How to Scan Backdoors of Your Hacked WordPress Site?

Are you looking for a Backdoor scanner?

Finding out that your website is hacked is a terrible thing. Once your site is compromised, hackers use it to execute malicious activities or redirect your visitors to their website. Not just that, when Google finds out about your hacked site, it blacklists your site and even your hosting provider suspends it.

Clearly, getting your website hacked once is hard enough, getting it hacked over and over is a nightmare. You are not alone in this. Of the hundreds and thousands of hacked WordPress sites that we have investigated in the past decade, over 75% had at least one backdoor installed on them. In this article, we will explain how to scan malware and find backdoors on your website.

TL;DR: If you have backdoors and are looking to just clean the infection and fix the site, you can install our WordPress Backdoor Removal (MalCare). It’ll instantly clean your site and get it back up and running in no time.

Why Do Hackers Create Backdoors?

Studies reveal that vulnerabilities in plugins are a major reason why WordPress websites are hacked. After gaining access to your website, hackers quietly install a backdoor which is nothing but a malicious code. Backdoors are small and hidden and it grants hackers an entry point to the site in the future. They also make sure that the backdoors are really difficult to find.

Why Are Backdoors So Hard to Find?

It can be located anywhere on the website, from your WordPress files to your database. It’s designed in a way that makes it hard to identify and can easily be confused as a non-malicious code. There can be more than one backdoor on a website and finding them manually is like looking for a needle in a haystack.

Finding a hidden backdoor is like looking for a needle in a haystack. Only a very powerful scanner can plunge its hands deep enough to find it. Click To Tweet

How to find malware and backdoors on a WordPress website?

As mentioned above backdoors are complex and tend to be well hidden. Hence we need very powerful tools to identify these backdoors. We can try and do manual scanning. This may save some money, but there is a high chance that we will miss some of them. Even if we miss one, the hacker will exploit it to reinfect your site, bringing you back to square one. Besides, the hacker may have left behind other types of malware. Identifying and removing the backdoors alone won’t make your website hack-free.

On top of all this, there are chances of making mistakes. When you consider all these, scanning and cleaning backdoors should better be handled by a security plugin. Now, the next step is to choose a good WordPress security plugin.

backdoor malware
Example of a backdoor found on one of our client websites.

The whole point of injecting backdoors is so that hackers can sneak into your site undetected. They take extra care to hide the backdoor, making it really difficult to locate or even identify them. Only a powerful malware scanner can find hidden backdoors.

Hackers are always looking for vulnerable websites that they can break into and exploit. If you suspect that your website is hacked and infected with a backdoor, you need to fix your website immediately. You can use a security plugin to fix your site.

A WordPress security plugin performs 3 basic tasks – scanning, cleaning, and prevention. But not all plugins scan, clean, or protect the same way. Some do a better job than the others. In the next section, we’ll show you a powerful malware scanner and cleaner using which you can scan and clean backdoors.

Using a Backdoor Scanner

If you are searching for a really good backdoor scanner, look into how they are scanning. Some scanners only skim through the site looking for known malware or backdoors, and others go deep looking for new, complex, and hidden malware. A deep scanner like MalCare goes above and beyond looking for hidden malware. The scanner analyses the pattern of codes and checks its behavior to identify if a code is malicious or not. This ensures that they are not marking any good code as a backdoor, which is something many security plugins do. Let’s see how the website scanner performs –

To scan a hacked WordPress site, install the active security plugin. Then add your site to the MalCare dashboard. The tool will start its first scan, which may take a while. But once the process is complete, it’ll notify you if the scanner has detected malware. Backdoors are a form of malware.

MalCare not only scans for backdoors but also detects all other malware that could be present on your site.

MalCare backdoor scanner
151 hacked files (both backdoors & malware) we found on a website by MalCare’s powerful scanner.

After all malware and backdoors are detected, the next obvious step is to remove them.

Generally, to clean a hacked website, you’ll need to get in touch with the security plugin provider and give them wp-admin access to your website. To be honest, it’s not the best way to go about solving this issue. Giving access to a stranger is never a good idea from a security standpoint. Moreover, most security plugins take something between 24 hours a few days to remove malicious codes from your website. It’s in your best interest to clean your website at the earliest before Google gets a chance to blacklist your site.

If you are seeking to remove backdoors instantly, MalCare is your best bet. It offers a WordPress malware removal which you can initiate yourself by selecting Auto Clean. Within a few minutes, it removes all backdoor and malware without you having to break a sweat.

MalCare's backdoor removal
Backdoors can be removed with MalCare’s one-click malware removal.

Preventing Future Backdoor Hacks

Removing the backdoor is a temporary solution. Your website can be hacked again, and someone can inject a backdoor into your website, which will cause the same problems all over again. The key to breaking this cycle is to find out how your website is being hacked and then fix it.

Three things could have caused the hack –

  1. Vulnerable plugins & themes
  2. Web host was hacked
  3. Using weak credentials

1. Remove plugins & themes

You must have noticed how frequently plugins and themes receive updates. Updates help improve performance, add new features, and most importantly fix bugs or security issues. The frequency of updates can be hard to keep up with, especially for those running dozens of websites. If there is a security flaw in the plugin or theme, and you failed to update it, it leaves your site vulnerable to hackers (recommended read – WordPress updates). Update all your themes and plugins right away.Also scan your site themes and plugins regularly for malware. In the future, it’s better to make a habit of updating your website once or twice every week. If that’s a bit too much for you to handle, then consider hiring a WordPress management service.

If you are using a premium theme or plugin which you downloaded illegally for free, remove it. Avoid using illegal software as a general rule of thumb because most of them are infected with malware which hackers can utilize to gain control over your website.

2. Check with your hosting provider

Most of us think that hosting providers are hack-proof. That’s not true. Web hosts take the best measures and follow good practices, but they are not hack-proof. It’s not common to read about well-known hosting providers suffering a security breach, but it may happen. In 2018, a German hosting provider called Hetzner was hacked twice. In the same year, Daniel’s Hosting, a popular provider, suffered the same fate. The bottom line is a breach on the hosting provider’s end could have granted hacked access to your website. We’d suggest you check with your web host.

3. Use strong credentials

In 2018, Kanye West made headlines in the IT security world for a good reason. During a meeting with the US President, he was recorded on camera unlocking his smartphone with the code 000000. The internet blew up with the story!

Most of us see complex credentials as an obstacle because it’s hard to remember. But weak credentials make hacking your smartphone (or in this case, a website) a piece of cake. As a website admin, you should use a unique username and strong passwords. You can also implement a strong password policy where users of your website can’t use a weak password.

Besides these, you can also take a few more security measures like moving your site from HTTP to HTTPS, installing a security plugin, protecting the login page, etc.


We really hope our guide was able to help you out and show you how to take preventive measures. If you’re thinking of taking better security measures for your WordPress site, you can check our WordPress Security guide here.

Sophia Lawrence,

Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap