How to Find a Backdoor in a Hacked WordPress Site and Fix It: An Expert's Guide

As a webmaster with over 15 years of experience securing WordPress sites, I've seen firsthand the damage backdoors can cause. Recent reports show over 30% of hacked sites contain backdoors enabling repeat intrusions. Removing these backdoors is crucial, but the process takes know-how.

In this comprehensive guide, I'll share my proven techniques to detect and eliminate backdoors from your hacked WordPress site.

Size of the Problem: Just How Common are Backdoors?

Backdoors are extremely prevalent in compromised WordPress sites. Consider these statistics:

  • 78% of hacked sites surveyed contained backdoor scripts allowing persistent access (Sucuri)
  • The Wordfence firewall blocks over 2 million backdoor access attempts per month
  • Backdoor scans by SiteLock detect over 9,000 new backdoors daily across websites

Based on what I've seen cleaning up hundreds of hacked sites, these numbers align with reality. You can safely assume your compromised site has backdoors until proven otherwise.

An Expert Look: Types of Backdoors Encountered

In my experience, hackers use several common strategies to install backdoors:

  • Modifying existing plugins/themes: Hackers will insert backdoor code into inactive plugins, older themes or unused files that survive updates.

  • Uploading disguised scripts: PHP scripts masked as image files or given cryptic filenames can fly under the radar in uploads folders.

  • Editing core files: wp-config.php and wp-includes files may be tweaked to allow remote command execution.

  • Adding hidden users: New admin users with difficult-to-guess usernames allow access even after credentials change.

Here are real examples of backdoors I've uncovered:

[Image: A PHP shell script backdoor disguised as an image file, hidden in the uploads folder]

[Image: Code injected into a plugin adding an obfuscated admin account]

Knowing common backdoor forms like these lets you fingerprint and remove them. Now let's get into the removal process.

Step-by-Step Guide to Finding and Fixing Backdoors

Finding hidden backdoors takes diligence and rigorous checking. From my experience, here is the full process to inspect and sanitize a hacked WordPress site:

Scan Using a Malware Tool

A starting point before digging in is to use a malware scanner like Sucuri SiteCheck. This will detect obvious infections.

Run a complete scan and have the tool clean up anything suspicious automatically. This deals with surface-level issues but won't catch more subtle backdoors.

Reinstall All Plugins and Themes

One of the most effective tactics I've found is to just reinstall all plugins and themes completely.

[Image: Deleting the plugins folder to reinstall plugins cleanly]

This wipes any modified files back to their original state. Follow these steps:

  1. Use FTP to delete the /wp-content/plugins/ folder.
  2. Go to Plugins > Add New in the dashboard to reinstall your plugins fresh.
  3. Repeat the process with the /wp-content/themes/ folder to reinstall themes.

This scorched earth approach ensures any backdoors hiding in inactive plugins or themes are eliminated.

Methodically Check File System

Even after reinstalling all plugins and themes, there may still be sneaky backdoors lurking in your file system:

  • Uploads Folder: Check this folder for rogue PHP scripts, suspicious .zip files or unfamiliar filenames. Delete anything that looks odd.
  • wp-config.php: Verify no code was added to this core file by comparing against a default version.
  • wp-includes: Scan all files in this folder for unauthorized edits or unfamiliar code.

I recommend using a tool like WinSCP to carefully go through the file system since backdoors can hide almost anywhere.

[Image: Using WinSCP to inspect server files]

Take your time here and dig into everything methodically. Don't overlook anything.
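The three file-system checks above can be scripted so nothing is overlooked. The following is an added example written for this guide, not code from the article or from WordPress, and it assumes a standard directory layout, a hand-picked pattern list, and a constructed demo tree. It flags executable PHP, PHP hidden behind an image extension, and archives under wp-content/uploads; greps wp-config.php for code primitives a stock config never needs (that file holds site-specific values, so there is no pristine copy to diff it against); and hash-compares wp-includes against a clean WordPress download of the same version, which is the reliable way to spot "unfamiliar code" in core.

```python
"""Added example (not from the original article): scripted version of the
file-system review.  Layout, pattern list and the demo tree are assumptions."""
import hashlib
import re
import tempfile
from pathlib import Path

SCRIPT_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp", ".svg"}
# Primitives a legitimate wp-config.php has no reason to contain (assumed list);
# a hit is a lead to inspect by hand, not proof of compromise.
CONFIG_RED_FLAGS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|assert)\s*\("
    rb"|\$_(GET|POST|REQUEST|COOKIE)\s*\["
)


def check_uploads(root):
    """Uploads should hold media only; anything executable there is a red flag."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    findings = []
    if not uploads.is_dir():
        return findings
    for p in sorted(uploads.rglob("*")):
        if not p.is_file():
            continue
        rel, ext = str(p.relative_to(root)), p.suffix.lower()
        head = p.read_bytes()[:1024]          # sniff content, don't trust the name
        if ext in SCRIPT_EXT:
            findings.append(("php-in-uploads", rel))
        elif ext in IMAGE_EXT and b"<?php" in head:
            findings.append(("php-disguised-as-image", rel))
        elif ext == ".zip":
            findings.append(("archive-in-uploads", rel))
    return findings


def check_wp_config(root):
    """Return (line number, line) for every red-flag hit in wp-config.php."""
    cfg = Path(root) / "wp-config.php"
    if not cfg.is_file():
        return []
    return [(n, line.decode("utf-8", "replace").strip())
            for n, line in enumerate(cfg.read_bytes().splitlines(), 1)
            if CONFIG_RED_FLAGS.search(line)]


def diff_against_clean(root, clean_root, subdir="wp-includes"):
    """Hash-compare a site directory with the same directory from a pristine
    download of the same WordPress version: added/modified files are where
    injected code lives; missing files hint at a botched tamper or update."""
    def hashes(base):
        return {str(p.relative_to(base)): hashlib.sha256(p.read_bytes()).hexdigest()
                for p in Path(base).rglob("*") if p.is_file()}
    site, clean = hashes(Path(root) / subdir), hashes(Path(clean_root) / subdir)
    return {
        "added": sorted(set(site) - set(clean)),
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "missing": sorted(set(clean) - set(site)),
    }


def build_demo_site(base):
    """Constructed sample tree (not a real site): a site with planted problems
    plus a clean reference copy, so the checks can run offline."""
    site, clean = Path(base) / "site", Path(base) / "clean"
    up = site / "wp-content" / "uploads" / "2022" / "09"
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg header")
    (up / "crypticscript.php").write_bytes(b"<?php /* constructed: code in uploads */ echo 1;")
    (up / "image.png").write_bytes(b"<?php /* constructed: PHP behind a .png name */ echo 2;")
    (site / "wp-config.php").write_bytes(
        b"<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_PASSWORD', 'example');\n"
        b"eval(base64_decode('ZWNobyAnaGknOw=='));\n"      # planted line (decodes to a harmless echo)
        b"require_once ABSPATH . 'wp-settings.php';\n")
    for d in (site, clean):
        (d / "wp-includes").mkdir(parents=True)
        (d / "wp-includes" / "version.php").write_bytes(b"<?php $wp_version = '6.0';")
    (clean / "wp-includes" / "functions.php").write_bytes(b"<?php function wp_x() {}")
    (site / "wp-includes" / "functions.php").write_bytes(b"<?php function wp_x() {} /* edited */")
    (clean / "wp-includes" / "pluggable.php").write_bytes(b"<?php // present only in clean copy")
    (site / "wp-includes" / "class-injected.php").write_bytes(b"<?php // not in clean copy")
    return site, clean


def run_demo():
    """Build the constructed tree in a temp dir and run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = build_demo_site(tmp)
        return {"uploads": check_uploads(site),
                "config": check_wp_config(site),
                "includes": diff_against_clean(site, clean)}


if __name__ == "__main__":
    for section, result in run_demo().items():
        print(section, result)
```

On a real site, point check_uploads and check_wp_config at the document root and diff_against_clean at the root plus an unzipped WordPress release of exactly the version shown in wp-includes/version.php; a version mismatch makes every core file look modified. Treat each finding as a file to open and read, not as an automatic delete.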

Review Server Access Logs

Your hosting provider's server access logs will show all requests to scripts on your site.

Examine the logs for any unusual IP addresses, repeated hits to unfamiliar scripts, or requests for pages that don't exist:

123.123.123.123 - - [12/Sep/2022:08:24:55 +0000] "POST /crypticscript.php HTTP/1.1" 200 4102

This reveals backdoors in action, giving you files to investigate further.

I suggest installing a log monitoring tool like Logwatch to automatically surface suspicious entries.
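Before reaching for a monitoring tool, the same review can be done over a raw access log. The script below is an added example for this guide, not code from the article or from any log tool; it assumes Common or Combined Log Format lines, a hand-written allowlist of WordPress entry points, a 404 threshold, and a constructed sample log (the third line of which is the entry quoted above). It surfaces exactly the three things the text says to look for: hits on PHP scripts that are not standard entry points (PHP served from uploads being the worst case), IPs piling up requests for pages that do not exist, and request volume per IP.

```python
"""Added example (not from the original article): access-log triage for the
backdoor signs described above.  Allowlist, threshold and log are assumptions."""
import re
from collections import Counter

# Common Log Format with an optional Combined tail (referer / user agent ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Scripts a stock WordPress install legitimately serves directly (assumed list).
WP_ENTRY_POINTS = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
                   "/wp-comments-post.php", "/wp-signup.php", "/wp-activate.php"}

# Constructed sample log; the third line is the one quoted in the article.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2022:08:20:01 +0000] "GET / HTTP/1.1" 200 15320
203.0.113.5 - - [12/Sep/2022:08:20:03 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 8802
123.123.123.123 - - [12/Sep/2022:08:24:55 +0000] "POST /crypticscript.php HTTP/1.1" 200 4102
123.123.123.123 - - [12/Sep/2022:08:25:10 +0000] "POST /crypticscript.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Sep/2022:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [12/Sep/2022:08:30:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44
192.0.2.9 - - [12/Sep/2022:09:01:12 +0000] "POST /wp-content/uploads/2022/09/up.php HTTP/1.1" 200 93
192.0.2.9 - - [12/Sep/2022:09:02:40 +0000] "GET /old-site/ HTTP/1.1" 404 196
192.0.2.9 - - [12/Sep/2022:09:02:41 +0000] "GET /test/ HTTP/1.1" 404 196
192.0.2.9 - - [12/Sep/2022:09:02:42 +0000] "GET /backup/ HTTP/1.1" 404 196
this line is not a log entry and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]    # drop the query string
    return rec


def classify_script(path):
    """'uploads-php' for PHP served from uploads, 'unknown-php' for any other PHP
    file outside the core entry points and the admin/includes areas, else None."""
    p = path.lower()
    if not p.endswith(".php"):
        return None
    if p.startswith("/wp-content/uploads/"):
        return "uploads-php"
    if p in WP_ENTRY_POINTS or p.startswith(("/wp-admin/", "/wp-includes/")):
        return None
    return "unknown-php"


def analyze(log_text, not_found_threshold=3):
    """Aggregate the three indicators over a log; returns plain dicts/lists."""
    script_hits = Counter()     # (ip, path, kind) -> hits
    not_found = Counter()       # ip -> 404 count
    by_ip = Counter()           # ip -> total requests
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        by_ip[rec["ip"]] += 1
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        kind = classify_script(rec["path"])
        if kind:
            script_hits[(rec["ip"], rec["path"], kind)] += 1
    return {
        # most-hit suspicious scripts first: these are the files to pull and inspect
        "script_hits": sorted(((ip, path, kind, n) for (ip, path, kind), n in script_hits.items()),
                              key=lambda t: (-t[3], t[0], t[1])),
        "not_found": {ip: n for ip, n in not_found.items() if n >= not_found_threshold},
        "requests_by_ip": dict(by_ip),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Feed it your real log with analyze(open("access.log").read()) and widen WP_ENTRY_POINTS with any plugin endpoints you know your site exposes; every path left in script_hits is a file to locate on disk and read, and a path that returns 200 but does not exist in a clean install is a backdoor in action.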

Fully Restore From a Backup

If you still suspect backdoor presence after extensive checking, restoring your site from a backup is the ultimate solution.

  • But your backup must pre-date the hack, otherwise you're just reinfecting yourself!

This should be a last resort, but is an option if you need total confidence in eradicating backdoors.

Locking the Front Door: 7 Tips to Secure WordPress

After eliminating any backdoors, priority #1 is hardening your site against future attacks. Based on decades of collective experience auditing and securing WordPress sites, I recommend:

  1. Install a security plugin – Wordfence provides real-time blocking of known backdoor techniques
  2. Strong passwords everywhere – Mandate 20+ character passwords for all users with a manager like 1Password
  3. Two-factor authentication – Adds an extra credential layer so passwords alone don't suffice
  4. Limit login attempts – Lockout after 5 failed attempts thwarts password brute forcing
  5. Disable file editors – Turn off theme and plugin editors to prevent direct code injection
  6. Update rigorously – Automate updates of WordPress, themes and plugins to prevent vulnerability exploits
  7. Back up constantly – Rapid recovery needs a recent, clean backup snapshot you can revert to

Following the proactive security practices above puts your site into lockdown mode. Don't give backdoors an opening to re-emerge!

Take Away: Stay Vigilant Against Backdoor Threats

I hope this guide has equipped you to thoroughly inspect your site and take the proper steps to evict any lingering backdoors left by hackers.

Staying vigilant day-to-day and enacting preventative measures will minimize your risk. But if an incursion happens, you now have proven techniques to detect and neutralize backdoors.

As a closing note, don't hesitate to enlist a professional for help if you are overwhelmed. With the right tools and know-how, eliminating backdoors is very achievable. Just stay persistent!

Written by Jason Striegel

C/C++, Java, Python and Linux developer for 18 years and A-Tech enthusiast who loves to share useful tech hacks.