Time and time again, we have helped users fix their hacked WordPress sites. Most of the time when they reach out to us, they have already cleaned up the site, and the hacker was able to get back in. This happens if you did not clean it up properly, or you did not know what you were looking for. In most cases that we found, there was a backdoor created by the hacker which allowed them to bypass normal authentication. In this article, we will show you how to find a backdoor in a hacked WordPress site and fix it.
What is a Backdoor?
Backdoor is referred to a method of bypassing normal authentication and gaining the ability to remotely access the server while remaining undetected. Most smart hackers always upload the backdoor as the first thing. This allows them to regain access even after you find and remove the exploited plugin. Backdoors often survive the upgrades, so your site is vulnerable until you clean this mess up.
Some backdoors simply allow users to create hidden admin username. Whereas the more complex backdoors can allow the hacker to execute any PHP code sent from the browser. Others have a full fledged UI that allows them to send emails as your server, execute SQL queries, and everything else they want to do.
Where is this Code Hidden?
Backdoors on a WordPress install are most commonly stored in the following locations:
- Themes – Most likely it is not in the current theme that you are using. Hackers want the code to survive core updates. So if you have the old Kubrick theme sitting in your themes directory, or another inactive theme, then the codes will probably be in there. This is why we recommend deleting all the inactive themes.
- Plugins – Plugins are a great place for the hacker to hide the code for three reasons. One because people don’t really look at them. Two because people don’t like to upgrade their plugins, so they survive the upgrades (folks keep them up to date). Three, there are some poorly coded plugins which probably have their own vulnerabilities to begin with.
- Uploads Directory – As a blogger, you never ever check your uploads directory. Why would you? You just upload the image, and use it in your post. You probably have thousands of images in the uploads folder divided by year and month. It is very easy for the hacker to upload a backdoor in the uploads folder because it will hide among thousands of media files. Plus you don’t check it regularly. Most folks don’t have a monitoring plugin like Sucuri. Lastly, the uploads directory is writable, so it can work the way it is supposed to. This makes it a great target. A lot of backdoors we find are in there.
- wp-config.php – This is also one of the highly targeted files by the hackers. It is also one of the first places most folks are told to look.
- Includes Folder – /wp-includes/ folder is another place that we find backdoors. Some hackers will always leave more than one backdoor file. Once they upload one, they will add another backup to ensure their access. Includes folder is another one where most people don’t bother looking.
In all the cases we found, the backdoor was disguised to look like a WordPress file.
For example: in one site we cleaned up, the backdoor was in wp-includes folder, and it was called wp-user.php (this doesn’t exist in the normal install). There is user.php, but no wp-user.php in the /wp-includes/ folder. In another instance, we found a php file named hello.php in the uploads folder. It was disguised as the Hello Dolly plugin. But why the heck is in the uploads folder? D’oh.
It can also use names like wp-content.old.tmp, data.php, php5.php, or something of that sort. It doesn’t have to end with PHP just because it has PHP code in it. It can also be a .zip file. In most cases, these files are encoded with base64 code that usually perform all sort operations (i.e add spam links, add additional pages, redirect the main site to spammy pages, etc).
Now you are probably thinking that WordPress is insecure because it allows for backdoors. You are DEAD WRONG. The current version of WordPress has no known vulnerabilities. Backdoors are not the first step of the hack. It is usually the second step. Often hackers find an exploit in a third-party plugin or script which then gives them access to upload the backdoor. Hint: the TimThumb hack. It can be all sort of things though. For example, a poorly coded plugin can allow user privilege escalation. If your site had open registrations, the hacker can just register for free. Exploit the one feature to gain more privileges (which then allows them to upload the files). In other cases, it could very well be that your credentials were compromised. It could also be that you were using a bad hosting provider. See our recommended list of web hosting.
How to Find and Clean the Backdoor?
Now that you know what a backdoor is, and where it can be found. You need to start looking for it. Cleaning it up is as easy as deleting the file or code. However, the difficult part is finding it. You can start with one of the following malware scanner WordPress plugins. Out of those, we recommend Sucuri (yes it is paid).
You can also use the Exploit Scanner, but remember that base64 and eval codes are also used in plugins. So sometimes it will return a lot of false positives. If you are not the developer of the plugins, then it is really hard for you to know which code is out of its place in the thousands of lines of code. The best thing you can do is delete your plugins directory, and reinstall your plugins from scratch. Yup, this is the only way you can be sure unless you have a lot of time to spend.
Search the Uploads Directory
One of the scanner plugins will find a rogue file in the uploads folder. But if you are familiar with SSH, then you just need to write the following command:
find uploads -name “*.php” -print
There is no good reason for a .php file to be in your uploads folder. The folder is designed for media files in most cases. If there is a .php file that is in there, it needs to go.
Delete Inactive Themes
As we mentioned above, often the inactive themes are targeted. The best thing to do is delete them (yup this includes the default and classic theme). But wait, I didn’t check to see if the backdoor was in there. If it was, then it is gone now. You just saved your time from looking, and you eliminated an extra point of attack.
Sometimes the redirect codes are being added there. Just delete the file, and it will recreate itself. If it doesn’t, go to your WordPress admin panel. Settings » Permalinks. Click the save button there. It will recreate the .htaccess file.
Compare this file with the default wp-config-sample.php file. If you see something that is out of place, then get rid of it.
Database Scan for Exploits and SPAM
A smart hacker will never have just one safe spot. They create numerous ones. Targeting a database full of data is a very easy trick. They can store their bad PHP functions, new administrative accounts, SPAM links, etc in the database. Yup, sometimes you won’t see the admin user in your user’s page. You will see that there are 3 users, and you can only see 2. Chances are you are hacked.
If you don’t know what you are doing with SQL, then you probably want to let one of these scanners do the work for you. Exploit Scanner plugin or Sucuri (paid version) both takes care of that.
Think you have cleaned it? Think again!
Alright so the hack is gone. Phew. Hold on, don’t just relax yet. Open your browser in an incognito mode to see if the hack comes back. Sometimes, these hackers are smart. They will not show the hack to logged in users. Only logged out users see it. Or better yet, try to change your browser’s useragent as Google. Sometimes, the hackers only want to target the search engines. If all looks great, then you are good to go.
Just FYI: if you want to be 100% sure that there is no hack, then delete your site. And restore it to the point where you know that the hack wasn’t there. This may not be an option for everyone, so you have to live on the edge.
How to Prevent Hacks in the Future?
Our #1 advice would be to keep strong backups (VaultPress or BackupBuddy) and start using a monitoring service. Like we said earlier, you cannot possibly monitor everything that goes on your site when you are doing tons of other things. This is why we use Sucuri. It might sound like that we are promoting them. But we are NOT. Yes, we do get an affiliate commission from everyone who sign up for Sucuri, but that is not the reason why we are recommending it. We only recommend products that we use and are quality. Major publications like CNN, USAToday, PC World, TechCrunch, TheNextWeb, and others are also recommending these guys. It is because they are good at what they do.
Few other things you can do:
Use Strong Passwords – Force strong passwords on your users. Start using a password managing utility like 1Password.
2-Step Authentication – If your password got compromised, the user would still need to have the verification code from your phone.
Limit Login Attempts – This plugin allows you to lock the user out after X numbers of failed login attempts.
Disable Theme and Plugin Editors – This prevents user escalation issues. Even if the user’s privileges were escalated, they couldn’t modify your theme or plugins using the WP-Admin.
Password Protect WP-Admin – You can password protect the entire directory. You can also limit access by IP.
Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the upload directories and other directories of your choice. Basically so even if someone was able to upload the file in your uploads folder, they wouldn’t be able to execute it.
Stay UPDATED – Run the latest version of WordPress, and upgrade your plugins