Hackers are constantly looking for ways to leave a backdoor on your WordPress website. They embed malicious code in a file to gain unauthorized, persistent access to your system. This breach opens the door for corrupted plugins to be added to your system.
These backdoors can stay on your hacked website for a long time without you knowing. The only way to protect your hacked website is to find the backdoor and fix it.
In this post, we’ll discuss how to find WordPress backdoors and eliminate them to protect your site.
Let’s first look at how you will know that your site has been attacked.
What are the early signs of a malware attack?
So, how will you identify that your site is under attack? Some signs indicate that your site has been hacked.
Look out for:
- A sudden drop in traffic
- Unknown links and files
- Changed home page
- Unable to log in to your site
- Suspicious new user account
Hackers hide backdoor files in different parts of the website, such as themes, plugins, uploads, wp-config.php and wp-includes. The challenging part is finding the backdoor. Once the files are found, cleaning up is easy: simply delete them.
Now let’s check how to find them.
How to find a backdoor in an attacked or hacked WordPress site?
There are some techniques that will help you locate backdoors on your website. Follow these steps to save your WordPress site:
1. Perform a deep scan of your site
Among the highly recommended scanners, Sucuri stands out as a trusted solution known for delivering satisfactory results. It helps in the prompt identification of security breaches. Additionally, there are other notable tools available, such as Quttera, which offers free malware scanning for various platforms including WordPress, Joomla, and Drupal.
Astra Security offers comprehensive scanning and helps to identify malicious links, malware, and blacklistings on your hacked WordPress website.
Wordfence, iThemes, Malcare, and WPScan are some other popular tools that can help to scan your website.
2. Delete your WordPress plugin directory
However, hackers often employ smart tactics to make it challenging to identify backdoors using this method.
As a more effective approach, it is recommended to delete the entire plugins directory and reinstall all plugins from scratch.
This helps ensure that any potential backdoors are eliminated and gives you greater peace of mind that the malware has been removed from your site.
3. Delete your theme folder
To make things easier, instead of looking for a hidden backdoor in your theme files, it’s better to delete them altogether.
By doing this, you save time and remove a possible way for hackers to get into your website. After deleting the theme files, you can simply reinstall the themes you want to use again.
4. Look in the Uploads folder for PHP files
The next step in fixing the backdoor on your site is to check for PHP files within the WordPress uploads folder. The Uploads folder is designed to store media files such as images and videos. So, if you find any PHP file there, it can be a sign of a backdoor.
Find the Uploads folder inside the wp-content folder. In it, you’ll find subfolders organized by the date you uploaded the files. You will need to explore each folder for PHP files.
If you find any PHP files, delete them immediately, as they should not be present in the uploads folder.
Note: Be extra cautious while using SSH commands, especially if you are not familiar with them. It’s always a great idea to have a backup of your WordPress site before making any changes.
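The check from step 4 as a read-only shell script; this is an added example, not part of the original article. It goes slightly beyond the text by also matching other extensions a server may be configured to hand to PHP (.phtml, .phar, .php5 and similar) and files that contain a PHP open tag behind a media extension. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Read-only: it prints paths
# for review and deletes nothing.

# Print, sorted, every file under DIR that PHP could run: files with a PHP
# extension, plus files that contain a PHP open tag behind another extension.
find_php_in_uploads() {
    dir=$1
    {
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \)
        find "$dir" -type f -exec grep -l -i -F '<?php' {} +
    } | sort -u
}

# Build a small constructed uploads tree (sample data, not from a real site).
make_sample_uploads() {
    root=$(mktemp -d)
    mkdir -p "$root/2023/11" "$root/2024/05"
    printf 'JFIF sample image bytes\n' > "$root/2024/05/photo.jpg"
    printf '<?php echo "sample"; ?>\n' > "$root/2024/05/cache.php"
    printf '<?php echo "sample"; ?>\n' > "$root/2023/11/thumb.PHTML"
    printf 'GIF89a <?php echo "sample"; ?>\n' > "$root/2023/11/logo.gif"
    printf '%s\n' "$root"
}

# Usage: sh scan_uploads.sh /path/to/wp-content/uploads
# With no argument, the script scans the constructed sample tree instead.
if [ $# -gt 0 ]; then
    find_php_in_uploads "$1"
else
    sample=$(make_sample_uploads)
    find_php_in_uploads "$sample"
    rm -rf "$sample"
fi
```

Review each reported path before deleting it, and run the scan again after cleanup to confirm the folder is clear.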
5. Eliminate the .htaccess file
Sometimes, hackers place redirect code in your .htaccess file to send your visitors to different websites. To fix this, you can delete the .htaccess file from your website’s root directory. Don’t worry, it will be recreated automatically. If it isn’t, go to your WordPress admin panel, open Settings >> Permalinks, and click the “Save Changes” button to generate a new .htaccess file.
6. Check your core wp-config file
The wp-config.php file is an essential WordPress file that lets WordPress establish a connection to the database. It also contains security keys that enhance the security of your WordPress installation.
The wp-config.php file is located in the root folder of your website. You can view its contents using the Open or Edit options in your FTP client.
Make sure to check if there is anything strange in the file. You can compare it with another file called wp-config-sample.php. If you find anything that doesn’t belong, you should delete it.
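One way to do the comparison from step 6, as an added example that is not part of the original article. It masks the values of plain define() lines and $table_prefix, so differences in credentials and keys are ignored, then prints every remaining line of wp-config.php that has no counterpart in wp-config-sample.php. The function names and both sample files are constructed and shortened for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): read-only comparison of
# wp-config.php against wp-config-sample.php.

# sed rules: trim trailing whitespace/CR, then mask the values of simple
# define() lines and of $table_prefix so only structure is compared. A line
# with anything after the closing ");" stays unmasked and is reported.
RULES=$(cat <<'EOF'
s/[[:space:]]+$//
s/^define\([[:space:]]*'([A-Za-z0-9_]+)'[[:space:]]*,[[:space:]]*('[^']*'|"[^"]*"|[A-Za-z0-9_]+)[[:space:]]*\);$/define( '\1', VALUE );/
s/^\$table_prefix[[:space:]]*=[[:space:]]*'[A-Za-z0-9_]*';$/$table_prefix = VALUE;/
EOF
)

# Print "LINENO:text" for each non-blank line of CONFIG absent from SAMPLE.
config_lines_not_in_sample() {
    config=$1 sample=$2 known=$(mktemp)
    sed -E "$RULES" "$sample" | grep -v '^$' > "$known"
    sed -E "$RULES" "$config" | grep -n -v -x -F -f "$known" |
        grep -v -E '^[0-9]+:$' || true
    rm -f "$known"
}

# Constructed, shortened sample files (not a real site's configuration).
make_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/wp-config-sample.php" <<'EOF'
<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_PASSWORD', 'password_here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
require_once ABSPATH . 'wp-settings.php';
EOF
    cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'shop' );
define( 'DB_PASSWORD', 'constructed-example' );
include 'placeholder-unexpected-file.php';
$table_prefix = 'wp_';
define( 'WP_DEBUG', false ); include 'placeholder-second-file.php';
require_once ABSPATH . 'wp-settings.php';
EOF
    printf '%s\n' "$d"
}

d=$(make_sample_configs)
config_lines_not_in_sample "$d/wp-config.php" "$d/wp-config-sample.php"
rm -rf "$d"
```

Settings you added yourself will also be listed, so treat the output as a list of lines to review, not a list of lines to delete.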
7. Restore a website backup
If you are still concerned about the WordPress backdoor, then restoring a website backup will be helpful.
By deleting your existing website and then restoring a backup taken before the hacking incident, you can regain complete confidence in the security of your site.
It’s important to note that this approach may not be viable for everyone, as it requires access to reliable backups and the ability to perform the restoration process effectively.
Nonetheless, this method ensures complete protection of your website and provides reassurance regarding its safety.