Detecting and Removing Backdoors From a Hacked WP Website
Having your website hacked is not a pleasant experience. If you open your site and are redirected to inappropriate sites, if traffic plummets, or if you get blacklisted by search engines, browsers, and major antivirus software, all of these point to one thing: your site has been hacked. Even if it is not blacklisted by search engines, opening your website in Chrome might display a “Site May Be Hacked” notice on the browser page. In a nutshell, it is a nightmare of an experience. Today, I plan to talk about how you can recover from it.
Thousands of WordPress websites get hacked every year. These hacks are not because the CMS is insecure. It is mostly the fault of the website owners, who might have used a weak password or have failed to update the software when a security update gets released. Not to overstate the obvious, but if you chose to self-host your website, you are responsible for keeping it up to date.
Although there are many other reasons for a website to get hacked, an outdated version of WordPress or of a WP plugin/theme is one of the key reasons.
Getting hacked is one thing that I have talked a lot about in this security series. Another, more pressing issue is that of backdoors. In this post, I will talk about what a backdoor is and how to detect and remove backdoors from a WordPress site to make your site secure again.
Why Are WordPress Sites Hacked?
Throughout this security series, I have persistently highlighted the factors which may lead to a hacked website. A weak password, a bad hosting service, outdated WordPress or WP plugins and themes, and poorly coded plugins are some of the major reasons sites get hacked. For any website, security is of paramount importance. But with an intelligent security strategy, all these threats can be prevented quite easily.
Here are some interesting yet scary statistics by WPWhiteSecurity.com:
- In 2012, more than 170,000 WordPress-based websites were hacked
- Out of 170,000, 41% were hacked due to poor web host
- In 2013, of 40,000 WordPress websites in the Alexa top 1 million, 70% were vulnerable to being hacked
- Out of those 40,000 websites, 30.95% were using a vulnerable version of WordPress, i.e. 3.6. As of this writing, more than 10% of websites are on version 3.x
So, based on the points mentioned above, the best tip to stay secure is to keep WordPress and its plugins up to date. From time to time, security loopholes are discovered and fixed by releasing a new version of the CMS or the product. If you do not update your site to the new version, it remains vulnerable to the loopholes of the old version.
What Is a Backdoor?
A backdoor is a hidden method of gaining access to the WordPress dashboard, bypassing normal authentication. Backdoors are special because they allow admin access even after the vulnerable point that led to the hack has been fixed. As soon as hackers exploit a vulnerability, they create backdoors for future access. This way, backdoors survive patches and WordPress updates too. Backdoors can be plenty harmful, as they allow hackers to sneak back in undetected.
Types of Backdoors
In most cases, you won’t even know a backdoor exists unless the hacker has defaced or taken down the site. That is why smart hackers don’t touch the site itself. Instead, they use the server to send spam. There are different types of backdoors. Some let PHP code be executed through a web browser. Others are used to execute SQL queries, send email through the server, or use DNS to do the damage.
Locations Where Hackers Hide Malicious Code
The first step in detecting a backdoor is to know where it might be uploaded. Following are the most common hideouts for backdoors.
Inactive Themes and Plugins
Malicious code is not usually found in the active theme and plugins. Hackers usually upload backdoors to inactive themes and plugins. Most users don’t bother updating inactive themes, so they are hit hard as a result of the backdoor. This is why you should never keep inactive, idle themes or plugins that you do not use on your site. Outdated inactive themes and plugins are an especially easy target.
The Uploads Directory
Tell me the last time you browsed this directory from top to bottom. Never, right? Most people know that this is the place where all media files are stored. In an average WordPress installation, the uploads directory contains thousands of files, so it is rare that you will ever check it entirely. The uploads directory is an easy target for two reasons:
- One, no one ever bothers checking this directory.
- Second, this directory is writable, so it can be used to execute malicious code.
The wp-config.php File
The wp-config.php file is the most critical file in a WordPress installation. It contains the database connection details as well as certain installation parameters. Hackers also like to put backdoors in this file. Make sure you check it as well and, while you are at it, update the site’s salts.
The wp-includes Directory
The wp-includes directory is a core WordPress directory. Sometimes hackers use it to upload their backdoors. The problem is that, unlike the uploads directory, this folder contains mostly .php files, so you can’t tell unusual files from the original ones unless you know all the core files by name. Some hackers name their malicious file so that it sounds like a core file. Others even modify the core files themselves, which is why you should verify the checksums of these files.
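The checksum comparison just described, as an added example that is not part of the original article: it records the checksum of every file in a known-clean WordPress tree and then reports core files that were modified, core files that went missing, and files that no release ships (the renamed-to-look-like-core case). In practice the manifest would come from a pristine copy of the same WordPress version (WordPress.org publishes per-file checksums for each release, and WP-CLI's `wp core verify-checksums` automates this comparison); here the clean tree, the tampered live tree and the file names are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """MD5 of a file, read in chunks so large core files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(clean_root):
    """Record the checksum of every file in a known-clean WordPress tree."""
    return {rel: md5_of(full) for rel, full in walk_files(clean_root)}


def verify_core(live_root, manifest):
    """Compare a live tree against the manifest.

    Returns (modified, missing, unexpected): core files whose contents
    changed, core files that disappeared, and files no release ships.
    """
    seen = set()
    modified, unexpected = [], []
    for rel, full in walk_files(live_root):
        seen.add(rel)
        if rel not in manifest:
            unexpected.append(rel)          # nothing in the release has this name
        elif md5_of(full) != manifest[rel]:
            modified.append(rel)            # a shipped file whose bytes changed
    missing = sorted(set(manifest) - seen)
    return sorted(modified), missing, sorted(unexpected)


def demo():
    """Constructed scenario: a clean tree, then a live copy with one core file
    altered and one extra file dropped into wp-includes (all file contents
    are made up for this example)."""
    core = {
        "wp-includes/functions.php": "<?php\nfunction wp_hello() { return 'hi'; }\n",
        "wp-includes/class-wp.php": "<?php\nclass WP {}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            os.makedirs(os.path.join(root, "wp-includes"))
            for rel, body in core.items():
                with open(os.path.join(root, rel), "w") as fh:
                    fh.write(body)
        manifest = build_manifest(clean)
        # Tamper with the live copy: append a line to a core file and add a
        # file whose name is chosen to blend in with the real class-*.php files.
        with open(os.path.join(live, "wp-includes/functions.php"), "a") as fh:
            fh.write("// extra line not present in the release (constructed)\n")
        with open(os.path.join(live, "wp-includes/class-wp-cache-helper.php"), "w") as fh:
            fh.write("<?php\n// not part of any WordPress release (constructed)\n")
        return verify_core(live, manifest)


if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified:  ", modified)
    print("missing:   ", missing)
    print("unexpected:", unexpected)
```

Point `build_manifest` at a freshly downloaded copy of the same WordPress version and `verify_core` at the site root; anything reported as unexpected under wp-includes or wp-admin deserves a look, since those directories should contain only what the release shipped.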
Detecting and Removing a Backdoor
A backdoor lets unauthorized people access the WordPress site undetected. A vulnerable plugin, theme, or outdated installation could let the hacker in to create backdoors. So even after you clean up the mess and update everything, the backdoor can still be used to regain access to the site. Unless you get rid of the backdoor, you remain vulnerable to further hacking attempts.
The hard part of getting rid of a backdoor is detecting it. How do you find it in the first place? How do you clean up the site? Here are some ways of doing it:
Scan the Files and Database
Use the Exploit Scanner plugin to detect the presence of malicious code. This plugin, however, won’t remove any code or file itself; that is entirely up to the user. It also looks for base64-encoded strings (commonly used to obfuscate malicious code) in files and in the database. Legitimate plugins also use base64 to accomplish various tasks, which, by the way, is bad practice! You should not be using any such plugin/theme.
So if you are not a plugin developer, better not to mess with plugins by deleting their base64 code. You can also use Sucuri (their premium service) to scan your site for malware. Sucuri is the most trusted name in the community. Not only will they detect the backdoor, they will also close it for you.
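The file-and-database scan described above, written out as an added example; this is not the Exploit Scanner plugin's code, and nothing here deletes anything. It looks for the obfuscation shapes the section mentions (base64_decode, eval, compressed or rot13 payloads, long base64 literals) in every .php file under a tree and in rows pulled from the database, ranks a decode call fed straight into eval() highest, and accepts a list of path prefixes to skip for plugins you have already reviewed, which is how the legitimate-base64 false positives are handled rather than by deleting their code. The plugin, the dropped file and the database rows are all constructed in a temporary directory.

```python
import os
import re
import tempfile

# Each entry: (name, severity 1-3, regex). A decode call fed straight into
# eval() is the classic obfuscated-loader shape and ranks highest; a lone
# base64_decode() is only a lead, since legitimate plugins use it too.
SUSPICIOUS = [
    ("decode-then-eval", 3,
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("eval", 2, re.compile(r"\beval\s*\(")),
    ("base64_decode", 1, re.compile(r"\bbase64_decode\s*\(")),
    ("compression/rot13 decode", 1,
     re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("long base64 literal", 1, re.compile(r"['\"][A-Za-z0-9+/]{100,}={0,2}['\"]")),
]


def scan_text(text):
    """Return [(line_no, name, severity), ...] for every match in the text."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, sev, rx in SUSPICIOUS:
            if rx.search(line):
                hits.append((no, name, sev))
    return hits


def scan_tree(root, allowed_prefixes=()):
    """Scan every .php file under root; skip path prefixes already reviewed."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(p) for p in allowed_prefixes):
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                results[rel] = hits
    return results


def scan_db_rows(rows):
    """rows: iterable of (label, text) taken from a database dump or query."""
    results = {}
    for label, text in rows:
        hits = scan_text(text)
        if hits:
            results[label] = hits
    return results


# Constructed database rows standing in for wp_options content. The base64
# literal decodes to the word "constructed"; it is not a real payload.
DB_ROWS = [
    ("wp_options#1 siteurl", "http://example.invalid"),
    ("wp_options#312 widget_text",
     "<?php eval(gzinflate(base64_decode('Y29uc3RydWN0ZWQ=')));"),
]


def demo():
    """Constructed tree: one plugin using base64 legitimately, one dropped file."""
    files = {
        "wp-content/plugins/legit-plugin/legit.php":
            "<?php\n"
            "// An inline icon shipped as base64: legitimate, but poor practice.\n"
            "$icon = base64_decode('iVBORw0KGgo=');\n",
        "wp-content/uploads/2016/05/cache.php":
            "<?php\n"
            "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n"
            "$blob = '" + "QUJD" * 30 + "';\n",   # 120-char base64-looking literal
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        everything = scan_tree(tmp)
        reviewed = scan_tree(tmp, allowed_prefixes=("wp-content/plugins/legit-plugin/",))
    return everything, reviewed, scan_db_rows(DB_ROWS)


if __name__ == "__main__":
    everything, reviewed, db = demo()
    for label, hits in list(everything.items()) + list(db.items()):
        worst = max(sev for _, _, sev in hits)
        print(f"[severity {worst}] {label}")
        for no, name, _ in hits:
            print(f"    line {no}: {name}")
```

Sort the output by severity before reading it: a severity-3 hit in wp-content/uploads or in a database option is the thing to chase first, while a lone base64_decode inside a plugin you installed on purpose is exactly the false positive the section warns about.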
Delete All Inactive Themes
What’s the point of keeping themes you don’t use? They just make good prey for hackers. Instead, delete inactive themes right away. Even default themes like Twenty Thirteen and Twenty Sixteen are pointless to keep. Once you delete all inactive themes, scan your site again. If one of your inactive themes had the backdoor, it is gone and your site should be clean. If your website is still getting infected, try the other methods in this post.
Delete All Plugins
The Exploit Scanner plugin can tell you where the malicious code is hidden, and you can delete it. The only risk is making sure that you delete the right file and do not break your site.
A better decision would be to delete all the plugins. Yes, delete all the plugins and install fresh copies of each of them again. This way, you can guarantee the site’s clean state afterward. To make sure all plugins are deleted, check the wp-content/plugins directory.
You may wonder why I am not suggesting that you update the outdated plugins. Here is another interesting fact: sometimes backdoors remain unaffected by updates. Hence, merely updating the outdated plugins would not do much good.
Fix wp-config.php File
Your wp-config.php file might contain malicious code as well. To make sure it is fine, compare its contents with wp-config-sample.php. If you find anything out of the ordinary, get rid of it right away. It is advisable to consult a security consultant here.
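One way to do that comparison mechanically, as an added example that is not from the article: strip comments and blank lines from both files, then report every statement in wp-config.php that neither appears verbatim in wp-config-sample.php nor merely fills in a constant the sample expects you to set (the database settings, the keys and salts, WP_DEBUG, the table prefix). The sample below is an abbreviated, constructed stand-in for the real wp-config-sample.php and the config is likewise made up; in use you would read both files from disk. Legitimate additions such as a memory-limit constant are reported too, on purpose: the tool lists what differs and you decide.

```python
import re

# Constants a real wp-config.php is expected to define with site-specific
# values, so their lines legitimately differ from wp-config-sample.php.
EXPECTED_DEFINES = {
    "DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST", "DB_CHARSET", "DB_COLLATE",
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
    "WP_DEBUG",
}
DEFINE_RX = re.compile(r"""^define\s*\(\s*['"]([A-Za-z0-9_]+)['"]""")


def code_lines(source):
    """Yield (line_no, whitespace-normalized statement), skipping blanks and
    comment lines. Lines inside a /* ... */ block that do not start with '*'
    are kept, which errs on the side of reporting too much."""
    for no, raw in enumerate(source.splitlines(), start=1):
        s = " ".join(raw.split())
        if not s or s.startswith(("//", "#", "/*", "*", "*/")):
            continue
        yield no, s


def unexpected_lines(config_src, sample_src):
    """Statements in wp-config.php that are neither in the sample nor a
    site-specific value for one of the constants the sample expects."""
    known = {s for _, s in code_lines(sample_src)}
    flagged = []
    for no, s in code_lines(config_src):
        if s in known:
            continue
        m = DEFINE_RX.match(s)
        if m and m.group(1) in EXPECTED_DEFINES:
            continue                      # normal constant with your own value
        if s.startswith("$table_prefix"):
            continue                      # prefix is meant to be customized
        flagged.append((no, s))
    return flagged


# Abbreviated, constructed stand-in for wp-config-sample.php.
SAMPLE = """<?php
/** Database settings (constructed sample) */
define('DB_NAME', 'database_name_here');
define('DB_USER', 'username_here');
define('DB_PASSWORD', 'password_here');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
if ( ! defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
"""

# Constructed wp-config.php: real-looking values, one harmless extra
# constant, and one include of a file that has no business being there.
CONFIG = """<?php
define('DB_NAME', 'shop_db');
define('DB_USER', 'shop');
define('DB_PASSWORD', 'placeholder-password');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
define('AUTH_KEY',         'placeholder-key-1');
define('SECURE_AUTH_KEY',  'placeholder-key-2');
define('LOGGED_IN_KEY',    'placeholder-key-3');
define('NONCE_KEY',        'placeholder-key-4');
define('AUTH_SALT',        'placeholder-salt-1');
define('SECURE_AUTH_SALT', 'placeholder-salt-2');
define('LOGGED_IN_SALT',   'placeholder-salt-3');
define('NONCE_SALT',       'placeholder-salt-4');
$table_prefix = 'shop_';
define('WP_MEMORY_LIMIT', '128M');
define('WP_DEBUG', false);
/* keep this */
include_once('wp-content/uploads/.cache.php');
if ( ! defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
"""


def demo():
    return unexpected_lines(CONFIG, SAMPLE)


if __name__ == "__main__":
    for no, stmt in demo():
        print(f"wp-config.php line {no}: {stmt}")
```

Anything reported that you did not add yourself, and in particular any include, require or eval of a file outside the WordPress root or inside wp-content/uploads, is the "out of the ordinary" the section tells you to remove.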
Inspect Uploads Directory
The uploads directory normally contains nothing but media files. So while inspecting it, if you find a .php file hidden inside the upload folders, you had better get rid of it. Such .php files might contain the malicious code that is letting hackers in. Since most users don’t regularly check this directory, hackers upload their backdoors here.
Careful there: if you use a caching plugin or a custom framework, such plugins also put their cache-related files in there. It is better to consult the developers or find a security consultant if you don’t know what you are doing.
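The uploads inspection from this section and from the earlier "two reasons" list, as an added example that is not part of the article. It goes a little beyond the text: besides .php files it flags other PHP-executable extensions, files of any extension whose leading bytes contain a PHP opening tag (a script stored under an image name), and server configuration files (.htaccess, .user.ini) that should not live under uploads at all, while skipping directory prefixes you pass in for a caching plugin whose files you have checked with its developers. The directory tree and file contents are constructed in a temporary directory; the `cache/` prefix is an assumption standing in for whatever your caching plugin uses.

```python
import os
import tempfile

# Extensions a typical PHP-enabled web server will execute.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# Per-directory server configuration files; neither belongs in uploads.
SERVER_CONFIG_FILES = {".htaccess", ".user.ini"}


def inspect_uploads(root, allowed_prefixes=()):
    """Return sorted [(relative_path, reason), ...] for files under root that
    do not belong in a media directory. allowed_prefixes lists relative
    directory prefixes (e.g. a caching plugin's folder) to leave alone."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(p) for p in allowed_prefixes):
                continue
            ext = os.path.splitext(name)[1].lower()   # image.jpg.php -> .php
            if ext in EXEC_EXTENSIONS:
                findings.append((rel, "executable extension"))
                continue
            if name in SERVER_CONFIG_FILES:
                findings.append((rel, "server config file in uploads"))
                continue
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if b"<?php" in head:
                findings.append((rel, "PHP opening tag inside non-PHP file"))
    return sorted(findings)


def demo(use_allowlist=True):
    """Constructed uploads tree: a real-looking JPEG, a PNG carrying a PHP
    tag, a dropped .php file, a caching plugin's own file, and an .htaccess."""
    files = {
        "2016/05/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "2016/05/logo.png": b"\x89PNG\r\n\x1a\n<?php /* constructed */",
        "2016/05/wp-cache.php": b"<?php // constructed sample\n",
        "cache/page-1.html.php": b"<?php // caching plugin output, allowlisted\n",
        ".htaccess": b"# constructed\n",
    }
    with tempfile.TemporaryDirectory() as uploads:
        for rel, body in files.items():
            full = os.path.join(uploads, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        prefixes = ("cache/",) if use_allowlist else ()
        return inspect_uploads(uploads, allowed_prefixes=prefixes)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run `inspect_uploads` against wp-content/uploads with no allowlist first, then add prefixes only for directories a plugin's developers confirm are theirs; a file like wp-cache.php sitting next to your photos is named to look like a cache file precisely because of the caching-plugin caveat above.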
Delete .htaccess File
.htaccess is the second most important file after wp-config.php. Hackers may put their code in there to create backdoors. To make sure it is clean, just delete it. Don’t worry; WordPress regenerates the file with its default content. If it is not recreated, go to Settings > Permalinks and save the settings.
Careful there: this can prove to be a site-breaking suggestion. Have your backup ready to be restored in case something goes wrong.
The finest solution for beginners is to use a security service like Sucuri. Sucuri provides solutions to secure WordPress sites. They perform regular scans of your WordPress site to make sure it is clean of malware. Sucuri also has a website firewall, which prevents hacks to a great extent. If your site has a backdoor, hire them to fix it.
Do Take Backups
There are Updraft Plus, BackupBuddy, CodeGuard, VaultPress and many other backup services. These services allow you to take backups of your site and its database. That way, if your site gets hacked, you can easily restore it from an earlier point in time when it was clean. It is the most overlooked advice regarding website security. Most of the said backup solutions may take 10-20 minutes to set up. You can also use a free plugin like BackWPup to create backups.
When it comes to website security, you should never hesitate to make an investment. A hacked website can always be recovered, but that is not the point. The point is your website’s reputation — once it is tarnished, you won’t get it back.
Hackers use your server to send spam and redirect your site to inappropriate sites, and consequently you are blacklisted by search engines and major antivirus products. This hurts both your website’s brand and your credibility.
I’d again like to advise you to hire a security consultant for this kind of stuff. I have an interesting post coming up at the end of this series where I will talk about what you can expect from security consultants.
Has your site ever been hacked? How did you manage to handle the situation? Let us know in the comments. There are always so many interesting and insightful stories there.
Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.