
Finding and Fixing a Backdoor in a Hacked WordPress Site

Sandeep Kumar Mishra
in Posts > Tech
November 28, 2012
5 minute read

Your WordPress site may have been hacked and you fixed it, but the hacker was still able to get back in. The usual reason is that the hack was not cleaned up the right way, or you did not know where to look for the breach. In such cases the hacker has created a backdoor that allows them to bypass your site's normal authentication. If you want to know the best way to find and fix a backdoor in a hacked WordPress site, read on.

What is a Backdoor?

First, let us agree on what a backdoor is. It is a method a hacker uses to bypass a website's normal authentication so that they can access the server while remaining undetected. This is what most smart hackers do: they upload the backdoor first, so that even if you remove the breached plugin they can still regain access. Worse still, even if you upgrade WordPress the backdoor remains, and your site stays vulnerable until you clean up the mess for good. How do you clean it up for good?

How a Hacker uses a Backdoor to Exploit your System

A simple backdoor lets a hacker create a hidden admin user so they can log in to the system. A more complex backdoor lets the hacker run any PHP code sent from the browser. Worst of all is a backdoor with a full-fledged user interface that lets the hacker send emails that appear to come from your server, run SQL queries, and do anything else they can think of. Hackers install backdoors in themes, plugins, the uploads directory, the wp-includes folder, and wp-config.php. Old and inactive themes are a favourite location, because a backdoor there survives updates. People do not upgrade plugins often and some plugins are poorly coded, which makes plugins another likely hiding place. The article How to hack a WordPress site shows how hackers normally do this; it is written for developers so they know what to watch for when installing or upgrading a plugin.

How to Clean Up Backdoor for Good

In most cases, backdoors are disguised to resemble WordPress files. Check the wp-includes folder: a file named wp-user.php there is a backdoor, since a normal install contains user.php but no wp-user.php. In the uploads folder, a file named hello.php is a backdoor disguised as the Hello Dolly plugin. Backdoors also use names like wp-content.old.tmp, php5.php or data.php; a file containing PHP code does not have to end in .php, and it can even be a .zip file. The code is usually base64-encoded and can perform all manner of hacking operations, including redirecting the main page to spammy sites, adding extra pages, and adding spam links. A reliable way to spot these files is to compare your install, file by file, against a clean copy of the same WordPress version: anything that is not in the clean copy, or differs from it, deserves a close look.
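The hiding places and disguises described above can be turned into a mechanical check. The following Python script is an added example, not code from the original post: it builds a small constructed WordPress tree containing the file shapes the article names (wp-user.php in wp-includes, hello.php in uploads, PHP code inside a .tmp file, and a base64-obfuscated eval in php5.php) and reports each one with a reason. The KNOWN_WP_INCLUDES allowlist and the regex patterns are assumptions for illustration; in practice you would compare against a clean download of the same WordPress version.

```python
import re
import tempfile
from pathlib import Path

# Stand-in allowlist of files expected directly inside wp-includes. This is an
# assumption for the example; a real check compares against a clean download
# of the same WordPress version. Note that user.php is present and wp-user.php
# is not, as the article points out.
KNOWN_WP_INCLUDES = {"user.php", "functions.php", "plugin.php", "pluggable.php"}

# Code shapes typical of obfuscated PHP backdoors: evaluating decoded data, or
# executing whatever arrives in a request parameter. Patterns are illustrative.
SUSPICIOUS_PATTERNS = [
    ("eval(base64_decode)", re.compile(rb"eval\s*\(\s*base64_decode")),
    ("eval(gzinflate)", re.compile(rb"eval\s*\(\s*gzinflate")),
    ("request data passed to eval/system",
     re.compile(rb"(eval|system|shell_exec|passthru)\s*\(\s*\$_(GET|POST|REQUEST)")),
]

PHP_OPEN_TAG = re.compile(rb"<\?php")


def scan_wordpress_root(root):
    """Walk a WordPress install and return [(relative_path, reason)] for suspicious files.

    Each file gets at most one reason; the checks mirror the hiding places the
    article lists. Archives such as .zip are not unpacked here and would need
    a separate pass.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        parts = rel.split("/")
        data = path.read_bytes()
        suffix = path.suffix.lower()

        # 1. A file directly inside wp-includes that a clean install does not ship.
        if parts[0] == "wp-includes" and len(parts) == 2 and path.name not in KNOWN_WP_INCLUDES:
            findings.append((rel, "unexpected file in wp-includes"))
            continue

        # 2. Any PHP file under wp-content/uploads: that tree should hold media only.
        if rel.startswith("wp-content/uploads/") and suffix == ".php":
            findings.append((rel, "PHP file in uploads directory"))
            continue

        # 3. PHP code behind a non-PHP extension (e.g. wp-content.old.tmp).
        if suffix != ".php" and PHP_OPEN_TAG.search(data):
            findings.append((rel, "PHP code in non-PHP file"))
            continue

        # 4. Obfuscated execution patterns anywhere, including innocent-looking names.
        for name, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(data):
                findings.append((rel, "obfuscated PHP pattern: " + name))
                break
    return findings


def build_sample_site(base):
    """Write a small constructed WordPress tree containing the article's backdoor shapes."""
    base = Path(base)
    files = {
        "wp-includes/user.php": b"<?php // legitimate core file\n",
        "wp-includes/wp-user.php": b"<?php // not part of a clean install\n",
        "wp-content/uploads/2012/11/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "wp-content/uploads/hello.php": b"<?php // disguised as the Hello Dolly plugin\n",
        "wp-content/themes/old-theme/wp-content.old.tmp": b"<?php // PHP hiding in a .tmp file\n",
        "wp-content/plugins/good-plugin/good-plugin.php":
            b"<?php add_action('init', 'good_plugin_init');\n",
        # 'PAYLOAD' is a placeholder string, not a real encoded payload.
        "wp-content/php5.php": b"<?php eval(base64_decode('PAYLOAD')); ?>\n",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return {path: reason}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return dict(scan_wordpress_root(tmp))


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{reason:45s} {rel}")
```

Run it against a real install by calling scan_wordpress_root with the site's document root. Expect some false positives from the pattern check, since a few legitimate plugins call base64_decode; treat every hit as something to inspect by hand and verify against a clean copy rather than something to delete automatically.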

The good news is that the current version of WordPress (version 3.4.2) has no known vulnerabilities. Therefore another way to defeat backdoors is to upgrade to the latest version of WordPress available.
