WordPress backdoor

How to Find a Backdoor in a Hacked WordPress Site and Remove it?

Has your WordPress site been attacked or hacked? Looking for ways to recover from it?

Hackers are constantly seeking ways to leave a backdoor on your WordPress website. They embed malicious code in a file to get unauthorized and persistent access to your system. This breach opens the door for corrupted plugins to be added to your system.

These backdoors can stay on your hacked website for a long time without you knowing. The only way to protect your hacked website is to find the backdoor and fix it.

In this post, we’ll discuss the way to find WordPress backdoors and eliminate them to protect your site.

Let’s first check how you will know that your site has been attacked.

What are the early signs of a malware attack?

For a WordPress site owner, it is important to pay special attention to site security because WordPress sites are hacked on average 44 times per day.

So, how will you identify that your site is under attack? There are some signs that indicate that your site has been hacked.

If you notice:

  • A sudden drop in traffic
  • Unknown links and files
  • Changed home page
  • Unable to log in to your site
  • Suspicious new user account
These signs are a clear indication of a hacked website.

Hackers hide backdoor files in different parts of the website, such as themes, plugins, uploads, wp-config.php and wp-includes. The challenging part is finding the backdoors. Once they are found, cleaning up is easy: simply delete them.

Now let’s check how to find them.

How to find a backdoor in an attacked or hacked WordPress site?

There are some techniques that will help you locate backdoors on your website. Follow these steps to save your WordPress site:

1. Perform a deep scan of your site

When it comes to scanning for malicious code and detecting potential backdoors in your WordPress website, utilizing reliable and effective malware scanning tools is crucial. 

Among the highly recommended scanners, Sucuri stands out as a trusted solution known for delivering satisfactory results. It helps in the prompt identification of security breaches. Additionally, there are other notable tools available, such as Quttera, which offers free malware scanning for various platforms including WordPress, Joomla, and Drupal. 

Astra Security offers comprehensive scanning and helps to identify malicious links, malware, and blacklistings on your hacked WordPress website. 

Wordfence, iThemes, Malcare, and WPScan are some other popular tools that can help to scan your website.

2. Delete your WordPress plugin directory

One common way people look for backdoors in their WordPress websites is to search through their plugin folders for suspicious files.

However, hackers often employ smart tactics to make it challenging to identify backdoors using this method. 

As a more effective approach, it is recommended to delete the entire plugins directory and reinstall all plugins from scratch. 

This helps ensure that any potential backdoors are eliminated and provides greater peace of mind regarding the malware removal from your site.

3. Delete your theme folder

To make things easier, instead of looking for a hidden backdoor in your theme files, it’s better to delete them altogether. 

By doing this, you save time and remove a possible way for hackers to get into your website. After deleting the theme files, you can simply reinstall the themes you want to use again.

4. Look in the Uploads folder for PHP files

The next step to fix the backdoor in your site is to check for PHP files within the uploads folder in WordPress. The Uploads folder is designed to store media files like images, videos, etc. So, if you find any PHP file there, it can be a sign of a backdoor.

Find the Uploads folder inside the wp-content folder. In this folder, you’ll find different folders organized by the date you uploaded the files. You will need to explore each folder for PHP files.

If any PHP files are seen, delete them immediately as they should not be present in the uploads folder.

Note: Be extra cautious while using SSH commands, especially if you are not familiar with them. It’s always a great idea to have a backup of your WordPress site before making any changes.
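
One way to run this check over SSH, as an added example that is not part of the original post: the script lists files under the uploads folder with PHP-like extensions and, going a step beyond the text, files of any name that contain a PHP opening tag. The function names and the sample tree are constructed for illustration; the script only prints paths and deletes nothing.

```shell
#!/usr/bin/env bash
# Added example: list files under an uploads directory that could run as PHP.
# Read-only: prints paths for review, deletes nothing.
# Usage: ./scan-uploads.sh /path/to/wp-content/uploads   (no argument = sample tree)

# Files whose extension is commonly mapped to PHP, in any letter case,
# including double extensions such as "name.php.jpg".
find_php_by_name() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
    -o -iname '*.phar' -o -iname '*.php.*' \) -print | sort
}

# Files of any name that contain a PHP opening tag, for example code
# appended to an otherwise valid image. -a makes grep read binary files as text.
find_php_by_content() {
  grep -rlaE '<\?(php|=)' "$1" 2>/dev/null | sort
}

# Constructed sample tree so the example runs offline.
make_sample_uploads() {
  d=$(mktemp -d)
  mkdir -p "$d/2023/05" "$d/2023/06"
  printf 'GIF89a constructed image bytes' > "$d/2023/05/logo.gif"
  printf '<?php echo "constructed sample"; ?>' > "$d/2023/05/cache.PHP"
  printf 'GIF89a<?php echo "constructed sample"; ?>' > "$d/2023/06/banner.gif"
  printf '%s\n' "$d"
}

uploads="${1:-}"
sample=0
if [ -z "$uploads" ]; then uploads=$(make_sample_uploads); sample=1; fi
echo "== PHP-like file names =="
find_php_by_name "$uploads"
echo "== Files containing a PHP tag =="
find_php_by_content "$uploads"
if [ "$sample" = 1 ]; then rm -rf "$uploads"; fi
```

Review each reported path before deleting it, and keep a copy of anything you remove so it can be examined later.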

5. Eliminate the .htaccess file

Sometimes, hackers can use redirect code in your .htaccess file to redirect your visitors to different websites. To fix this, you can delete the .htaccess file from your website’s root directory. Don’t worry, it will be created again automatically. If it isn’t, go to your WordPress admin panel and click Settings >> Permalinks. Now click the “Save Changes” button to generate a new .htaccess file.

6. Check your core wp-config file

The wp-config.php file is an essential WordPress file that lets WordPress connect to its database. This file also contains security keys that enhance the security of your WordPress installation.

Located in the root folder of your website, the wp-config.php file can be accessed and its contents viewed by utilizing the Open or Edit options provided in your FTP client. 

Make sure to check if there is anything strange in the file. You can compare it with another file called wp-config-sample.php. If you find anything that doesn’t belong, you should delete it.
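
The comparison with wp-config-sample.php can be scripted so that expected differences (database credentials, keys) do not drown out the lines that matter. The following is an added example, not part of the original post; the function names and both sample files are constructed for illustration.

```shell
# Added example: list statements in wp-config.php that have no counterpart in
# wp-config-sample.php. Values that normally differ (passwords, keys) are ignored.

# Reduce a config file to statement "shapes": drop comment and blank lines,
# collapse define('NAME', value) to "define NAME", drop the $table_prefix value.
config_shape() {
  sed -E \
    -e 's/^[[:space:]]+//; s/[[:space:]]+$//' \
    -e '/^$/d; /^(\/\/|\/\*|\*|#)/d' \
    -e 's/^define\([[:space:]]*.([A-Za-z0-9_]+).[[:space:]]*,.*/define \1/' \
    -e 's/^(\$table_prefix)[[:space:]]*=.*/\1/' "$1" | sort -u
}

# $1 = live wp-config.php, $2 = wp-config-sample.php from the same WordPress version.
extra_statements() {
  base=$(mktemp)
  config_shape "$2" > "$base"
  config_shape "$1" | grep -vxFf "$base" || true
  rm -f "$base"
}

# Constructed, shortened stand-ins for both files so the example runs offline.
make_sample_configs() {
  dir=$(mktemp -d)
  cat > "$dir/wp-config-sample.php" <<'EOF'
<?php
/** Constructed stand-in for the stock sample file. */
define( 'DB_NAME', 'database_name_here' );
define( 'DB_PASSWORD', 'password_here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
require_once ABSPATH . 'wp-settings.php';
EOF
  cat > "$dir/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'shop' );
define( 'DB_PASSWORD', 'constructed-value' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
define( 'WP_CACHE', true );
require_once 'wp-content/uploads/2023/05/cache.php';
require_once ABSPATH . 'wp-settings.php';
EOF
  printf '%s\n' "$dir"
}
dir=$(make_sample_configs)
extra_statements "$dir/wp-config.php" "$dir/wp-config-sample.php"
rm -rf "$dir"
```

Not every reported line is malicious: settings added by plugins, such as the WP_CACHE line in the sample, also show up and need a manual decision. The check works line by line and skips lines that start with a comment marker, so it complements reading the file rather than replacing it.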

7. Restore a website backup

If you are still concerned about the WordPress backdoor, then restoring a website backup will be helpful. 

By deleting your existing website and then restoring a backup taken before the hacking incident, you can regain complete confidence in the security of your site. 

It’s important to note that this approach may not be viable for everyone, as it requires access to reliable backups and the ability to perform the restoration process effectively. 

Nonetheless, this method ensures complete protection of your website and provides reassurance regarding its safety.

Final Thoughts

Backdoors provide unauthorized access to your website that allows hackers to manipulate, steal data, or even take control of your entire WordPress site. In this article, we have guided you through the process of finding and eliminating potential backdoors. If you suspect that your website has been attacked, follow these steps to detect the backdoors and delete them. Moreover, if you find any difficulty during the process, don’t hesitate to get in touch with us. We are just a call away!
