From time to time, we have helped users fix their hacked WordPress websites. Most of the time, when users reach out to us, they have already cleaned up the site, but the hackers were able to get back in. This happens when you didn't clean up the site properly or did not know what you were looking for. In most cases, we found a backdoor created by the hackers that allowed them to bypass normal authentication. In this post, we will show you how to find a backdoor in a hacked WordPress website and how to fix it quickly.
What do you know about a Backdoor?
A backdoor is a method of bypassing normal authentication and gaining the ability to remotely access the server while remaining undetected. Most smart hackers upload a backdoor as the first thing they do. This allows them to regain access even after you find and remove the exploited plugin. Backdoors often survive upgrades, so your website remains vulnerable until you clean up the mess completely. Some backdoors simply allow users to create a hidden admin username. More complicated backdoors allow the hackers to execute any PHP code sent from the web browser. Others have a full-fledged user interface that allows them to execute SQL queries, send emails as your server, and do anything else they want.
Where Is the Code Hidden in a WordPress Site?
Backdoors in hacked WordPress installs are most commonly stored in the following locations:
Themes: The backdoor is most likely not in the theme you are currently using. The hackers want the code to survive core updates. So, if you have the old Kubrick theme or other inactive themes sitting in your themes directory, the code will probably be in there. That is why we strongly recommend removing all inactive themes.
Plugins: Plugins are a great place for hackers to hide code for three reasons. First, users do not really look at them. Second, people usually don't like to upgrade their plugins, so the backdoor survives upgrades. Third, some poorly coded plugins probably have their own vulnerabilities to begin with.
Upload Directories: As a blogger, you never check your uploads directory. You just upload an image and use it in your post. You probably have lots of photos in the uploads folder. It is very easy for hackers to upload a backdoor to the uploads folder, where it hides well among plenty of media files. The uploads directory is writable so that it can work the way it is supposed to. We find a number of backdoors in there.
wp-config.php: This is also one of the files most highly targeted by hackers. It is also one of the first places most folks are told to look.
Includes Folder: The includes folder is another place where we find backdoors. Some hackers always leave more than one backdoor file. Once they have uploaded one, they add another as a backup to ensure their access. It is another place where most people do not bother looking.
More Information: http://ottopress.com/2009/hacked-wordpress-backdoors
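The locations listed above can be checked mechanically. The following Python scanner is an added example, not code from the original post: it flags PHP files in the uploads directory, theme directories other than the active one, and PHP files in themes, plugins, wp-includes and wp-config.php that match a heuristic pattern. The function name scan_wordpress, the active_theme parameter, the reason labels and the pattern itself are assumptions of this example.

```python
import os
import re
import sys

# Heuristic (an assumption, not from the article): PHP that evaluates
# request-supplied or encoded data is typical of code-execution backdoors.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec)\s*\(.{0,80}?"
    rb"(\$_(POST|GET|REQUEST|COOKIE)|base64_decode|gzinflate)", re.I | re.S)
PHP_EXT = (".php", ".phtml", ".php5", ".phar")
# Code locations the article lists, relative to the WordPress root.
CODE_DIRS = ("wp-content/themes", "wp-content/plugins", "wp-includes")


def _walk(base):
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            yield os.path.join(dirpath, name)


def scan_wordpress(root, active_theme):
    """Return sorted (relative_path, reason) findings for manual review."""
    findings = set()
    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")
    # 1. Uploads should hold media only, so any PHP file there is flagged.
    for path in _walk(os.path.join(root, "wp-content/uploads")):
        if path.lower().endswith(PHP_EXT):
            findings.add((rel(path), "php-in-uploads"))
    # 2. Inactive themes: the article recommends eliminating all of them.
    themes = os.path.join(root, "wp-content/themes")
    for name in os.listdir(themes) if os.path.isdir(themes) else []:
        if name != active_theme and os.path.isdir(os.path.join(themes, name)):
            findings.add((rel(os.path.join(themes, name)), "inactive-theme"))
    # 3. PHP in themes, plugins, wp-includes, plus wp-config.php itself.
    targets = [os.path.join(root, "wp-config.php")]
    for code_dir in CODE_DIRS:
        targets.extend(_walk(os.path.join(root, code_dir)))
    for path in targets:
        if path.lower().endswith(PHP_EXT) and os.path.isfile(path):
            with open(path, "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    findings.add((rel(path), "suspicious-code"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in scan_wordpress(sys.argv[1], sys.argv[2]):
        print(f"{reason:16} {path}")
```

Findings are leads for manual review, and a clean result does not show that the site has no backdoor, since a pattern match misses code written to avoid these function names.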
How to Find and Remove the Backdoor in a Hacked WordPress Website?
In all the cases we found, the backdoor was disguised to look like a normal WordPress file. If you are thinking that WordPress is insecure because it allows backdoors, you are dead wrong. Now that you know what a backdoor is and where it can be found, you need to start looking for it and cleaning it up. Removing a backdoor is as easy as deleting the code or file. The difficult part is finding it. We strongly recommend that users visit http://www.cleaningpcvirus.com for detection and removal of backdoors from a hacked WordPress website.