How to Find and Remove a Backdoor from a Hacked WordPress website

Mar 19, 2020 | website security, WordPress, Wordpress Security

Backdoors are most commonly used to hack a website, which is often combined with other harmful pages or links. If your site contains a backdoor, your website is likely to contain other malicious programs such as spam pages, spam links, phishing, or malware redirects. Hacked WordPress website contains backdoors that allow the hacker to enter the website.

No matter what kind of backdoor you find on your WordPress website, the question is: how did it get there? Your site may have other types of malware or security vulnerabilities that allow the attacker to access the website. Hackers often add multiple backdoors, some similar, some different. Therefore, it is important to look at the whole website.

In this article, you will learn all about the backdoor, what is it, how to find a backdoor, and how to remove a backdoor from a hacked WordPress website?

What is a Backdoor?

Backdoor is just a way for hackers to avoid basic authentication and access the WordPress website server to hack it. Unauthorized and constant access remains undetected, as it is usually added as a malicious code that is discreetly hidden somewhere on the website. The malicious backdoor is the first thing hackers do when they manage to use brute force. Even if you can find the infected file or plugin and remove it from your website, hackers can still access the server again. Backdoors allow hackers to inject malicious code on the WordPress website.

Types of Backdoors

You don’t even know if your WordPress website has a backdoor unless the hacker takes your site down or does the damage to the website. A smart hacker uses the server instead of the website to send spam. There are three types of backdoors that hackers use on a WordPress website.

  • Simple backdoors are the one line shortcodes that are a bit difficult to find.
  • Complex backdoors are the multi-line codes that are easy to find if you know your website code. But most of the time, hackers create a very hard code that a malware scanner can’t find.
  • CMS explicit backdoors are the ones that hackers create specifically for the content management systems. 

What Causes the WordPress Backdoor Hack?

WordPress website is very easy to manage and organize, but some vulnerabilities and lack of security precautions can lead to the hacked WordPress website. The following are some of the reasons that cause a WordPress backdoor hack.

  • Weak login credentials.
  • Outdated WordPress installation.
  • Outdated or vulnerable theme or plugin.
  • Weak file permissions exposing sensitive files.
  • Lack of firewall and necessary security measures.
  • Sharing a server with an infected website that might infect your website as well.

How to Find Backdoor on a Hacked WordPress Website

Start the process by finding the backdoor on a hacked WordPress website. Look for the malicious backdoor codes hidden in the following locations.

Wp-config.php file

Wp-config.php is the most important file in your WordPress installation. It contains detailed information about connecting to the database and some installation options. Hackers love to malicious backdoor on the wp-config.php file. The PHP file is the very first place where you have to look for the backdoor.


Plugins are the best place for hackers to hide malicious codes on the website because users don’t use it often. Many WordPress users don’t update the plugins or use the poorly coded plugin that makes it vulnerable.


You may have many themes on your WordPress website. Old and inactive themes are the safe spots for hackers to hide the code without your knowledge. It is highly recommended to remove the inactive themes from the website.

Uploads directory

As a WordPress user, you just upload the image on the directory and use it in the post or page and never look again in the upload directory. So, that makes it easy for the hackers to add the backdoor in the upload directory. It doesn’t grab your attention because the code will hide with so many media files. These codes do not affect the upload directory because the directory is writable. 

WP includes folder

Some hackers always leave more backdoor codes on the WordPress website. After they add one code, they try to add another backup code to guarantee their access. WordPress users don’t bother to look into the wp-includes folder, which makes it vulnerable if you don’t have a security plugin.

How to Remove a Backdoor from a WordPress Website

A vulnerable theme, plugin, or outdated installation can allow a hacker to authenticate and create a backdoor. Even after you’ve cleared the mess and updated everything, the backdoor can still be used to re-enter the web site. You’re still vulnerable to new hacking attempts if you don’t remove the backdoor.

Scan the website and its database

Scan the website and the database to find any suspicious code. Use trusted security plugin like Sucuri to scan you WordPress website for malware. The plugin will help you find the backdoor and also help you remove it from the website. There are many security plugins for WordPress, most of them only scan the website for vulnerabilities. Scan and search every part of the website for any malware.

Take backup

After scanning the website, take a backup to avoid any breakdown during the malware or backdoor removal. There are many backup plugins that you can use, such as Updraft Plus, VaultPress, Backup Buddy, and many more. These plugins help you create a backup of your WordPress website and its database. You should always back up your website, so if anything happens to it, you will be able to fix it and restore the backup from the safe point.

Delete all inactive themes and plugins

It is not wise to keep the inactive themes on your website. I mean what’s the point of having them anyway, if you are not using it, then simply delete them. Even the default themes are not worth keeping. After you remove the inactive themes, scan your website again to see if it was the culprit having a backdoor. And make sure to use a secure WordPress theme for your website.

Also, delete the inactive plugins because they also create vulnerabilities and even take the bandwidth for no reason. If deleting inactive plugins remove the backdoor, then it is great. Otherwise, delete all the plugins and install the fresh copy again to see if it solves the problem. Always use a well known and popular plugin on your WordPress website.

Inspect the uploads directory

You know that only the media files are in the media directory. Although scanning hundreds of files in the upload directory can be tedious, you should be very careful when checking PHP files that may be hidden in this folder. Malicious codes are usually installed in these PHP files, which hackers hide here because many users don’t check the upload directory files regularly. And when you find the unnecessary file, remove it from the directory.

Fix wp-config.php file

The wp-config.php is not even safe from malware. You can try to detect malicious codes by comparing your file with the wp-config-sample.php file. Comparing the files will help you identify the suspicious code and when you find it delete it. If you are unsure how to remove the malicious from the file, then get help from the expert to remove the malware.

Final Words

WordPress website security should the most important for every website owner. Take all precautionary measures and add a security plugin to secure your WordPress website from hackers. Hackers use your webserver to send spam, redirect your website to the unusual websites, which leads to the blacklisting by major search engines and anti-virus systems. This damages both the website reputation and its credibility.