We will explain how to find backdoors in a hacked and defaced WordPress site.
What is a backdoor?
As the name suggests, a backdoor is a back door that allows hackers to tamper with a site and perform various illegal activities on the server.
This program can be written in as little as one line or as many as a few dozen characters, so it is very often installed when WordPress is hacked and tampered with.
Once a vulnerability is breached and a backdoor is installed, if even a single backdoor remains on the server, the server will be repeatedly re-modified, and the backdoor must be removed.
However, since even simple programs can create backdoors, they are often installed in very deep WordPress hierarchies or mixed in with legitimate files, making manual detection and removal difficult in many cases.
How to find and remove WordPress backdoors
1 Use a malware scanning plugin
The easiest way is to use a plugin that automatically scans all program files on WordPress for malware.
Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
However, backdoors always change their code to escape detection. There are some types of backdoors whose code changes from site to site.
We recommend that you use the paid version of the above plug-ins, as new types of malware that appear daily are added to the database and the latest malware can always be detected.
(You can purchase the paid version from the plugin management screen after installing the plugin.)
2 Manually check susceptible files and remove malware
There are at least several thousand WordPress files, and it is difficult to manually inspect each and every file. However, backdoor codes have certain characteristics, and there is a trend in the files in which they are embedded, so it makes sense to manually check such files and codes.
(However, if you only use this method, the possibility of the backdoor remaining somewhere is greater.)
Example of backdoor code
Backdoor codes have the following characteristics
- Obfuscated, one-line strings of unintelligible characters
- Often embedded at the top of the program
- Many comments (/*) are inserted to avoid detection.
- Eval (a function that executes a string as a program) is included.
- Base64_decode (often used to obfuscate programs) is included.
The following files are often embedded with backdoors
wp-config.php
index.php
functions.php of the theme
index.php of the theme
Fake files that have been partially renamed from legitimate WordPress files
Reference
Five characteristics of malware files that infect WordPress