If you’re a WordPress site owner, you might have received an email saying your site has been hacked. A hacked site is exposed to many further types of malicious attack. In this tutorial, we will show you how to find a backdoor in a hacked WordPress site.
How to find out if a website is hacked?
WordPress is a free, easy-to-use blogging platform for individuals and small businesses. It is very popular, and many people use it to create their own blogs. WordPress is powerful software that lets you create a blog for yourself, but sometimes hackers gain access to your blog or the entire website and change its code.
This makes your site look different from before and can even change its content. These changes can be very damaging, because you lose your credibility and visitors will no longer trust your site.
Most hackers try to change something on your website. They may put harmful code into your site’s code, or install malware, spyware, or other malicious programs. So if you notice anything suspicious on your website, fix it immediately. If you don’t, you might end up losing customers or even your entire website!
After a site has been hacked, hackers leave signs of their activity. Check for these signs to see whether the site has been hacked:
- Hacked files are often named differently from normal files. For example, a normal file would be named `index.html`, but a hacked one might be named `admin-login.php`.
- If you open a file, you may notice that it no longer contains the standard WordPress text but has been replaced with the word `Hello` or other random text.
- If you try to upload something to the website, you may receive an error message.
- Check whether the site contains unexpected files such as “/wp-includes/[filename].php”.
- Check the database to see whether the “wp_posts” or “wp_postmeta” tables have been modified.
- Search the files for modifications to the “wp-config.php” file.
- Check whether the site has been changed by an external source by examining the “.htaccess” file, the files inside the “www/wp-content/plugins” folder, and more.
Cleaning up a hacked website is quite a lengthy process, and when you clean it up it is important to close the backdoor as well. Some hackers are clever enough to install a backdoor into your WordPress website and then even secure your front door.
What is a WordPress Backdoor?
A WordPress backdoor is code that allows hackers to enter a website without authorization and access its server. The word ‘backdoor’ names the route hackers use to get back into a website. They write special code into the website that tricks it into believing they are someone else (like a trusted user), or they simply log in as the website owner. A WordPress backdoor is a powerful hacking method that lets an attacker get into the site with ease and gives them unrestricted, unauthorized access. The backdoor also lets them gather information about your website’s visitors by monitoring their online activities.
How does a backdoor work?
A backdoor attack is a security exploit that allows an attacker to access a computer system. The attack takes advantage of some weakness or flaw in the software or the operating system. Once the attacker has gained access to the system, he can install programs or modify files. He may be able to log on as a user with limited permissions, or even run his own programs as an administrator. ‘Backdoor’ refers to any method of gaining access to a computer system without authorization. The most common form of backdoor involves viruses that allow hackers to use the system as if they were legitimate users. For example, if an attacker installs a program called “X” on your computer, the computer will believe that the attacker is the legitimate owner of the program and give him full access to the system.
Where is the Backdoor Hidden?
A backdoor looks just like an ordinary WordPress file. It can be hidden anywhere on your WordPress website, and most security plugins cannot detect backdoors because their detection techniques are limited. Backdoors are most commonly stored in the following locations:
1. WordPress Themes
You may have many themes on your WordPress website. Old and inactive themes are a safe place for hackers to enter your website, so it is important to delete unused and outdated themes.
2. WordPress Plugins
WordPress plugins are another favourite place for hackers to load their malicious code, because WordPress users often don’t use or update their plugins. Users also install poorly coded plugins that make it easy for hackers to enter the website.
3. Uploads Directory
The uploads directory is another great place for hackers to leave backdoors, because it contains many media files and users simply use the media files without ever checking for code hidden inside them.
4. wp-config.php File
This file contains the most sensitive information used to configure WordPress. Since it is highly sensitive, many hackers target this file, and users are unable to identify the change.
5. wp-includes Folder
The wp-includes folder is another place where hackers can easily inject their code, because many website owners never check what is inside it. This folder holds the PHP files that run WordPress.
How to find backdoors in WordPress and fix them
As explained above, you now have an idea of what backdoors are and where they hide. The most challenging part is finding the backdoors on your website; once found, cleaning the website is easy.
1. Scan for Malicious code
It is important to scan your website and database to find any vulnerabilities and backdoors. The most commonly used security plugin is Sucuri, and there are many other security plugins. These plugins help you find backdoors and remove them. Scan every day and check whether there is any malicious code.
2. Delete Plugin Folder
It’s a tedious process to search through the plugin folder and scan each and every plugin for vulnerabilities. The best approach is to remove the plugin directory and reinstall it. This is the only way to find out whether backdoors are in your plugins or not. You can access the plugin folder through an FTP client or your WordPress host’s file manager.
3. Delete Themes
As with plugins, you may not be sure whether a theme contains a backdoor, and searching for it is time-consuming. Instead, delete the theme files to check whether the themes are causing the backdoor. Once the backdoor is found to be in the themes and cleaned up, you can reinstall the themes you need.
4. Search Upload folders for PHP file
Next, search the uploads folders and check whether any PHP file is stored in them. The uploads directory is for storing media files; there is no reason for PHP files to be stored there. If you find any PHP files, delete them immediately. Hackers usually place their files in the uploads folder because users rarely look inside it.
5. Delete the .htaccess file
Hackers will not leave even the .htaccess file alone. Some hackers place code in the .htaccess file that redirects your users to another website. So, using an FTP client or file manager, delete the .htaccess file in the website’s root directory; it will be recreated automatically.
If it is not recreated automatically, go to Settings >> Permalinks in your Admin Panel and click the Save Changes button to create a new .htaccess file.
6. Check for the wp-config.php file
wp-config.php is the root configuration file of WordPress; it contains information about the WordPress database, the security keys for the installation, and other developer options. You can find this file in the root folder. To view it, click the Open or Edit option in your FTP client.
Now carefully check the file for anything that looks suspicious. You can compare it with the wp-config-sample.php file located in the same folder. Delete any suspicious code immediately.
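Steps 4, 5 and 6 above can be run from a shell on the server instead of by eye in an FTP client. The script below is an added example, not code from the original article. It looks for PHP under wp-content/uploads (including other executable extensions and image-named files that carry a PHP open tag, the "code hidden in media files" mentioned earlier), for .htaccess lines that redirect off-site or prepend a PHP file to every request, and for lines in wp-config.php that are neither in wp-config-sample.php nor the expected define()/prefix settings. It assumes GNU or BSD find, grep and sed; the site tree, the planted files and the list of risky patterns (eval, base64_decode, gzinflate, str_rot13, request superglobals) are this example's own constructions, not a complete signature set.

```shell
#!/bin/sh
# Added example, not code from the original article: shell checks for steps 4 to 6,
# written from the defender's side. Each function prints what it finds (prefixed so
# the output can be grepped) and returns 1 when something needs a look, 0 when clean.
# Assumes GNU or BSD find/grep/sed and mktemp; every path and file here is hypothetical.

# Step 4: PHP under wp-content/uploads. Looks for executable extensions (not only .php)
# and for image-named files that contain a PHP open tag.
find_php_in_uploads() {
    uploads=$1
    hits=$(find "$uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
             -o -iname '*.phtml' -o -iname '*.phar' \))
    tags=$(grep -ral --include='*.jpg' --include='*.jpeg' --include='*.png' \
             --include='*.gif' --include='*.ico' -- '<?php' "$uploads" 2>/dev/null || true)
    [ -n "$hits" ] && printf '%s\n' "$hits" | sed 's/^/PHP-FILE   /'
    [ -n "$tags" ] && printf '%s\n' "$tags" | sed 's/^/PHP-IN-IMG /'
    [ -z "$hits$tags" ]
}

# Step 5: .htaccess lines that send visitors to another host or prepend/append a PHP
# file to every request. A legitimate redirect to your own domain also matches, so
# review the hits rather than deleting blindly.
check_htaccess() {
    htaccess=$1
    [ -f "$htaccess" ] || return 0
    hits=$(grep -inE '^[[:space:]]*(Redirect|RedirectMatch|RewriteRule)[[:space:]].*https?://|auto_(prepend|append)_file' "$htaccess" || true)
    [ -n "$hits" ] && printf '%s\n' "$hits" | sed 's/^/HTACCESS /'
    [ -z "$hits" ]
}

# Step 6: lines of wp-config.php that are not in wp-config-sample.php, ignoring the
# define()/$table_prefix settings and comments that are expected to differ, then a
# second pass for patterns that almost never belong in a config file.
diff_wpconfig() {
    cfg=$1; sample=$2
    pats=$(mktemp)
    grep -v '^[[:space:]]*$' "$sample" > "$pats"          # blank lines are not patterns
    extra=$(grep -vxF -f "$pats" "$cfg" | grep -vE '^[[:space:]]*$' \
            | grep -vE '^[[:space:]]*(define[[:space:]]*\(|\$table_prefix|/\*|\*|//)' || true)
    rm -f "$pats"
    [ -n "$extra" ] && printf '%s\n' "$extra" | sed 's/^/WPCONFIG-EXTRA /'
    risky=$(printf '%s\n' "$extra" \
            | grep -E 'eval[[:space:]]*\(|base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE)' || true)
    [ -n "$risky" ] && printf '%s\n' "$risky" | sed 's/^/WPCONFIG-RISKY /'
    [ -z "$extra" ]
}

# demo_checks: builds a constructed site tree in a temp dir with one planted finding
# per check plus one clean file, runs the three checks and prints their combined output.
demo_checks() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2024/01"
    printf '<?php /* constructed */ ?>\n' > "$site/wp-content/uploads/2024/01/cache.php"
    printf 'GIF89a<?php /* constructed */ ?>\n' > "$site/wp-content/uploads/2024/01/photo.gif"
    printf 'PNG constructed image bytes\n' > "$site/wp-content/uploads/2024/01/logo.png"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n' > "$site/.htaccess"
    cat > "$site/wp-config-sample.php" <<'EOF'
<?php
define( 'DB_NAME', 'database_name_here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    cat > "$site/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'shop_db' );
$table_prefix = 'wp_';
eval(base64_decode('Y29uc3RydWN0ZWQgc2FtcGxl'));
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    find_php_in_uploads "$site/wp-content/uploads" || true
    check_htaccess "$site/.htaccess" || true
    diff_wpconfig "$site/wp-config.php" "$site/wp-config-sample.php" || true
    rm -rf "$site"
}

if [ "${1:-}" = "demo" ]; then demo_checks; fi
```

Run the three functions against the live paths (`find_php_in_uploads /var/www/html/wp-content/uploads`, and so on) and treat every line as a lead to verify, not a verdict: a caching plugin can legitimately write a PHP file, and an `auto_prepend_file` line may belong to a security plugin you installed yourself. The planted `eval(base64_decode(...))` line in the demo decodes to the words "constructed sample"; it is there only so the risky-pattern pass has something to report.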
7. Restore Website Backup
If you perform regular backups of your website and are still worried that it is not clean, the best option is to delete your entire website and restore a backup taken before your website was hacked.
Tips to prevent future hacks
- Regular Backup
- Install the best security plugin
- Make the WordPress login more secure
- Protect the WordPress admin area
- Disable themes and plugins folders
- Disable certain PHP executions
- Keep your website up to date.
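Two items in the list above can be applied directly from the shell. The script below is an added example, not code from the original article: it drops an .htaccess into wp-content/uploads that stops Apache from executing PHP-like files there (the "disable certain PHP executions" item), and it adds WordPress's `DISALLOW_FILE_EDIT` constant to wp-config.php, which removes the built-in theme and plugin file editor (this example's reading of the "disable themes and plugins folders" item). It assumes Apache 2.4 with `.htaccess` overrides enabled (nginx needs the equivalent rule in its server block), a wp-config.php with the standard "stop editing" marker line, and hypothetical paths.

```shell
#!/bin/sh
# Added example, not code from the original article: two hardening steps from the
# prevention list, applied from the shell.
#   1. Block PHP execution inside wp-content/uploads with a drop-in .htaccess
#      (Apache 2.4 syntax; nginx needs the equivalent in its server block).
#   2. Turn off the built-in theme/plugin file editor with WordPress's
#      DISALLOW_FILE_EDIT constant, inserted once before the "stop editing" marker.
# Assumes a standard wp-config.php layout; all paths are hypothetical.

# block_php_in_uploads <uploads_dir>
# Writes an .htaccess that refuses to serve anything with a PHP-like extension.
block_php_in_uploads() {
    uploads=$1
    cat > "$uploads/.htaccess" <<'EOF'
# Deny direct execution of PHP files uploaded as media (added example)
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# disable_file_editor <wp-config.php>
# Inserts define( 'DISALLOW_FILE_EDIT', true ); once, just before the "stop editing"
# marker (or before wp-settings.php is required), so WordPress reads it early.
# Running it twice leaves a single define line.
disable_file_editor() {
    cfg=$1
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0      # already present: nothing to do
    tmp=$(mktemp)
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
        /stop editing|wp-settings\.php/ && !done { print line; done = 1 }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# verify_hardening <site_root>
# Prints one "ok"/"missing" line per control; returns 0 only when both are in place.
verify_hardening() {
    site=$1
    status=0
    if grep -qs 'Require all denied' "$site/wp-content/uploads/.htaccess"; then
        echo "uploads-php-blocked ok"
    else
        echo "uploads-php-blocked missing"; status=1
    fi
    if grep -qs 'DISALLOW_FILE_EDIT' "$site/wp-config.php"; then
        echo "file-editor-disabled ok"
    else
        echo "file-editor-disabled missing"; status=1
    fi
    return $status
}

# demo_hardening: constructed site tree in a temp dir; verify before, apply (the
# editor step twice, to show it is idempotent), verify after, report where the
# define landed.
demo_hardening() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads"
    printf '%s\n' '<?php' "define( 'DB_NAME', 'shop_db' );" \
        "/* That's all, stop editing! Happy publishing. */" \
        "require_once ABSPATH . 'wp-settings.php';" > "$site/wp-config.php"
    verify_hardening "$site" || true                      # before: both missing
    block_php_in_uploads "$site/wp-content/uploads"
    disable_file_editor "$site/wp-config.php"
    disable_file_editor "$site/wp-config.php"             # second run must not duplicate
    verify_hardening "$site" || true                      # after: both ok
    echo "define-count $(grep -c DISALLOW_FILE_EDIT "$site/wp-config.php" || true)"
    echo "define-line $(grep -n DISALLOW_FILE_EDIT "$site/wp-config.php" | cut -d: -f1)"
    rm -rf "$site"
}

if [ "${1:-}" = "demo" ]; then demo_hardening; fi
```

After applying the uploads rule, request a known media file in a browser to confirm images still load, and request any `.php` path under uploads to confirm it is refused; if images stop loading, the host has `AllowOverride` turned off and the same `FilesMatch` block belongs in the virtual host configuration instead.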
When hackers hack a website, they can upload any type of file to the server, including PHP scripts, which are the instructions used to run the site. Hackers can also change the code that runs a theme to include instructions that execute when a visitor loads a page.
For example, an attacker could replace the code that displays the homepage with code that sends visitors to another site.
When this happens, nothing stops the attacker from uploading a PHP script or theme file that pretends to offer instructions for how to “fix” the problem. Such a script might direct people who visit the site to download a fake browser extension that claims to protect them from future hacking.
Once hackers have compromised your site, they use backdoor files as the first step to get back in. If you find a backdoor file on your site, delete it immediately. You do not want a hacker to have access to your site while they are still there.
If you’re going to remove a backdoor file from your website, make sure you delete it from every location. Don’t just delete it from a single directory!
If you find a backdoor file on your site, it is highly likely that your WordPress installation has been hacked. If you have no idea how to check whether your site has been hacked, you can download the popular Sucuri Website Security plugin for WordPress.
Before you do anything else, update your WordPress installation. That’s the most important thing to do when you have a hacked site.
Once you have updated your WordPress installation, you can then log in to the back end and do some basic troubleshooting.
WordPress sites have been hacked to steal users’ credentials and access their email addresses and personal information. Hackers are always looking for ways to use other people’s websites as a platform for their own attacks, and one of the easiest ways to do this is through the theme files.
These are files located in your theme directory that contain information about how the site should look and behave. We hope you now have an idea of how to find backdoors in a hacked website and fix them. If you have any queries or suggestions, please feel free to comment.