Protect Your WordPress Website From Hackers

There is no disputing the popularity of WordPress. As the leading CMS platform available (more than 70 million websites depend on WordPress), it is also under constant attack from hackers. Many of us have learned the hard way about just how vulnerable the CMS giant can be. If you run a large website or multiple websites with WordPress, it is likely you have been hacked or compromised at some point. Even if you were hacked before and managed to fix it, the threat may still be there silently waiting to attack again. This can happen by means of “backdoors” created by the original hacker.

My WordPress website was hacked AGAIN!

As I just mentioned, when your WordPress site gets hacked again after you successfully fended off a previous attack, it’s usually because of a backdoor created by the hacker. Backdoors give hackers access to your website and files by bypassing the normal authentication procedures, without you even knowing they are there. In this article, I’ll try to explain what a backdoor is, how to find it and hopefully how to remove it from your WordPress website.

What is a backdoor?

We’ve all seen the movies where the criminal eludes the law by slipping out the backdoor. Hackers use this same type of method except in reverse. They’re not trying to get away – they’re trying to get in. Hackers can access your site remotely without you even realizing it – all thanks to “backdoors.” When your site is attacked or compromised, the backdoor is usually the first thing uploaded to your site. Even if you manage to find and delete any malware or malicious code, the previously uploaded backdoor allows the hacker to gain access again and again. Backdoors are meant to be tricky and hard to find. They can even remain after upgrading your website or theme – leaving your site vulnerable to future attacks until you clean it out completely.

Some backdoors simply allow the hacker to create an admin account, usually hidden so you can’t see it even though it’s there. More complex backdoors allow hackers to execute code, send emails from your server, run SQL queries, and more.

Where should I look for a backdoor?

Even if you find the backdoor, hackers have learned to create backup copies that hide safely in common WordPress files, places you’d never look at or suspect. More advanced hackers can disguise a backdoor to look just like a regular WordPress file. With all of that said, these are the 5 most common places to look for a backdoor:

  1. Plugins – Hackers love to hide code in plugins. Hackers know that many of us don’t like upgrading plugins. A large majority of us think, “Why fix something that isn’t broken when in all actuality the update may only break my site anyway?” And with thousands and thousands of free plugins available, hackers know many of them are vulnerable and easy to hack.
  2. Themes – Beware of that inactive theme in your directory. Hackers can plant a backdoor in one of the themes in your directory. Not using it? Get rid of it.
  3. Media Uploads Directories – Are your media files set to the default setting? The default setting organizes uploads by month and year, which creates more opportunities for hackers to gain access. This is because of the many different folders needed to accommodate the default setting. Hackers know we will rarely look through all of those folders, which in their eyes makes them a perfect place to inject their sneaky little hacks.
  4. wp-config.php File – WordPress installs this file as a default. It’s without a doubt one of the first files to be targeted by hackers and therefore should be one of the first places you should look.
  5. The Includes folder – Another default installed by WordPress is the Includes folder (wp-includes). Hacks are commonly found here as well, simply because – when is the last time you checked this folder?
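
As an added example for item 3 (not code from the original article): the uploads tree should hold only media, so a defender can walk every month/year folder and list anything that looks like PHP, by extension or by content. The function name, the extension list and the 4096-byte read limit are assumptions made for this sketch.

```python
import os
import sys
from pathlib import Path

# Extensions a PHP-enabled web server may execute (assumed list, adjust to your host).
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

def find_php_in_uploads(uploads_dir):
    """Return sorted (relative_path, reason) pairs for files that look like PHP.

    Every hit in an uploads folder deserves a manual look before deleting it.
    """
    root = Path(uploads_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            # Check every suffix so a name like "photo.php.jpg" is reported too.
            suffixes = {s.lower() for s in path.suffixes}
            if suffixes & PHP_EXTENSIONS:
                findings.append((rel, "php extension"))
                continue
            # Content check: a media file should not contain a PHP open tag.
            # Only the first 4096 bytes are read to keep the scan fast.
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if b"<?php" in head.lower():
                findings.append((rel, "php open tag in content"))
    return sorted(findings)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for rel, reason in find_php_in_uploads(target):
        print(f"{reason}: {rel}")
```
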

So, how do I clean up my hacked WordPress site?

First of all, and I can’t say this enough, KEEP YOUR VERSION OF WORDPRESS UP-TO-DATE! WordPress knows that hackers love to find vulnerabilities in their software and they are always updating with newer versions in an attempt to keep the hackers out. Like I said, if you are worried about your WordPress site being hacked, keep it up-to-date. Do you even feel sorry for a webmaster who has been hacked when he/she is running WordPress version 2.9?

So your WordPress is up-to-date, now you can try these steps:

  1. Install a malware scanner plugin. There are good free and paid plugins available. I recommend Smart Security Tools from CodeCanyon, but searching “malware scanner” on WordPress.org will also deliver several free options. Note: many free plugins generate a lot of false positives, and unless you know exactly what you are looking for it can be overwhelming. False positives can push you to delete code that you actually need, leaving you with another new headache.
  2. Delete inactive themes. Throw those inactive themes in the trash! We already covered why inactive themes are no good.
  3. Delete and reinstall all plugins. Sure it’s annoying and time-consuming, but doing so will clear out any vulnerabilities in the folders. Before deleting and installing your new plugins, it’s recommended that you create a backup of your site using WordPress Backup & Clone Master or search free plugins on WordPress.org.
  4. Create a clean .htaccess file. A new .htaccess file will clear out any sneaky redirect codes placed by hackers. The .htaccess file will recreate itself once it is deleted.
  5. Download a fresh copy of WordPress. Once you have a fresh copy of WordPress you can open up your current wp-config.php file and the new one in Notepad++ (or any other text editor) and compare your current copy with the new one. If there’s anything suspicious in your current version – delete it.
  6. Restore your site. If all else fails, or just to be absolutely certain there are no hacks or malicious code on your site, you can always delete it and restore to an earlier date. This option isn’t for everyone because all updates you have made since that point will be deleted. But as a last resort and when all else has failed, at least you’ll have a clean slate again.
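
The fresh-copy comparison in step 5 can be extended from wp-config.php to every core file. This is an added example, not code from the original article: it hashes both trees and reports files that were modified, files that exist only on the live site, and files that are missing. It assumes the fresh copy is the same WordPress version as the live site; the function names and skip lists are assumptions for this sketch.

```python
import hashlib
import os
import sys
from pathlib import Path

# Paths that legitimately differ from a fresh download (assumed lists).
SKIP_DIRS = {"wp-content"}                 # themes, plugins, uploads: review separately
SKIP_FILES = {"wp-config.php", ".htaccess"}  # root-level site files: compare by hand

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def core_files(root):
    """Map relative path -> SHA-256 for every core file under root."""
    root = Path(root)
    hashes = {}
    for dirpath, dirs, files in os.walk(root):
        if Path(dirpath) == root:
            # Prune skipped top-level directories so os.walk never enters them.
            dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if rel not in SKIP_FILES:
                hashes[rel] = sha256_of(full)
    return hashes

def compare_core(live_root, fresh_root):
    """Return core files modified, extra or missing on the live site."""
    live, fresh = core_files(live_root), core_files(fresh_root)
    return {
        "modified": sorted(p for p in live if p in fresh and live[p] != fresh[p]),
        "extra": sorted(p for p in live if p not in fresh),
        "missing": sorted(p for p in fresh if p not in live),
    }

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <live_root> <fresh_root>
        for kind, paths in compare_core(sys.argv[1], sys.argv[2]).items():
            for p in paths:
                print(f"{kind}: {p}")
```

Anything reported as "modified" or "extra" under wp-admin or wp-includes should be inspected and replaced from the fresh copy rather than edited in place.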

Future steps you can take:

  1. Update your admin username and password. Create a new username and password with Administrator rights and delete the old one.
  2. Install the Limit Login Attempts plugin. It’s not foolproof, but it will limit the number of attempts a hacker has to get in.
  3. Password protect the wp-admin directory. You can do this by going to your website hosting control panel. cPanel users can accomplish this with just a few simple clicks. Contact your host or do a search if you do not know how to password protect your folders.
  4. Create regular backups. Back up your site regularly so that you will always have a hacker-free version ready.

Take securing your WordPress site seriously. A hacker can slip right in and effectively end your online blog or business in no time flat. I hope this article helps protect some of you. Let me know in the comments below what you think should be added to this list.
