Introduction
WordPress sites are a prime target for cybercriminals due to their popularity and open-source nature. One of the most dangerous aspects of WordPress malware infections is the presence of hidden backdoors, allowing attackers to regain access even after the initial cleanup. This investigation highlights common backdoor techniques, detection methods, and steps to secure your WordPress site.
How Attackers Install Hidden Backdoors
1. Injected Malicious Code in Core Files
Attackers often insert malicious PHP code into core WordPress files such as wp-config.php, wp-load.php, and wp-settings.php. This allows them to execute commands remotely.
2. Obfuscated PHP Scripts
Malicious scripts use functions like base64_decode(), eval(), str_rot13(), or gzuncompress() to hide their true functionality. These scripts often reside in plugin and theme files.
3. Fake Plugin or Theme Files
Hackers create plugins with names resembling legitimate ones or inject backdoors into inactive themes that go unnoticed.
4. Unauthorized Database Entries
Attackers inject malicious code directly into the WordPress database, especially in the wp_options, wp_posts, or wp_users tables.
5. Hidden Files in Uploads Directory
Hackers hide PHP files in the wp-content/uploads/ directory disguised as image files (e.g., malware.jpg.php).
6. Modified .htaccess Rules
Attackers modify .htaccess files to redirect traffic or execute malicious scripts, often enabling remote code execution.
How to Detect Hidden Backdoors
1. Scan for Malware and Unusual Code
Use security plugins like:
Wordfence
Sucuri Security
MalCare
iThemes Security
Run a manual search for suspicious functions:
find . -type f -name "*.php" | xargs grep -i "base64_decode"
find . -type f -name "*.php" | xargs grep -i "eval("
find . -type f -name "*.php" | xargs grep -i "gzuncompress"
2. Check File Integrity
Compare WordPress core files with a clean installation:
wp core verify-checksums
3. Review Recently Modified Files
Identify files changed in the last 7 days:
find . -type f -mtime -7
4. Scan the Database for Suspicious Entries
SELECT * FROM wp_options WHERE option_value LIKE '%<script%';
SELECT * FROM wp_posts WHERE post_content LIKE '%base64%';
5. Check User Accounts
Verify admin users under Users > All Users in WordPress and remove unauthorized accounts.
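The manual checks above can be run as one pass. The following script is an added example written for this page, not code from the original article or from WordPress: it turns the suspicious-function search, the uploads check and the recently-modified search into shell functions, and adds a local SHA-256 manifest for the parts of the tree that wp core verify-checksums does not cover (it verifies only core files). It assumes POSIX sh with find, grep, awk and either sha256sum or shasum; the function names, the WP_ROOT variable and the sample tree built by make_sample_site are all constructed for the example, and the "payload" strings in the sample files are placeholders, not working code.

```shell
#!/bin/sh
# Added example, not from the original article: one-pass triage of a
# WordPress tree (suspicious PHP functions, PHP hidden under
# wp-content/uploads, recently modified files) plus a local hash manifest
# for everything `wp core verify-checksums` does not check. All input is a
# constructed sample tree built by make_sample_site, so it runs offline.

# Obfuscation functions named in the article, as one extended regex.
SUSPICIOUS_RE='base64_decode|eval\(|str_rot13|gzuncompress'

# Pick a SHA-256 tool: sha256sum (GNU) or shasum -a 256 (BSD/macOS).
if command -v sha256sum >/dev/null 2>&1; then HASHER=sha256sum; else HASHER="shasum -a 256"; fi

# Lists every .php file under $1 containing one of the suspicious functions.
# Expect hits in legitimate code too (WordPress core itself calls
# base64_decode); every hit needs manual review, the list only narrows it.
scan_suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -liE "$SUSPICIOUS_RE" {} + | sort
}

# Lists PHP files under the uploads directory, including double extensions
# such as malware.jpg.php; uploads should contain no executable PHP at all.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -name '*.php*' -o -name '*.phtml' \) 2>/dev/null | sort
}

# Lists files modified within the last $2 days (default 7).
recently_modified() {
  find "$1" -type f -mtime "-${2:-7}" | sort
}

# Writes "hash  ./relative/path" for every file under $1, sorted by path.
# Take this baseline right after a verified-clean install or cleanup.
build_manifest() {
  ( cd "$1" && find . -type f -exec $HASHER {} + ) | sort -k2
}

# Diffs the tree under $1 against baseline manifest $2 and prints
# ADDED / MODIFIED / REMOVED lines (paths are assumed to contain no spaces).
compare_manifest() {
  current=$(mktemp)
  build_manifest "$1" > "$current"
  awk 'NR == FNR { base[$2] = $1; next }
       !($2 in base) { print "ADDED    " $2; next }
       base[$2] != $1 { print "MODIFIED " $2 }
       { delete base[$2] }
       END { for (p in base) print "REMOVED  " p }' "$2" "$current" | sort
  rm -f "$current"
}

# Builds a constructed WordPress-like tree under $1: one legitimate plugin
# file (backdated so it does not count as recent), one obfuscated-looking
# file in wp-includes and one PHP file disguised as an image in uploads.
# The payload strings are placeholders, not working code.
make_sample_site() {
  mkdir -p "$1/wp-content/plugins/hello" "$1/wp-content/uploads/2024/01" "$1/wp-includes"
  printf '<?php\n// ordinary plugin code\necho "hello";\n' > "$1/wp-content/plugins/hello/hello.php"
  touch -t 202001010000 "$1/wp-content/plugins/hello/hello.php"
  printf '<?php\neval(base64_decode("PLACEHOLDER"));\n' > "$1/wp-includes/constructed-backdoor-sample.php"
  printf '<?php\neval(str_rot13("PLACEHOLDER"));\n' > "$1/wp-content/uploads/2024/01/malware.jpg.php"
}

# Runs all checks and prints a labelled report.
triage_report() {
  echo "== PHP files using obfuscation functions =="; scan_suspicious_php "$1"
  echo "== PHP files under wp-content/uploads =="; find_php_in_uploads "$1"
  echo "== Files modified in the last 7 days =="; recently_modified "$1" 7
}

# Stand-alone demo on the constructed tree (set WP_ROOT to scan a real install).
WP_ROOT=${WP_ROOT:-}
if [ -z "$WP_ROOT" ]; then
  WP_ROOT=$(mktemp -d)
  make_sample_site "$WP_ROOT"
fi
triage_report "$WP_ROOT"
```

Run build_manifest against a known-clean tree once and keep the output off the server; compare_manifest then shows exactly which files changed, appeared or vanished, which is the question a cleanup has to answer for plugins, themes and uploads where no upstream checksum exists (for plugins from wordpress.org, wp plugin verify-checksums does the same job as the core command).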
How to Remove Hidden Backdoors
1. Restore from a Clean Backup
If you have a recent backup, restore it and immediately update all passwords.
2. Replace Core WordPress Files
Reinstall core files using:
wp core download --skip-content --force
3. Clean Database Entries
Manually remove malicious database entries via phpMyAdmin or a database management tool.
4. Remove Suspicious Files
Delete unauthorized PHP files, especially in wp-content/uploads/, wp-includes/, and wp-admin/.
5. Reset All Passwords
Change passwords for:
WordPress Admin
FTP/SFTP
Hosting Panel
Database User
6. Harden WordPress Security
Disable file editing in wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Set correct file permissions:
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
Enable Two-Factor Authentication (2FA)
Install a Web Application Firewall (WAF)
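The two command-line steps above (the DISALLOW_FILE_EDIT constant and the permission scheme) are easy to get subtly wrong: appending the define() to the end of wp-config.php with echo >> puts it after the line that loads core, where it has no effect. The helper below is an added example written for this page, not code from the article or from WordPress; it assumes a stock-shaped wp-config.php that ends with require_once ABSPATH . 'wp-settings.php'; and inserts the constant just above that line, idempotently, then applies and verifies the 755/644 scheme. The function names, the WP_ROOT variable and the sample tree from make_sample_tree are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: idempotent hardening helpers
# for the two steps above, with checks that report whether they took effect.
# Custom constants must be defined before `require_once ABSPATH .
# 'wp-settings.php';` loads core, so the define is inserted above that line.

# Sets DISALLOW_FILE_EDIT in $1 (a wp-config.php path). Returns 0 when the
# constant is (now) defined as true, 2 when it is present with another value
# (left for manual review), 3 when no wp-settings.php require line exists.
harden_wp_config() {
  cfg=$1
  if grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$cfg"; then
    return 0                      # already hardened, nothing to do
  fi
  if grep -q DISALLOW_FILE_EDIT "$cfg"; then
    echo "DISALLOW_FILE_EDIT is defined but not true in $cfg; review it manually" >&2
    return 2
  fi
  if ! grep -q "wp-settings\.php" "$cfg"; then
    echo "no wp-settings.php require found in $cfg; add the define by hand" >&2
    return 3
  fi
  awk -v line="define('DISALLOW_FILE_EDIT', true);" \
      '/wp-settings\.php/ && !done { print line; done = 1 } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Returns 0 only if DISALLOW_FILE_EDIT is defined as true on a line that comes
# before the wp-settings.php require, the only placement that takes effect.
check_file_edit_disabled() {
  def=$(grep -nE "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$1" | head -n1 | cut -d: -f1)
  req=$(grep -n "wp-settings\.php" "$1" | head -n1 | cut -d: -f1)
  [ -n "$def" ] && [ -n "$req" ] && [ "$def" -lt "$req" ]
}

# Applies the article's permission scheme: directories 755, files 644.
fix_permissions() {
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod 644 {} \;
}

# Prints every file not exactly 644 and every directory not exactly 755
# (catches world-writable uploads and executable PHP); empty output is clean.
check_permissions() {
  find "$1" -type f ! -perm 644 | sort
  find "$1" -type d ! -perm 755 | sort
}

# Builds a constructed minimal site under $1: a wp-config.php in the shape of
# the stock sample (no DISALLOW_FILE_EDIT yet) and files with sloppy modes.
make_sample_tree() {
  mkdir -p "$1/wp-content/uploads"
  cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'constructed_db' );
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
  printf '<?php\n' > "$1/index.php"
  chmod 777 "$1/wp-content/uploads"
  chmod 666 "$1/index.php"
}

# Stand-alone demo on the constructed tree (set WP_ROOT for a real install).
WP_ROOT=${WP_ROOT:-}
if [ -z "$WP_ROOT" ]; then WP_ROOT=$(mktemp -d); make_sample_tree "$WP_ROOT"; fi
harden_wp_config "$WP_ROOT/wp-config.php"
fix_permissions "$WP_ROOT"
echo "File editing disabled: $(check_file_edit_disabled "$WP_ROOT/wp-config.php" && echo yes || echo no)"
echo "Permission deviations (should be empty):"; check_permissions "$WP_ROOT"
```

check_permissions is worth keeping as a recurring job: a backdoor dropped into uploads commonly arrives together with a world-writable directory or an executable file, and a non-empty report after fix_permissions has run points straight at what changed.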
Final Steps
Request Google Review
If your site was flagged by Google, go to Google Search Console > Security Issues and request a security review after cleanup.
Monitor for Future Attacks
Regularly scan your site, update all themes/plugins, and enforce strong security measures.
By proactively securing your WordPress site, you can prevent hackers from exploiting hidden backdoors and maintain a secure website. If you suspect your site is infected and need professional help, consider using security services like emonbd, a1webservice, or a cybersecurity expert.
