
WordPress Backdoor Hack: Symptoms, Finding & Fixing

Updated on: February 7, 2022


Article Summary

Millions of WordPress sites are infected every year, and the number is increasing. These hacked websites are then used to spread fraud and spam by redirecting their traffic to questionable websites. Often the owners and developers are unaware of the infection. The infection may or may not be persistent; a well-planted WordPress backdoor is what gives the attacker that persistence.

What is WordPress Backdoor?

A WordPress backdoor is code that gives an attacker unauthorized, persistent access to the server. Often it is a malicious file hidden somewhere; at times it is an infected plugin. New variants of the WordPress backdoor hack appear every month.

Hackers are constantly trying to inject WordPress backdoors. Multiple plugins have been used to spread infections over the years, so the threat can come from anywhere. Removing a WordPress backdoor afterwards can be a time- and resource-consuming process, but preventive measures can always limit the damage: a secured WordPress site can delay an attack, if not prevent it. We will look at finding and fixing a WordPress backdoor in this blog.

What leads to a WordPress Backdoor Hack?

Setting up a WordPress site is reasonably easy, but multiple loopholes can pave the way for a WordPress backdoor. For simplicity, we can narrow them down to the prime few:

  • A buggy plugin or theme.
  • Weak or default login credentials for your site.
  • Weak file permissions that expose sensitive files.
  • No firewall or other security solution in place.
  • Outdated installations.
  • Sharing an infected server with other websites. Ask your service provider for subnetting.

Related Guide – Complete Step by Step Guide to WordPress Security (Reduce the risk of getting hacked by 90%)

Finding WordPress Backdoor

Locating WordPress Backdoor in Themes

Inactive themes are the best place to hide a WordPress backdoor. Hackers are aware of this and often look for such themes on your site, because you are less likely to check a theme that is inactive. WordPress themes contain a critical file called functions.php. This file is responsible for calling native PHP, WordPress, and other functions, so in simple words it can be used to perform any kind of operation. Attackers often inject code into this file to obtain a WordPress backdoor. One such example is shown in the image below.

(Image: malicious code injected into a theme's functions.php)

This malicious code is present in the file functions.php. It is triggered when the attacker visits the URL www.yoursite.com/wp-includes/registration.php; the function then creates a new user with

id: backdooradmin

password: Pa55W0rd

Thus, even if you delete the user, it is created again the next time this URL is visited. This is a typical example of a WordPress backdoor. However, this code can only be injected after gaining access to the server first, for example through an open FTP port or another loophole.


Locating WordPress Backdoor in Plugins

A WordPress backdoor hack is often due to buggy plugins. Multiple plugins have been found buggy over the years; this year the latest one was Contact Form 7, which has more than 5 million active users. In that case the bug led to a privilege escalation. When plugin files are modified, the change may not be visible on the Dashboard, but an FTP search can reveal such files. To make them look legitimate, backdoor files are often named as help files. The reasons backdoors are found in plugins are:

  • Unused plugins are more likely to be infected, simply because they can hide backdoors for a long time.
  • Untrusted and unpopular plugins are often poorly coded, which increases the chances of a WordPress backdoor hack.
  • Outdated plugins are more likely to be targeted, because many sites are still running them without updating.
  • These buggy plugins can be used to modify other core files.

Therefore look out for any unknown plugins. Clean out all the unused plugins!

Locating WordPress backdoor in installation files

Once a plugin is infected, modifying core files comes next. There may be rogue code in base files, or new files may appear. At times the backdoor may look like gibberish, as here:

$t43="l/T6\\:aAcNLn#?rP}1\rG_ -s`SZ\$58t\n7E{.*]ixy3h,COKR2dW[0!U\tuQIHf4bYm>wFz<=DqV@&(BjX'~|ge%p+oMJv^);\"k9";
$GLOBALS['ofmhl60'] = ${$t43[20].$t43

This code is obfuscated using known techniques, which makes it harder for a human to read. Look out for such suspicious-looking code and remove the files containing it. At times the backdoor may also present itself as a legitimate-sounding file like xml.php, media.php, plugin.php, etc., so don't skip any file even if it looks legitimate. There are other techniques for making the code difficult to read as well.

Also look out for the keyword FilesMan in your files. For instance, this is the dump of the infamous backdoor Filesman:02. This backdoor is hard to detect and not visible in logs. It is used to steal passwords and other details.

<?php
$auth_pass = "";
$color = "#df5";
$default_action = "FilesMan";
$default_charset = "Windows-1251";
preg_replace("/.*/e","x65x76x61x6Cx28x67x7Ax69x6Ex66x6Cx61x74x65x28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'7b1tVxs50jD8OXvO9R9Er3fanhhjm2Q2Y7ADIZCQSSAD5GUC3N623bZ7aLs93W0Mk+W/31Wll5b6xZhkdq/7OedhJtDdKpVKUkkqlapK3rDM1tzJLL4tl7qn+ycf90/O7ddnZ++7H+Ctu/t..NRCty4s8Uh1VQKxLg+xQC0T93+IV4sxw/c08okR1wKtoyadLX6Dl6tDg3WxVxFoHhkj6Yn/xc='x29x29x29x3B",".");
?>

For instance, the code on the 6th line is in hex form. Decoded, it begins: preg_replace("/.*/e","eval(gzinfla... There are tools available online to decode hex characters; use them! The attacker can also hide code using base64 encoding, so treat it the same way. Here the keyword FilesMan is present on the 4th line; variants of this infection carry this keyword. The code may also tamper with sensitive files like .htaccess, so take a good look through those too!

How to Fix WordPress Backdoor Hack?

Comparing Checksum

The first step is to compare checksums, a heuristic determination of file integrity. This can be done by manual inspection, and there are also free automatic tools for the purpose. Checksums are available not only for core files but for plugins and themes too. You can also maintain a personal blacklist, built from lists available in the public domain. Where the checksums do not match, proceed to manually remove the WordPress backdoors.

Core Files Integrity

Secondly, inspect manually the files whose checksums differ. It is very likely that the WordPress backdoor hack has tampered with them, and the integrity of the installation files can be verified this way. Begin by downloading a fresh copy of WordPress.

$ mkdir WordPress

$ cd WordPress

These commands create a directory named WordPress and switch into it.

$ wget https://github.com/WordPress/WordPress/archive/4.9.8.zip

$ unzip 4.9.8.zip

The first line downloads the latest version of WordPress (4.9.8 in this case; ideally the same release your site runs, so that a diff shows only tampering) and the second line extracts it into WordPress-4.9.8/. After completing these tasks comes the critical step:

$ diff path/to/your/site/wp-cron.php WordPress-4.9.8/wp-cron.php

This command prints the differences between the two files. Since the WordPress backdoor would have edited your files, this shows the changes. However, a few files are dynamic, like xmlrpc.php, which lets users and services interact with the site through RPC. Hackers know this and often try to hide backdoors there, so check it thoroughly to find and remove WordPress backdoors.
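The checksum comparison described under "Comparing Checksum" and "Core Files Integrity", as an added example (not the article's or Astra's code): it hashes every file under a WordPress root, compares against a manifest of known-good MD5 values, and reports files that were modified in place, files that are missing, and files that should not exist at all (the dropped-in xml.php case). The manifest and site tree in demo() are constructed; in a real run the manifest comes from the matching WordPress release.

```python
import hashlib
import os
import tempfile

# Added example, not the article's code: check a WordPress tree against a
# known-good MD5 manifest (constructed here; a real one comes from the
# matching WordPress release); report modified, missing and unexpected files.
def md5_file(path):
    with open(path, 'rb') as fh:
        return hashlib.md5(fh.read()).hexdigest()

def verify_tree(root, manifest, skip_prefixes=('wp-content/',)):
    """Compare files under root with manifest {relative_path: md5}. skip_prefixes
    are site-specific trees no core manifest covers; inspect those separately."""
    report = {'modified': [], 'missing': [], 'unexpected': []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            if rel.startswith(skip_prefixes):
                continue
            seen.add(rel)
            if rel not in manifest:
                report['unexpected'].append(rel)  # dropped-in file, e.g. xml.php
            elif md5_file(full) != manifest[rel]:
                report['modified'].append(rel)    # core file edited in place
    report['missing'] = list(set(manifest) - seen)  # deleted or renamed
    return {key: sorted(paths) for key, paths in report.items()}

def demo():
    """Constructed site: one clean core file, one tampered, one rogue, one missing."""
    root = tempfile.mkdtemp()
    on_disk = {
        'wp-cron.php': b"<?php\n// clean\n",
        'wp-includes/registration.php': b"<?php\n// unexpected code appended\n",
        'xml.php': b"<?php\n// rogue file, absent from the manifest\n",
        'wp-content/uploads/shot.png': b"\x89PNG",  # skipped: not a core path
    }
    for rel, data in on_disk.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(data)
    manifest = {  # checksums of the pristine release files
        'wp-cron.php': hashlib.md5(b"<?php\n// clean\n").hexdigest(),
        'wp-includes/registration.php': hashlib.md5(b"<?php\n").hexdigest(),
        'wp-admin/about.php': hashlib.md5(b"<?php\n").hexdigest(),
    }
    return verify_tree(root, manifest)
```

Anything in the "modified" or "unexpected" lists is what the diff step above should be run on; "missing" entries usually mean a file was renamed or deleted to hide a replacement.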

Encodings

At times files may show up as modified but be unreadable to you. Then you can begin the WordPress backdoor hack cleanup by looking for base64 encodings. This is where the grep command can do wonders. Use the following command:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> output.txt

This command neatly lists all base64 detections in output.txt. From there you can decode them to plaintext using online tools. If you wish to search files other than .php, just replace *.php in the command. The malicious code could also be in hex format, so you could use grep -Pr "[\x01\x02\x03]", which matches raw non-printable bytes that readable PHP source should not contain. Repeat this step for other similar encodings. Delete these files, or the lines of malicious code, to remove WordPress backdoors.
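An added example (not the article's or Astra's code) that automates the checks from the functions.php, FilesMan and encodings sections above: it expands hex-escaped strings so hidden eval/gzinflate/base64_decode calls become readable, flags the FilesMan keyword and long decodable base64 blobs, and notes theme or plugin code that creates user accounts. SAMPLE_PHP is a constructed file; the base64 inside it is just padding, not a real payload.

```python
import base64
import binascii
import re

# Added example, not the article's code: flag the obfuscation patterns the
# article describes (hex-escaped strings hiding eval/gzinflate/base64_decode,
# the FilesMan keyword, long base64 blobs) plus account-creation calls of the
# kind the functions.php backdoor uses. SAMPLE_PHP is constructed for the demo.
HEX_ESC = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){4,}')
B64_BLOB = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
SUSPECT_CALLS = ('eval(', 'gzinflate(', 'base64_decode(', 'str_rot13(',
                 'preg_replace("/.*/e"')
USER_CALLS = ('wp_create_user(', 'wp_insert_user(')
SIGNATURES = ('FilesMan',)

def decode_hex_escapes(text):
    """Expand \\xNN escapes so hidden function names become readable."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), text)

def scan_php(source):
    """Return [(line_no, reason)] findings for one PHP file's contents."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        decoded = decode_hex_escapes(line)
        for sig in SIGNATURES:
            if sig in decoded:
                findings.append((no, 'signature ' + sig))
        calls = [c for c in SUSPECT_CALLS if c in decoded]
        if calls:
            prefix = 'hex-escaped ' if HEX_ESC.search(line) else ''
            findings.append((no, prefix + 'suspect call ' + ', '.join(calls)))
        if any(c in decoded for c in USER_CALLS):
            findings.append((no, 'creates a user account'))
        for blob in B64_BLOB.findall(decoded):
            try:
                base64.b64decode(blob, validate=True)
            except binascii.Error:
                continue                      # long token, but not valid base64
            findings.append((no, 'base64 blob (%d chars)' % len(blob)))
    return findings

SAMPLE_PHP = r'''<?php
$default_action = "FilesMan";
preg_replace("/.*/e", "\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'\x29\x29\x29\x3B", ".");
add_action('init', function () { wp_insert_user($args); });
function theme_setup() { add_theme_support('title-tag'); }
'''
```

Run scan_php over each file found by the find command above; a hit on a hex-escaped suspect call is far stronger evidence than a base64 blob alone, which legitimate plugins also embed.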

Using Server Logs

The server logs can help you remove WordPress backdoors. First, check which files have been edited after a specific date. Also go through the FTP logs to see the IPs used to connect to your server, and keep a tab on recently edited files. Look closely at the images folder as well: no one expects executables in an images folder, and the folder is often writable, which is why hackers love to hide backdoors there. Ensure that permissions are appropriate for sensitive files: set them to 444 (r--r--r--) or maybe 440 (r--r-----). Look specifically for any changes in the images folder.
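The file-system side of the log review above, as an added example (not the article's or Astra's code): it lists files changed since a cut-off date, PHP files sitting under wp-content/uploads, and sensitive files whose mode is looser than the 444/440 the article recommends. The site tree built in demo(), including the "help.php" dropped into uploads, is constructed.

```python
import os
import stat
import tempfile
import time

# Added example, not the article's code: the file-system checks the article
# pairs with log review: files changed since a given time, PHP dropped into the
# uploads folder, and sensitive files whose mode is looser than 444 or 440.
# The site tree in demo() is constructed.
SENSITIVE = ('wp-config.php', '.htaccess')
ALLOWED_MODES = (0o444, 0o440)
PHP_EXT = ('.php', '.phtml', '.php5', '.phar')

def triage(root, since_epoch):
    """Return {'recent': [...], 'php_in_uploads': [...], 'loose_perms': [...]}."""
    findings = {'recent': [], 'php_in_uploads': [], 'loose_perms': []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            st = os.stat(full)
            mode = stat.S_IMODE(st.st_mode)
            if st.st_mtime >= since_epoch:          # edited after the cut-off
                findings['recent'].append(rel)
            if rel.startswith('wp-content/uploads/') and name.lower().endswith(PHP_EXT):
                findings['php_in_uploads'].append(rel)  # executable where only media belongs
            if name in SENSITIVE and mode not in ALLOWED_MODES:
                findings['loose_perms'].append((rel, oct(mode)))
    return {key: sorted(val) for key, val in findings.items()}

def demo():
    """Constructed site: a month-old install plus one PHP file dropped in uploads."""
    root = tempfile.mkdtemp()
    old = time.time() - 30 * 86400
    files = {'wp-config.php': 0o644,                      # should be 444/440
             'index.php': 0o644,
             'wp-content/uploads/2022/02/photo.jpg': 0o644,
             'wp-content/uploads/2022/02/help.php': 0o644}  # "help file" name from the article
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write('<?php\n' if rel.endswith('.php') else 'x')
        os.chmod(path, mode)
    for rel in list(files)[:3]:                           # backdate all but help.php
        os.utime(os.path.join(root, rel), (old, old))
    return triage(root, time.time() - 7 * 86400)
```

Cross-reference the "recent" list with the FTP and access logs for the same window: the IP that touched a flagged file is the one to look for in the rest of the logs.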

Update and Backup

The importance of updating your WordPress website has been emphasized over and over. An outdated installation is as good as an infected one.

If you are unable to trace the cause of the WordPress backdoor hack, restore the site from a backup, but only after taking a backup of the current site, and then compare the two.

If you don't have an existing backup and want to replace the core WordPress files with fresh ones, you need to update your WordPress website manually, again after taking a backup of the current site.

Moreover, if any vulnerability is reported in a plugin you use, update it immediately. If the patch is taking too long, replace the plugin with an alternative. Stay up to date with the official blogs to get patches at the earliest.

Use WordPress Backdoor Scanner

Humans are prone to errors. Manual inspection is tedious and error-prone, and a missed file can cause the WordPress backdoor hack to reoccur. The solution is automation. There are fairly advanced tools available in the market today; these scanners can detect hidden WordPress backdoor locations and provide steps to remove the backdoor.


Yash Mehta

Yash Mehta is an Information Security Intern at Astra. Passionate about Cybersecurity from a young age, he has helped 100+ companies secure their IT infrastructure.
[…] SEO rankings of the site. Apart from sending spam and SEO poisoning, backdoors are fairly common. Backdoors are installed in the WordPress sites after they are compromised using known vulnerabilities. These backdoors then pave ways for […]

trackback

[…] Related article: WordPress Backdoor Hack: Symptoms, Finding & Fixing […]

trackback

[…] Related article: WordPress backdoor hack […]

Piyush
4 years ago

thanks for sharing such an informative post

Naman Rastogi
4 years ago
Reply to  Piyush

Thanks, Piyush
