How to Find and Fix the Backdoor in Hacked WordPress

How to Find and Fix the Backdoor in Hacked WordPress

If your website gets hacked in one day, you can easily bring it back to the normal situation using the latest backup file. However, what if the site is hacked again in the next day? This is possible if you fail to clean the backdoor properly, from which the hackers can get back into your site without much hassle.

In this case, we’d like to come out some tips about how to find and fix the backdoor after you fixing the hacking issues of your WordPress site, finishing the recovery practice in a thorough manner.

General Knowledge about Backdoor

To put it simply, the backdoor can be regarded as a hacking method used by hackers to bypass the common authentication of your website, with which these bad guys can access your back-end and server without being detected, create the username that is hidden for hackers, execute the PHP code and SQL queries and many more.

Besides, once the backdoor is uploaded into your site, it can hardly be found and removed even if you delete some breached plugins or make the update of your whole site. Unless you find the true mess and clean the backdoor thoroughly, hackers can still gain the access and your site is always vulnerable to the potential dangers.

How to Find and Fix the Backdoor

BackdoorFor all the cases we know, the WordPress backdoor simply looks like a file. To clean up the backdoor, you just need to remove the file. The process is easy, but the hard part is where to find this kind of suspicious file which is stored in a random directory or folder.

Here, we have listed all the common locations that the backdoor can be installed on your WordPress site, along with some other methods to deal with the WordPress backdoor.

Check the Files of Your WordPress Plugins

The plugin folder is the first target you should check. After all, hackers need to find the exploit for the uploading of backdoor files, and plugins are the best options. To check this part, you should go through the following steps.

  • Check your plugin folder using the File Manage or FTP account to figure out whether there are some strange files stored. Once find, remove them immediately. In earlier days, we have found a PHP file named as index-php.php in this folder. As this should not exist with the normal installation but the index.php file instead, we delete it at once from our site.
  • Delete all the free plugins that are not downloaded from the official WordPress Plugin Directory. After all, you cannot ensure that these plugins are not poorly coded and may have the hidden backdoor files that you do not know.
  • Update the rest plugins that you think are risk-free. Or, it is highly recommended to delete them and install the latest versions from the scratch.

WordPress Plugins

Figure Out Your Website Templates

In fact, the backdoor is usually not in your currently used WordPress theme, but in some inactive ones. After all, many webmasters do not have the habit to update the unused templates, thus, the backdoor files can survive the major upgrades easily.

In this case, once your website is hacked, we sincerely recommend you to remove all the inactive themes, including the default and classic WordPress themes. Even, you do not need to check out the theme files to figure out the suspicious targets. Just remove them to eliminate the potential attacks.

Check the wp-config.php File

This is the configuration file for your WordPress site, which is highly targeted by bad guys. To figure out whether this file is uploaded with the backdoor, you simply need to compare it with the default WordPress configuration file. If there is something strange and out of the box, you need to get rid of it at once.

Check Your Upload Directory

We can confirm that more than 99% of you will never check the upload directory. After all, you just upload the images, videos, audios and many other media into this directory, and use them in your posts and pages. After that, none of you will go back to check this directory.

In this case, hackers are likely to upload the backdoor in your upload directory, and have it buried among hundreds or even thousands of files for media.

As for how to check the upload directory, it is time-consuming to figure out the files one by one, especially when your site is a large one. Due to this, we highly recommend you to run the following command.

Command to Check Upload Directory

Here, you need to know the fact that this directory is for media files, so it is strange to find a PHP file. Once fine one, it is likely to be the backing backdoor.

Upload Directory

Check the wp-includes Folder

This is another common folder used for hackers to upload the backdoor. In the earlier days, we have checked a website owned by one of our loyal readers, and have found a strange wp-user.php file in the wp-includes folder. But in the common situation, there is only the user.php file available, so this suspicious file must be the backdoor that needs to be removed.

Another example is that you may find the PHP files for a plugin or a template with the right file names. However, you need to know that these files can only be found in the wp-content folder. If they are in this folder, they must be deleted.

Also, it is possible for you to find some odd PHP files, such as database.php and php6.php. In most cases, these files contain the base64 coding that may add bad webpages to your site, insert spam links to your blog posts, redirect your homepage to some spam pages and many other bad operations.

Make Use of the Sucuri Plugin

To be frank, fixing the backdoor simply requires you to make some clicks of your mouse, but the hard part is how to find it. The above-mentioned locations are commonly used by hackers, but we cannot ensure that the other parts of your site are risk-free.

In this case, we highly recommend you to try the pro version of Sucuri, which has some techniques for the detection of the hacking backdoor.


  • This tool has a large White List that contains all the core files for WordPress and the popular plugins and templates. Therefore, it can figure out whether these files are added and modified in a right way, leaving no chances for hackers to upload the backdoor.
  • There is also a Black List available, which contains thousands of backdoors and the suspicious variations. In this case, once your site is scanned using this tool, the available backdoor can be detected easily.
  • If the hacker inserts a new backdoor that fails to be reported into the Black List, Sucuri will start the anomaly check automatically. Then, all the strange files can be analyzed and inspected to figure out whether they are the backdoor for the hacking practice.

Restart Your WordPress Site

This is the last recommended method for the fixing of the backdoor. If you want to be ensured that your website is 100% secure, with no backdoor and vulnerabilities, you can just delete your current site and start it with a new installation of WordPress.

This may not be suitable for all the webmasters, but once you decide to do it, do not forget to have a full backup of your website content in advance, in the case of data loss due to some unexpected situations.