What Are Website Backdoors & How to Find Them?

Jun 29, 2018

What Are Website Backdoors & How to Find Them?

Jun 29, 2018

Is your website hacked again even after you’ve cleaned it? Recurring hacks are caused due to backdoors present on your website.

After gaining access to your website, the first thing hackers do is ensure that they can access your site whenever they want to. Hence they plant a type of malware on your website called a backdoor.

As long as a backdoor is present on your site, hackers can keep accessing it whenever he pleases.

Recurring hacks can have a devastating impact on your website. It can slow your site down, drive away visitors, and impact your revenue collection. Moreover, Google and hosting providers take strict action against hacked websites.

Before any of these can happen, you need to remove backdoors from your site.

This type of malware is hidden very well making it hard for a developer or even a scanner to detect it. That is why, in this post, we are going to show you how you can identify backdoors.

What is a Backdoor on a Website?

Backdoors are hidden entry points that offer unrestricted access to your website. It allows hackers to access all your website’s files and folders and it is very important step in hardening websites security..

Backdoors are often hidden so well that even measures like cleaning your website, updating and hardening your site don’t work and backdoors remain on your site.


Different Types of Backdoors

There are three different types of backdoors found on WordPress websites.

    • Complex Backdoors: These are multi-liner codes that could be easy to spot by a trained eye. Such backdoors are complex and relatively easy to distinguish. But sometimes hackers obfuscate the code to make it hard for malware scanners to detect it.


Complex wordpress Backdoors

    • Simple Backdoors: These are one-liner shortcodes that look rather innocent and very difficult to identify.


Simple wordpress Backdoors

    • CMS Specific Backdoors: Hackers tailor their coding according to the CMS or content management systems. They represent a builtin backdoor that are specific only to WordPress and will not be found on any other platform such as Joomla or Drupal.


Why Are Backdoors So Hard to Find?

There are two main reasons why backdoors are hard to detect. Those are:

Backdoors Look Like Normal PHP Codes

Backdoors can be hard to identify because they often look like a normal PHP code. Moreover, hackers can make it obscure so that it goes undetected by scanners. Only a very powerful scanner can comb through all the WordPress files and distinguish a backdoor file from a regular code or file.

Not just that, some functions used in malicious backdoor are also used in plugins. So there’s a good possibility that a scanner may end up marking a good piece of code as a backdoor. Deleting the code could the plugin to malfunction which can break certain functions on your website.

Backdoors Can Be Hidden Anywhere

Backdoors can be a standalone file or short line of code placed inside a valid file.

A WordPress website consists of hundreds of thousands of files and folders. The malicious code can be present anywhere on your website. If you are searching for it manually, you’d have to be familiar with all the files and folders on your website to spot a difference.

That said, there are a few specific locations that hackers are known to hide backdoors and you can learn about that in this section.


How to Find Backdoors in a WordPress Website?

While backdoors can be present anywhere on your website, there are three WordPress folders where backdoor malware is generally found. Those are the plugins folder, themes folder, and the upload folder.

1. Plugins & Themes Folders

One of the biggest highlights of building a website on WordPress is that you can use plugins and themes to design your site to meet your needs. But on the other hand, plugins and themes are also the biggest reason why WordPress sites are hacked.

Like any other software, themes, and plugins develop vulnerabilities. When developers learn about the vulnerabilities, they quickly release a patch via an update. Many website owners skip updates leaving their website vulnerable to a hack attack like brute force attacks, phishing attacks, etc.

When a hacker gains access to your site using a vulnerable theme or plugin, one of the first things they do is create a backdoor in the vulnerable theme or plugin. So if you have outdated software installed on your website, consider investigating them.

How to Investigate Vulnerable Plugins & Themes For Backdoors?

1. Sometimes hackers build a new plugin, inject it with a backdoor and then install it on your website. So if you find a plugin or a theme that you don’t remember installing, remove it.

2. If you are using a pirated theme or plugin, remove it. Pirated software is often infected with malware which is why we strongly advocate not to use nulled WordPress themes and plugins.

3. Backdoors can be hidden in the plugins or themes folder of your WordPress website. You can access the folders by logging into your hosting account.

From your hosting account, go to File Manager > public_html > wp-content and then select plugins/themes folder.

plugins and themes folder in file manager

As we mentioned in the previous section, backdoors can be a few lines of malicious codes sneakily added to your files or it could be a whole new file. You have to be familiar with the files and folders to be able to spot a rogue file or a piece of unfamiliar code.

This is hard and nearly impossible for websites that have a large number of plugins and themes.

Besides the plugins and themes folder, another folder where hackers hide website backdoor is the Uploads folder.

2. Uploads Folder

As the name suggests, the upload folder consists of files uploaded into the website which mainly includes images and pdfs.

Hackers choose to hide backdoors in this particular folder because website owners don’t generally access this folder.

uploads folder in file manager

You can access the folders by logging into your hosting account. From your account, go to File Manager > public_html > wp-content and then select uploads folder.

A very old website will have hundreds and thousands of images and pdfs. It makes it easy to hide malicious files in this specific folder.

Therefore, finding backdoors manually in the upload folder is going to be time-consuming and a very difficult job.

Pro Tip: If you still want to go ahead and try finding backdoors manually, then we recommend taking a complete backup of your website. Download the backup copy on your computer and then investigate the files.

We warn you against fiddling with files and folders of your live website. It’s a risky business. Small mistakes can lead to a broken website.

How To Identify a Backdoor?

For an untrained eye, it’s going to be impossible to spot backdoors. So if you are inclined to scan the folders manually, then we recommend hiring a developer who is familiar with backdoor attacks and WordPress files.

Alternatively, you can use a WordPress malware scanning plugin to investigate your files and detect backdoors within a few minutes.

Found Backdoors? Now What?

After locating backdoors, you’d want to perform malware removal. We have a guide that can help you do just that – How to Remove WordPress Backdoors?


Final Thoughts

Having your WordPress hacked once is bad enough, but to experience it over and over again is a nightmare! Backdoors are not only frustrating, but they are also extremely harmful to your site.

While removing backdoors can ensure your website is safe but there is no guarantee that it’ll remain safe in the future. You have to take measures to ensure that your website is protected from hackers and bots. A security plugin is a perfect tool to help prevent backdoors and protect your website from hack attempts.

A WordPress security plugin like MalCare enables a website firewall to filter out bad traffic. It scans your site on a daily basis and enables users to take site hardening measures. If your website is hacked, MalCare will help clean your website is a jiffy.

Try MalCare Security Plugin Right Now!

backdoor website
Share via
Copy link