create a baseline of your WordPress files, you can schedule regular file integrity scans to detect changes. Any new or modified files trigger an alert.

  • Manual code checks: Search your wp-content and WordPress root folders for keywords commonly found in backdoors (eval, base64_decode, etc). Use SFTP or shell commands like:

grep -rnw '/path/to/wordpress/' -e 'eval' -e 'base64_decode'

Step 2: Reset Plugins and Themes

If your malware scans find a backdoor in a plugin or theme file, the safest option is to delete that extension entirely and reinstall a clean version.

In fact, I recommend starting with a clean slate by deleting all your plugins and themes. Use your (S)FTP client or hosting control panel to remove the wp-content/plugins/ and wp-content/themes/ folders.

Now manually reinstall your active theme and plugins from trusted sources like the official WordPress repository or the developer's website. This ensures you have the latest patched versions with no lingering backdoors.

Yes, it's tedious to reconfigure plugin settings – but a lot less painful than getting hacked again!

Step 3: Check the Uploads Folder

Use your (S)FTP client to look inside wp-content/uploads/ and its year/month subfolders. Search for files with extensions like .php, .php5, .phtml, .js, .cgi, etc.

Unless you consciously uploaded a PHP script there, any executable files in the uploads folder are very likely backdoors or other malware. Delete them right away!

Here's a quick way to find all PHP files in uploads via SSH:

find /path/to/wp-content/uploads/ -name "*.php"

Step 4: Examine Wp-config.php

Carefully go through your wp-config.php file line by line. Look for any suspicious code like:

  • Unfamiliar define() statements enabling debug mode or caching
  • require(), include() or other calls to load external PHP files
  • Code like eval() or create_function() with obfuscated arguments
  • Extra code before the opening <?php tag or after the closing ?> tag
  • Strange comments with junk characters meant to hide backdoor code

If you find anything dubious, compare that line against the default wp-config.php file to make sure it's genuine.

When in doubt, replace your wp-config.php with a fresh copy from a default WordPress install. Just remember to copy over your database credentials, keys/salts, and any custom configuration.
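The manual checks from Steps 1, 3 and 4 (the keyword grep, the search for script files in uploads, and the wp-config.php review) collected into one read-only triage script. This is an added example, not code from the original post: the function names, the token list and the seven-day "recently modified" window are my choices, and it assumes GNU or BSD find and grep and that the WordPress root is passed as the first argument.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a read-only triage script
# that bundles the manual checks from Steps 1, 3 and 4. It takes the
# WordPress root as its argument, reports findings and deletes nothing.
set -u

# Tokens common in PHP backdoors. "edoced46esab" is base64_decode reversed,
# a trick used to dodge plain text searches. The '\(' keeps the parenthesis
# literal inside the extended regex.
SUSPICIOUS_TOKENS='eval[[:space:]]*\(|base64_decode|edoced46esab|create_function|gzinflate|str_rot13'

# Step 3: script-like files under wp-content/uploads. Only media belongs
# there, so every hit needs a look.
find_uploads_scripts() {
  local root="$1"
  find "$root/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.php[3-8]' \
       -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.cgi' -o -iname '*.js' \) \
       2>/dev/null | sort
}

# Step 1: PHP files anywhere in the tree that contain a suspicious token,
# printed as path:line:text (the same shape as grep -rn).
grep_suspicious() {
  local root="$1"
  grep -rnE --include='*.php' --include='*.phtml' "$SUSPICIOUS_TOKENS" "$root" 2>/dev/null | sort
}

# Step 4: wp-config.php must begin with <?php and should contain no
# eval/include/require calls other than the stock wp-settings.php line.
check_wp_config() {
  local cfg="$1/wp-config.php"
  [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
  if [ "$(head -c 5 "$cfg")" != "<?php" ]; then
    echo "$cfg: bytes before the opening <?php tag"
  fi
  grep -nE '(eval|create_function|include|require)[[:space:]]*\(' "$cfg" \
    | grep -v 'wp-settings\.php' || true
}

# Fresh timestamps among old files are a classic tell (default: last 7 days).
recent_php() {
  local root="$1" days="${2:-7}"
  find "$root" -type f -name '*.php' -mtime "-$days" 2>/dev/null | sort
}

# Usage: bash triage.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
  echo "== script files in uploads =="; find_uploads_scripts "$1"
  echo "== suspicious tokens =="; grep_suspicious "$1"
  echo "== wp-config.php =="; check_wp_config "$1"
  echo "== PHP files modified in the last 7 days =="; recent_php "$1" 7
fi
```

Read every hit rather than deleting on sight: the token list will also match legitimate plugin code that decodes base64 or inflates data, so a match is a prompt to open the file and compare it with a clean copy, not a verdict.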

Step 5: Inspect .htaccess

Open your .htaccess file and look for suspicious directives like:

  • RedirectMatch or RewriteRule sending visitors to unfamiliar sites
  • Lines starting with php_value to change PHP configuration
  • <Files> or <FilesMatch> blocks allowing public access to wp-*, php*.ini, etc.

You can use the htaccess tester tool to decode complex rules and understand what they really do.

If you're unsure about any rules, it's best to delete the whole .htaccess file. Don't worry – WordPress will automatically recreate a default version when you refresh your permalinks.

Visit Settings → Permalinks and click "Save Changes" to generate a clean .htaccess.

Step 6: Scan Core Files

Finally, check your WordPress core files in wp-admin, wp-includes, and the site root. Focus on PHP files with names similar to normal WordPress files.

Some sneaky backdoor names I've found in the wild:

  Fake Name            Real Name
  wp-edit.php          (none)
  wp-options.php       (none)
  class-smtp.php       class-phpmailer.php
  rss-functions.php    rss-functions.php
  user-metaboxes.php   (none)
  wp-feed.php          (none)

Look inside suspected backdoor files for obfuscated code, base64 strings, or other signs of compromise. Delete any confirmed backdoors!
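A scripted version of the core-file check in Step 6, added here as an example rather than the post's own procedure: instead of eyeballing file names, it compares the live wp-admin/, wp-includes/ and root-level PHP files byte for byte against a clean copy of the same WordPress version downloaded from wordpress.org and unpacked next to it. Disguised extras like the class-smtp.php in the table above show up as EXTRA, tampered core files as CHANGED. The function names are mine; it assumes the live root and the clean copy are passed as the first and second argument.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check the live site's core
# files against a clean, freshly downloaded copy of the same WordPress
# version. $1 is the live root, $2 the unpacked clean release.
set -u

# Print one line per core file that is not in the clean copy ("EXTRA") or
# differs from it ("CHANGED"). wp-content/ is skipped (plugins and themes
# are handled in Step 2) and so is wp-config.php, which a release does not
# ship; everything else under wp-admin/, wp-includes/ and the root-level
# *.php files is expected to match the release exactly.
core_diff() {
  local site="$1" clean="$2" rel
  (
    cd "$site" || exit 1
    find wp-admin wp-includes -type f
    find . -maxdepth 1 -type f -name '*.php' | sed 's#^\./##'
  ) 2>/dev/null | sort | while IFS= read -r rel; do
    [ "$rel" = "wp-config.php" ] && continue
    if [ ! -f "$clean/$rel" ]; then
      echo "EXTRA   $rel"
    elif ! cmp -s "$site/$rel" "$clean/$rel"; then
      echo "CHANGED $rel"
    fi
  done
}

# Succeeds only when nothing was reported, so it can gate a cron job or a
# deploy step.
core_clean() {
  [ -z "$(core_diff "$1" "$2")" ]
}

# Usage: bash core_diff.sh /path/to/live/wordpress /path/to/clean/wordpress
if [ -n "${2:-}" ]; then
  core_diff "$1" "$2"
fi
```

Every EXTRA file in wp-admin/ or wp-includes/ is a finding by definition, since nothing but the release belongs there. A CHANGED file is usually a backdoor appended to a real file, but check the version first: comparing against a different WordPress release will flag every file that changed between versions.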

When in Doubt, Restore From Backup

If at any point you're not sure whether a file is malicious or legitimate, don't be afraid to restore that file (or your entire site) from a trusted backup.

Rolling back to a known-good state before the hack is the single most reliable way to eliminate backdoors and other malware. Just make sure to manually migrate over any critical changes made after the backup, like new posts or comments.

Follow our step-by-step guide to restore WordPress from backup for detailed instructions.

WordPress Security Best Practices to Prevent Future Backdoors

Cleaning up after a WordPress hack is a huge headache. Save yourself the trouble by implementing these basic security best practices:

  1. Keep everything updated: Set WordPress, plugins and themes to auto-update for the latest security patches. Consider a WP maintenance service if you manage multiple sites.

  2. Lock down wp-admin and login: Require strong passwords, limit login attempts, enforce 2FA, and restrict admin access to trusted IPs only. Use a security plugin to automate this.

  3. Harden wp-config.php and .htaccess: Move wp-config.php up a level from web root, disable file editing, and prevent PHP execution in untrusted folders. See our WordPress security checklist for code snippets.

  4. Enable SSL/HTTPS: An SSL certificate encrypts login and admin traffic so hackers can't steal passwords or hijack sessions. Get a free SSL from LetsEncrypt.

  5. Choose secure WP hosting: A good managed WordPress host will protect your site at the server level with strong firewalls, malware scanning, and brute force protection. We recommend SiteGround and WP Engine.

  6. Use a Web Application Firewall: Route your site traffic through a WAF service like Cloudflare or Sucuri to filter out malicious requests, bad bots, and common WP exploits before they reach your server.

  7. Audit user accounts: Delete any inactive or suspicious users, and downgrade privileges from admin to editor/author where possible. Give each user their own login (no sharing!) and enforce logout after X days.

  8. Scan and monitor regularly: Schedule automated core/plugin/theme integrity scans with a security service like Sucuri. Setup uptime and malware monitoring so you get alerted about issues ASAP.
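Best-practice item 3 refers to code snippets that are not on this page. The following is an added example, not the post's own snippet, covering two of those hardening steps: it writes an .htaccess into wp-content/uploads that denies execution of PHP-like files there, and it inserts define('DISALLOW_FILE_EDIT', true) into wp-config.php ahead of the wp-settings.php line, which removes the theme and plugin editor from wp-admin. The function names are mine; it assumes an Apache 2.4 host that honours .htaccess files and a stock wp-config.php that ends with the wp-settings.php require.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): two hardening steps from
# best-practice item 3. Assumes an Apache 2.4 host that honours .htaccess
# and a stock wp-config.php that ends with the wp-settings.php require.
set -u

# Rules written into wp-content/uploads/.htaccess. Apache 2.4 syntax: any
# request for a PHP-like file under uploads is answered with 403, so a
# script that does get uploaded there cannot be run through the web server.
UPLOADS_RULES='# Block PHP execution in the uploads directory (Apache 2.4)
<FilesMatch "\.(php|php[3-8]|phtml|phar)$">
    Require all denied
</FilesMatch>'

# Write the rules unless an .htaccess already exists there. An existing one
# in uploads is itself unusual and deserves a look, not a silent overwrite.
harden_uploads() {
  local uploads="$1" target
  target="$uploads/.htaccess"
  if [ -e "$target" ]; then
    echo "refusing to overwrite existing $target; inspect it first" >&2
    return 1
  fi
  printf '%s\n' "$UPLOADS_RULES" > "$target"
}

# Succeeds when uploads/.htaccess carries the deny rule, fails otherwise.
uploads_hardened() {
  grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Add DISALLOW_FILE_EDIT to wp-config.php. This removes the theme/plugin
# editor from wp-admin, so a compromised admin account can no longer edit
# PHP files from the dashboard. WordPress only honours the constant if it
# is defined before wp-settings.php loads, so it is inserted just above
# that line. Safe to run repeatedly.
disable_file_editing() {
  local cfg="$1" tmp
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  tmp=$(mktemp)
  awk '/wp-settings\.php/ && !done {
         print "define(\047DISALLOW_FILE_EDIT\047, true);"; done = 1
       }
       { print }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage: bash harden.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
  harden_uploads "$1/wp-content/uploads" && echo "uploads: PHP execution blocked"
  disable_file_editing "$1/wp-config.php" && echo "wp-config.php: file editing disabled"
fi
```

After applying the uploads rule, request a harmless test file such as /wp-content/uploads/test.php in a browser and confirm you get a 403 rather than a blank page or PHP output; a host that ignores .htaccess will serve it, and the same rule then has to go into the server configuration instead.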

Wrapping Up

Backdoors are frustrating, but they're a solvable problem once you know where to look. If a hacker manages to sneak a backdoor past you the first time, these tips will help you find and eliminate it for good.

The key is to be thorough: check all the nooks and crannies of your WordPress site, not just the obvious places. When in doubt, save yourself the headache and restore from a pre-hack backup.

Better yet, harden your WordPress security posture with strong passwords, least-privilege user roles, regular updates, WAF filtering, malware scanning, and activity monitoring. A little prevention goes a long way.

Remember, no website is 100% hack-proof – but implementing WordPress security best practices will greatly reduce your risk and make backdoor cleanup much faster if you do get compromised. Stay safe out there!
