We will explain how to find backdoors in a hacked and defaced WordPress site.

What is a backdoor?

As the name suggests, a backdoor is a back door that allows hackers to tamper with a site and perform various illegal activities on the server.
This program can be written in as little as one line or as many as a few dozen characters, so it is very often installed when WordPress is hacked and tampered with.

Once a vulnerability is breached and a backdoor is installed, if even a single backdoor remains on the server, the server will be repeatedly re-modified, and the backdoor must be removed.

However, since even simple programs can create backdoors, they are often installed in very deep WordPress hierarchies or mixed in with legitimate files, making manual detection and removal difficult in many cases.

How to find and remove WordPress backdoors

1 Use a malware scanning plugin

The easiest way is to use a plugin that automatically scans all program files on WordPress for malware.

Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

However, backdoors always change their code to escape detection. There are some types of backdoors whose code changes from site to site.

We recommend that you use the paid version of the above plug-ins, as new types of malware that appear daily are added to the database and the latest malware can always be detected.
(You can purchase the paid version from the plugin management screen after installing the plugin.)

2 Manually check susceptible files and remove malware

There are at least several thousand WordPress files, and it is difficult to manually inspect each and every file. However, backdoor codes have certain characteristics, and there is a trend in the files in which they are embedded, so it makes sense to manually check such files and codes.
(However, if you only use this method, the possibility of the backdoor remaining somewhere is greater.)

Example of backdoor code

Backdoor codes have the following characteristics

  • Obfuscated, one-line strings of unintelligible characters
  • Often embedded at the top of the program
  • Many comments (/*) are inserted to avoid detection.
  • Eval (a function that executes a string as a program) is included.
  • Base64_decode (often used to obfuscate programs) is included.

The following files are often embedded with backdoors
wp-config.php
index.php
functions.php of the theme
index.php of the theme
Fake files that have been partially renamed from legitimate WordPress files

Reference
Five characteristics of malware files that infect WordPress

Related Posts:

  1. 5 signs that your WordPress site has been hacked or defaced
    Recently, there has been an increase in the number of SEO hacks, a type of site tampering that is difficult to recognize as tampering, rather than hacks or tampering that are easy to understand. In this article, we would like to explain how this type of tampering affects sites....
  2. What to do for your site users when WordPress is hacked, tampered with, or hijacked.
    This page explains how to respond to users (those who use the site) when there is a possibility of damage to users who visit the site, such as being redirected to another site, being sent to a sweepstakes site, or downloading malicious files due to WordPress tampering. This page explains how to respond to users (those who use the site)...
  3. What is a WordPress injection attack?
    There are various methods by which WordPress can be hacked, the most common of which is called an injection attack. This section describes these injection attacks....
  4. Redirect hack that takes you to another site when you click on a link on a WordPress site.
    A redirect hack is a type of tampering in which a hacker alters site data or theme files to force users to go to a page that the hacker wants them to go to instead of the page they originally wanted to see. The following is an explanation of a common example of a redirect hack, in which clicking on...
  5. WordPress Examples of redirect hacks where WordPress WordPress redirects to another site without permission and how to deal with them.
    Recently, there have been an increasing number of cases where sites have been tampered with, redirecting users to a fake Windows virus removal page or PC repair page only when accessing the site via Google. In this issue, we will deliver an explanation of this case and countermeasures....
  6. Reasons for repeated hacker defacement and malware infection on WordPress sites
    Once a WordPress site has been defaced by hackers, embedded malware, or infected with a virus, the site may be repeatedly defaced even after you think you have removed the malware. We will explain how to deal with such cases....