If WordPress redirects you to a different site or disables some features of the administration panel, you may have been infected with malware.
In this case, if the malware has been removed and the site keeps re-infecting itself, it is possible that a backdoor, or malicious program, remains somewhere on the site.


What is a back door?

A backdoor is a program that is illegally embedded in a site and serves as a starting point for hackers to deface the site.
Hackers can access this file via the Internet to deface the site as many times as they wish.

Backdoors are often difficult to find because they are embedded deep within the site, the code is obfuscated, or they are hidden in other files such as ico files.

How to find hidden malware (tampering) and backdoors in WordPress

The easiest way to find hidden malware (including tampering, backdoors, and viruses) is to use a malware scanner plug-in.

We recommend that you scan your site with the WordPress Doctor malware scanner plugin, which has been used to scan and remove malware from over 30,000 sites as of 2022.

Free WordPress:Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].

Files susceptible to WordPress malware infection

There are also certain files that are very susceptible to WordPress backdoors and malware.
We recommend that you also investigate this by visual inspection.

Infection of files that are executed whenever someone visits the site

WordPress has a file that is executed every time someone visits the site. Hackers may embed malicious code here to automatically restore malware by embedding a backdoor or malicious code for re-infection.

wp-config.php
index.php

contained in the theme file
index.php
header.php
footer.php
functions.php
single.php
page.php

Malware disguised as common WordPress files

Malicious code may be installed with a name that looks exactly like a common program name included in WordPress.

wp-signups.php
wp-plain.php
wp-conflg.php
xmIrpc.php
setup-config.php
wp-includes.php

etc.

Randomly named PHP files

Hackers often embed malware files with random, meaningless strings of characters in their file names. If such a file is included in the core WordPress files, you may suspect it is malware.

1dyrU7.php
hU67jl.php

etc.

HTACCESS file

The HTACCESS file is a configuration file at the top of the WordPress installation directory that contains permalink settings and other information.
It is very common for this file to be tampered with, disabling many of the features of the administration panel.

Reference
HTACCESS and Index.php files that are instantly tampered with again in WordPress

Related Posts:

  1. What to do if you can no longer rewrite or delete HTACCESS due to wordpress tampering
    Here is what to do when you can no longer rewrite or delete HTACCESS due to WordPress malware infection (tampering)....
  2. If you can’t find wordpress malware, where is the malware hidden?
    We will explain how hackers hide malware when WordPress has been defaced and no malware is found....
  3. How do I stop process-resident malware in WordPress?
    Some of today’s malware is of the type that writes an infinite loop (or delayed process) into the server process and resides there....
  4. 10 Symptoms of WordPress hacked (tampered malware infection)
    This section describes 10 common symptoms of WordPress being hacked (tampering malware infection)....
  5. Five types of malware embedded in WordPress
    Here are some of the types of malware embedded in WordPress that are common these days. If similar code is included in the site’s program, we suspect that WordPress has been hacked and tampered with....
  6. What is a WordPress injection attack?
    There are various methods by which WordPress can be hacked, the most common of which is called an injection attack. This section describes these injection attacks....