Having your WordPress site hacked, is nothing short of nightmare. What is worse is, even after you think you have completed the cleaning process, the hacker might get in because they usually create a backdoor which lets them pass through the usual authentication process. In this post, we shall discuss how one can find the backdoor in a hacked WordPress site and have it fixed.
About a Backdoor
Backdoor refers to a method of overriding the usual authentication process and gaining unauthorized access to a WordPress hosting server. Most of the times a hacker tries to get in, he uploads a backdoor first, so that even after you identify that you have been hacked and change passwords, there’s a way to get in for the hacker. Backdoors can be notorious and survive even after you have removed the plugin which was culprit in the hacking or have upgraded the WordPress. To recover from the attack, it is necessary to clean backdoors.
There are varying levels of sophistications in backdoors. Some of them create a hidden admin username. Others can allow the hacker to run PHP codes sent from the browser, while others can come with a full UI, through which the attacker can send emails, execute queries etc.
Finding the hidden Code
The usual locations where the backdoor codes are hidden–
- Plugins– Plugins are the probably the favorite places for hackers to hide backdoors. There are many reasons for this, First of all, while cleaning after an attack, people don’t usually look into plugins for backdoors. Second, even after upgrading to a new WordPress, people don’t usually upgrade plugins, which increase the longevity of backdoors. And third being the plentiful availability of plugins which are poorly coded and hence are vulnerable to be used as backdoors.
- Themes– Many hackers store the backdoor in inactive themes. This is because people usually look at the current theme or a theme that had recently been used. Hence, cleanup the inactive themes.
- wp-config.php– This is a frequent target. It is also the place where you should look.
- Uploads Directory– This is the place which is not frequently checked by casual bloggers because there are hardly anything other than media files in this folder. Moreover, there are thousands of files in this folder, which makes it easier for the hacker to hide the backdoor code. So have a thorough look through this directory.
- The Includes folder– /wp-includes/ is the place where hackers usually place their backup backdoor files. Generally there are two backdoors which hackers keep on a server.
In all of the above cases, the backdoor is usually camouflaged as a legitimate WordPress file. The extension can be anything, not necessarily PHP. Data.php, wp-content.old.tmp etc. are some of the common names which backdoor files have. The only telling factor is that these are present in wrong folders.
WordPress in itself is not vulnerable to unauthorized uploads. The actual backdoor upload is usually the second step. Hackers generally exploit a third-party plugin to get access for uploading backdoor files. This is how things start going downhill.
Finding and cleaning the backdoor
Removing a backdoor file is easy. Just delete it! However, finding it is the difficult step. Start with a malware scanner like Sucuri. However, there can be many false alarms. Because most backdoors use base64 and eval codes. These types of codes are used by plugins. So, unless you are the one who developed a plugin, won’t be able to tell the difference between a legitimate base64 file and backdoor. The best thing to do is to delete the entire plugins folders and reinstall each. This will ensure that you have cleaned up the plugins in one go.
- Searching the Uploads folder
You can use the SSH code find uploads –name “*.php” –print. This shall give the name of the files in the Uploads folder which have php as extension. There’s no usual reason to find a PHP file in Uploads folder, which is primarily meant for media files.
- Inactive Themes
Delete the inactive themes. If you ever need them, then can get in your leisure time.
- Delete .htaccess file
Many times a redirect code is added in this file. Just delete the file, and WordPress will create a new file on its own. If it doesn’t, then in the admin panel, find Settings>>Permalinks and click Save.
- wp-config.php file
Compare the current wp-config.php with wp-config-sample.php. If there’s anything fishy, reset it.
- Scanning the Database for Exploits and SPAM
In some attacks the hacker stores the backdoor files in your database. It is usually very difficult to find problems. However, you can use Sucuri or Exploit scanner are good at finding these.
Just to be sure that the hacks have been removed, direct your browser (in private browsing mode) to your site. Some hackers code their attacks such that logged in users don’t see any changes. If everything looks right, then you are done for now.
Preventing future attacks
The best way is to keep regular backups and strong monitoring system. The moment you see any unusual activity, delete the entire site and recover from the backup. Use Sucuri to monitor and keep your site safe. Other security measures
- Use strong passwords– If you find it hard to remember difficult passwords, then use password utilities like 1Password.
- Limiting login attempts– This will lock a user out after a particular number of login attempts
- Multi-step authentication– Keep a two-step password at least, like a password along with a verification step.
- Disabling PHP execution in WordPress directories– This would stop any sort of execution from the Uploads directory and other unusual places.
- Update and Update– Keeping your WordPress updated is an essential step to ensure security.
The most important thing is to spend some time and money on security. Use paid plugins like Sucuri and sophisticated backup plugins. If you are hacked, there’s always a restore point. Being 100% secure is impossible, but there are always ways to prevent attacks.