Is a ghoulish hacker haunting your site? Tell-tale signs include: Constantly getting hacked no matter how often you clean your site, and WordPress telling you there’s an extra admin account that isn’t actually listed.
OK, so maybe your site isn’t actually haunted… but it sure feels like it when your site has a mind of its own! What’s more likely is that you have a backdoor security exploit. Fortunately, there are many options for fixing it, no exorcism required.
In this post, we’ll look at what backdoor exploits are, how you can recover from one with the help of plugins, reasons why your site got hacked in the first place, and how to secure your site so it doesn’t happen again.
What is a Backdoor Exploit?
When your site is compromised and the hacker adds their own way to access your site and the admin dashboard whenever they want, it’s called a backdoor exploit. The key here is that the hacker can get into your site without gaining entry through the front-end login page.
It’s easier to remember when you think of your site as a house. Everyone you invite over is welcome to enter through the front door, just like your site’s login page. But when an intruder cuts out a door at the back of your house and creates their own key for the makeshift door, they can enter your house through this backdoor without you even knowing.
Similarly, a hacker can create a script that acts as a key. They inject it into your site creating their own backdoor so they can gain access whenever they want.
While regular users – along with site admins like yourself – would need to access your site through the login page, the hacker wouldn’t need to and this is how they’re able to access everything while going virtually undetected.
A hacker can use a program they created to systematically hack into your site, then they most commonly do one of a few things:
Upload or create a file in your WordPress site with the backdoor script enclosed
Add themselves as a hidden admin, often by piggybacking on your account
Execute PHP code that they send through a browser
Collect personal information for spam purposes
Change anything on your site for their own purposes, often for spamming
Send spam emails from your site to look like you are the one who sent it
If a file is added, it’s often named to look like it’s a legitimate file that’s a part of the WordPress core. The file could be named sunrise.php, php5.php, users-wp.php, wp-config.zip or something similar.
While details on detecting a backdoor is going to be covered later on, it may be important to note that some plugins do include a sunrise.php file, but your main clue that it’s a backdoor would be that the file isn’t located within a plugin folder and could be in the uploads folder, for example. By making the file seem normal, they can go on to infiltrating your site without being detected.
Typically, hackers add the backdoor file to your wp-includes and wp-content > themes, plugins or uploads folders, but may also change your wp-config.php file.
Just knowing a hacker could do all this to your site is terrifying and it’s a tough pill to swallow especially when you think your site and the WordPress core is bullet-proof because, well, isn’t it?
How Hackers Get Into Your Site
WordPress itself is secure, but there are ways a hacker can still get into your site. The reason for this is because improvements to the WordPress core are made on a regular basis, but sometimes these adjustments have unforeseen vulnerabilities.
These vulnerabilities act like plot holes in a movie. Most viewers probably won’t notice them as they enjoy the film, but other astute people will.
In WordPress, these bugs are often found through testing and squashed before it even gets to be applied to your site, but just like plot holes in a movie, sometimes they’re missed during the creation process before anyone can fix them.
Sometimes a new version of WordPress is made publicly available that has security holes in it. When hackers find these vulnerabilities, they’re able to exploit them to get into your site, although, when these threats are detected, the WordPress security team works on a patch and they’re included in the frequent security updates.
Even though security issues could be found, this doesn’t mean WordPress isn’t secure. If you keep it up to date, then it is secure since it won’t include any known vulnerabilities.
If you don’t regularly update your WordPress site, the security fixes aren’t applied and your site would still have the same vulnerabilities that came with the version of WordPress you’re using. A hacker could then use the security hole to get into your site.
Plugins and Themes
This also applies to plugins and themes. Sometimes, they also include vulnerabilities and unless you update them regularly, the bugs won’t be squashed and a hacker could use them to burrow into your site and gain unauthorized entry.
Not all themes and plugins are made equal as well since they’re all created by independent developers or companies. While there’s a screening process a plugin or theme needs to go through to be publicly accessible through the official WordPress directories, a hacker could inject malicious scripts into them after the fact and it would be released to all the users.
Some plugins or themes could be released even though they’re not coded well. While the screening process includes a list of best practices that a submission has to pass in order to be accepted, it’s more of a bare minimum requirement and it’s highly recommended that submitted plugins and themes exceed all the expectations.
While so many plugin and theme authors pass with flying colors, not all of them do. Regardless, the submission is passed on to the public. This is why it’s incredibly important to only download and use plugins and themes from developers and companies you trust and that have a good reputation overall.
While vulnerabilities are often found in plugins and themes, it’s usually because there’s no shortage of hackers to find these security holes in order to exploit them. Most developers and companies jump to work to fix the bug and release a patch quickly and these are the authors you can trust.
Even still, most developers submit plugins and themes on a volunteer basis and taking care of regular maintenance is something they can only afford do on their spare time, after their day job. This does mean a vulnerability could go on without being fixed for a while and this is when you would need to find an alternative that would still be suitable for your specific needs.
The Need for Speed … and Security
It’s important to keep your plugins, themes and site fully up-to-date, but it’s not enough to do this at your leisure. As soon as an update becomes available, you need to upgrade as soon as humanly possible. The longer you wait to do it, the longer a hacker has to find out your site is vulnerable and attack it.
While keeping your entire site up-to-date is crucial, it’s not the only security measure you should take. Hardening your site’s security is another important step. This means taking extra security precautions to ensure your site stays safe.
This can include installing a security plugin like Defender, making manual changes to your site or using strong passwords to only name a few.
If you don’t harden your site’s security, you could leave your site wide open for hackers to easily saunter through, especially if you’re using passwords that are easily guessable such as “password,” “wordpress123,” or “adminpass.” Using an insecure password like these would be the equivalent of leaving a key hung to the door knob of your house.
Bottom line: Not following security best practices or neglecting to keep your site, plugins and themes up-to-date can ultimately lead to your site being compromized with a backdoor exploit.
Disaster Recovery Plan
If you find you suspect your site has been hacked with a backdoor exploit, there are ways of checking, but before you do, you should make a full backup of your site. Even though your site could be hacked, there’s still a chance things could get worse before they get better.
Having a backup can be helpful. If you accidentally make a mistake while doing some detective work, your backup acts as your fail safe.
You can restore your site back to the point where you started and continue investigating from there as if nothing else happened. If you don’t have a current backup solution, you ought to take a look at some options.
Once you have your backup, you can do some detective work and check for backdoors by looking for some telltale signs.
A Bug’s Birth Announcement
First and foremost, try to find announcements of recent vulnerabilities in the WordPress core, plugins or themes from either the developers themselves or from security blogs such as the ones on the WordFence and Sucuri sites. You could also sign up for email updates such as for our own WhiP newsletter to get notified of any recent security issues.
You could also check out the WordPress Trac site for open tickets relating to any plugins or themes you have installed as well as for WordPress itself.
If you see information about a vulnerability that could relate to you, look into it and see if there’s a solution.
Does Your Site Look Hacked?
In the event you don’t find anything, try clearing your cache and cookies, then visiting your site. If you’re like me and you don’t want to live without your passwords being automatically saved to the login forms on all the sites you visit, you can use a different browser or open an incognito tab in Chrome.
If there’s a message letting you know it’s not safe to proceed to the site, then that’s your first clue.
This could be a case of your SSL certificate not working properly. If you see a yellow or red padlock next to the URL in your browser’s address bar, click on it to see the specific error message.
If your certificate has expired or invalid, it could be an issue with your SSL certificate that can be fixed. Our post How to Use SSL and HTTPS with WordPress has details on what to do to solve certificate errors.
If you see an error message warning you that the certificate isn’t trusted or you don’t have SSL encryption installed, then you may have been hacked. The next step in your investigation would be to try to look through your site and see if you see any spam in your comments, but especially in your posts or pages.
Also, try visiting one of your posts and copy the link. Open Facebook and paste the link into the status form. Instead of posting the link, wait for the site preview to load. If the description looks like spam, then a hacker has placed it into your site’s header script.
Checking for Ghost Users
Even if you find spam all over your site, your detective work isn’t over yet. Go to Users > All Users in your admin dashboard.
At the top of the page, look at the total number of admin or super admin users you should have, then look for them on the list.
If there’s at least one extra admin account that’s not on the list, then you have a backdoor exploit.
Take the image on the left for example, if (2) is shown next to Super Admins, but there’s only one listed on the page, then the hacker has created an extra hidden user.
Be sure to also check the total number of users displayed at the top with all the users on the list. The hacker may have created an account with a different user role as to not arouse suspicion. Even is this is the case, the backdoor could still grant them access to everything.
You can also try logging into the admin dashboard. If this isn’t possible even if you try recovering your password, then that’s another sign you have been hacked.
There’s one last place you need to check and that’s in your site’s files.
In cPanel, go to Files > File Manager and check the files you have listed as a part of your site against the WordPress Files list in the Codex. If you see anything that isn’t supposed to be there, view the file’s contents safely by clicking on the file on the list, then selecting Edit at the top of the page.
View the code in the file. If you see a script that doesn’t look familiar to WordPress, you have likely found a backdoor. You may be able to tell by looking for a line that looks similar to eval($_POST['hacker-key']); or eval(base64_decode("hacker-key")); where hacker-key is a string of letters, numbers and characters. These can be signs of a hacked site and a backdoor.
In some cases, this kind of code may be used in plugins, for example, but most of the time, it’s a sign of a hacked site. These kinds of code let a hacker inject scripts into your site.
Delete the backdoor file and search for any other like it. Hackers often place many of these among your regular files so there’s more of a chance you miss one and leave it for them to use later.
Now, download a fresh copy of WordPress to your computer from WordPress.org. Extract it and compare each clean file to the files in your public-facing site. If you see any major differences, upload a fresh copy of the file to your server while replacing the old one.
You should also do this with all the plugin and theme files as well.
Conducting a Search via SSH
I know, searching through each any every file is tedious, to say the least, and there’s an easier way which is to conduct a search of your site via SSH. (A search warrant isn’t required.)
Please keep in mind that the commands below may not work for all SSH clients or all types of servers so if it doesn’t work for you, check out your SSH client’s documentation or the official site for your server-type.
Once you’re logged into your favorite SSH client like Terminal for Mac or PuTTY for Windows, you can search for possible problem files with a command similar to this one:
This will check all PHP files in your site that have been modified in the last 30 days. Just be sure to replace /path/to/your-site with the actual path to your site as you probably can imagine. You can also change php to a different file extension to search more thoroughly.
Once you find files that have been modified, sift through the list and find ones that you know you didn’t modify yourself and make a note of them, Once you have a complete list, you can search each of these files for malicious code.
Go to the directory the first file is in on your list with the cd ~/folder-name/ command, where folder-name is the name of the directory the file is in. Then, enter vi name.php to view the file’s contents. Don’t forget to replace name with the real name of the file.
From here, you can compare the file with a fresh one to see if any changes have been made. If needed, you can edit the file and enter :wp to save and quit. You can also quit with :q and delete the entire file by entering rm -rf name.php and replacing name with the actual file’s name.
If you noticed that there’s an extra admin account that’s not actually listed with a username in your back end, you can find the hidden account or user in your database.
Log into your phpMyAdmin account and click your site’s database from the list on the left, then click on the wp_users table. A list of the user accounts should load for you.
Check if any of the accounts shouldn’t be there. If you find one, click the Delete button to remove it. If not, click the wp_sitemeta table on the left since you need to check each of the user’s data that’s listed for signs of tampering.
Check the site_admins field and look for an unknown username listed. If you have a hidden admin account created by a hacker, you should see something similar to this:
The hacker part would be any admin username you don’t recognize. To get rid of the admin account, click Edit next to the site_admin field and delete the portion that the hacker added until it looks similar to the example below:
If you already had more than one admin account, and there was an extra one tagged along, then you can safely delete the i:1;s:6:"hacker"; portion of the field, keeping in mind that the hacker username may be different.
Once you have made the changes you need, make sure Save is selected in the drop-down box at the bottom of the page and click the Go button. The hacker’s account is gone, but you should still
The hacker’s account would be gone at this point, but you should still do a thorough check on your site since there are other changes the hacker could have made.
The Roadrunner’s Quickest Solution
All these search tips aren’t an exhaustive list of files and code you should look out for, plus it’s an exhausting task. Be ready to clear your day.
For most people, this just won’t do and that’s why using a plugin to do the searching for you can be of enormous help here. You can scroll down for a list of plugins and you can pick the one you’re most comfortable with to install on your site.
Doing a Clean Sweep of Your Site
Sure, these steps help to clean your site, but sometimes the best way to really be sure the backdoor exploit is gone is by just starting fresh. If you delete everything and start over from scratch, you can rest easy knowing your site is hacker and backdoor-free.
These are the easiest and best options, but you could also use plugins to clean your site quickly if these options just aren’t possible for you.
Make Quick Work of Cleaning
Using a plugin to search your site for traces of a hacker is the best and easiest option if you need to keep your site otherwise intact. Here are some excellent plugins you can choose from to automatically search your site and notify you of any changes.
If the plugin detects something fishy, it should let you know and even offer to fix it for you.
These free and premium plugins should work great on both single and Multisite installations of WordPress. They’re also updated frequently to ensure you site stays secure.
Once installed and activated, you can run a scan and see if there are any files that aren’t a part of the WordPress core. You can also see which core files on your site are different when compared to a clean copy.
You can see what files have been corrupted first hand on either you single WordPress install or on all the sites in your Multisite network. When you activate Defender network-wide, you won’t have to worry about manually checking all your subsites after you have checked your main one.
This plugin is also easy to install and configure. It also tells you how you can up your game and smack down security threats. In a few clicks, your site or network’s security can be hardened and prepared to block future attacks.
The best part is if you’re currently a WPMU DEV member, Defender is already included in your subscription. If you’re not a member yet, you can try out Defender and all WPMU DEV plugins and themes for free with our 14-day trial.
The Sucuri Security plugin can check your site for malware and hacks, then clean your site so it’s good as new. It also includes a lot of comprehensive features such as an SSL certificate, firewall protection as well as protection against new incoming threats.
iThemes Security can detect and clean up corrupted files in a couple clicks and it can also protect you from new attacks including ones of the brute force variety.
You can also increase the overall security of your site with cool features such as hiding the standard login page, changing the WordPress security keys and the option to bundle full site backups.
It’s a premium plugin that’s also Multisite compatible so you can protect your entire network. If you would like to give it a test drive, you can download it for free (with some limitations) from the WordPress plugin repository or check out our iThemes Security review of the free version.
BulletProof Security is a free plugin that can scan your files for issues and quarantine them so the rest of your site doesn’t go kablooey before you can fix the problem. It also does a great job of protecting your site and includes firewall protection.
It’s Multisite compatible and is incredibly easy to set up. The setup could even be considered as being easier than installing it – and adding it to your site is as straightforward as most other plugins.
This plugin is free and it doesn’t have a premium version so you can be sure that you’re not going to be limited when it comes to functionality. As the name suggests, it includes firewall protection and also protects both your site’s files and database.
It can scan your site for threats and also protect you from the latest threats. It checks for changes in your files and database while also notifying you if changes were detected. All in One WP Security and Firewall does a great job of protecting your site, but it may be at its best when installed on a clean site, although, if you disagree, please let me know why you love it for cleaning up a hacked site in the comments below.
This plugin is as easy to install as any typical plugin, but it’s best for single WordPress installs.
Shield WordPress Security is a free plugin that includes protection from the latest threats and also includes a firewall. Its settings are also easy peasy so you won’t have to worry about accidentally breaking your site by accident.
The cool thing about this plugin is that it’s also a spam-fighting, automatic-updating machine. You won’t have to worry about installing separate plugins for spam comment blocking or for automating updates since having too many plugins on your site can cause it to be slow.
It’s best to use this plugin on single installs of WordPress, but it sure does install easily.
Keeping Your Site Secure
Once your site is all cleaned up and your hacker’s out of there without a trace, it’s still important to keep an eye on your site regularly to make sure your site isn’t hacked again.
Apart from keeping your site, the trusted themes and plugins you’re using updated regularly, you should install a security plugin if you haven’t already. It can automatically check your site on a regular basis and notify you and even block incoming threats.
Once you have a security plugin installed, you shouldn’t have to worry about hackers breaking into your site again, ghost or otherwise.
Have you ever been hacked and was it with a backdoor exploit or something else? Have you been able to recover after being hacked? What did you do? What do you consider to be your best tips on cleaning your site and detecting a backdoor exploit? Feel free to share your experience in the comments below.