Even after a website has been cleaned, hackers can still log in to its backend through a backdoor. If the site is not cleaned properly, or the admin does not know which files to check, the backdoor left behind still lets the attacker bypass normal authentication. This article shows how to find the backdoor left by the hacker and fix it.
What is a backdoor?
A backdoor is a method of bypassing normal authentication and gaining remote access to the server while remaining undetected. Clever hackers almost always upload a backdoor as soon as they compromise a website, so that even if the site admin deletes the exploited plugin, they can regain access. Backdoors usually survive the upgrade process, so the site can easily be attacked again unless a complete clean-up is carried out.
Some backdoor programs simply let the attacker create hidden administrator accounts, while more complex backdoors allow hackers to execute any PHP code sent from the browser. These have a complete UI, allowing the attacker to use the site's server to send emails, execute SQL queries, and do whatever else they want.
Where is the code hidden?
On a WordPress site, the most likely locations for backdoor programs are the following:
Themes:
The most likely place is a theme that is not in use. The hacker wants the code to survive a core upgrade, so if the site owner keeps other, unused themes installed, the code is likely to be in those theme files. This is why we recommend deleting unused themes.
Plugins:
There are three reasons why hackers choose to hide code in plugins. First, users generally do not look closely at plugin files. Second, users do not like to upgrade plugins, so the backdoor survives. Third, some plugins have problematic code and may contain loopholes of their own.
Upload Directory:
As a blogger, who ever checks the upload directory? Why should I check? Most bloggers just upload some pictures and then reference them in their articles. Thousands of images may be stored in the upload directory, organised by year and month, which lets hackers easily upload backdoors there. The backdoor can hide among a large number of pictures, site owners rarely look here, and most people do not install security monitoring plugins.
Finally, the upload directory is writable, so nothing out of the ordinary is noticed. This makes the upload directory the best destination for most backdoor programs.
wp-config.php:
This is one of the files most frequently targeted by hackers, and it is also the file most people want to check after the website has a problem.
wp-includes folder:
The /wp-includes/ folder is another place where we have found backdoors. Some hackers leave more than one backdoor file: once they have uploaded the first one, they upload another as a backup to make sure they keep access. The wp-includes folder is a place some users never look. In all the cases we found, the backdoor files were disguised to look like native WordPress files.
For example, a backdoor in the /wp-includes/ folder can be disguised under the name wp-user.php (normally, there is no file with this name). There may be a user.php in /wp-includes/, but no file named wp-user.php exists. In another case, a file called hello.php was found in the upload folder, disguised as the Hello Dolly plugin, but why would a plugin appear in the upload folder?
The name of the backdoor may also be something like wp-content.old.tmp, data.php or php5.php, and the name does not have to end in .php, since the file contains PHP code regardless of its extension. It can even be a .zip file. In most cases, these files are base64-encoded and can perform various operations (e.g., add junk links, add extra pages, redirect the main site to junk pages, etc.).
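As an added example (not code from the original article), a small Python scanner that walks a WordPress tree and applies the heuristics described above: PHP code inside wp-content/uploads, PHP hiding behind a non-PHP name such as wp-content.old.tmp, and eval() of a base64- or gzinflate-decoded payload. The file tree it scans is constructed in a temporary directory for the demo; the path prefixes and regexes are assumptions, and a hit is a lead for manual review, not proof of compromise.

```python
import os
import re
import tempfile

# Heuristics from the article: PHP inside uploads, PHP behind a non-PHP extension
# (wp-content.old.tmp, .zip), and eval() of a base64/gzinflate-decoded payload.
PHP_OPEN = re.compile(rb"<\?(php|=)")
OBFUSCATED = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")

def classify(rel_path, data):
    """Return the reasons a file looks like a backdoor (empty list if it looks clean)."""
    rel = rel_path.replace(os.sep, "/").lower()
    has_php = PHP_OPEN.search(data) is not None
    reasons = []
    if has_php and rel.startswith("wp-content/uploads/"):
        reasons.append("PHP code inside wp-content/uploads")
    if has_php and not rel.endswith((".php", ".phtml")):
        reasons.append("PHP code behind a non-PHP file name")
    if OBFUSCATED.search(data):
        reasons.append("eval() of a decoded payload")
    return reasons

def scan(root):
    """Walk a WordPress tree; map relative path -> reasons for every flagged file."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                reasons = classify(rel, fh.read())
            if reasons:
                findings[rel] = reasons
    return findings

def build_sample_site():
    """Constructed WordPress-like tree (not real site data) used to exercise scan()."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-includes/user.php": b"<?php\n// legitimate core-style file\nfunction wp_demo() {}\n",
        "wp-content/uploads/2023/05/photo.jpg": b"\xff\xd8\xff\xe0 plain JPEG bytes",
        "wp-content/uploads/2023/05/hello.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));",
        "wp-includes/wp-content.old.tmp": b"<?php /* hidden */ echo 'x';",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Running `scan(build_sample_site())` flags the uploads hello.php and the .tmp file and leaves the core-style user.php and the JPEG alone; on a real site, compare flagged wp-includes files against a fresh WordPress download before deleting anything.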
Now you may think that WordPress is really insecure if a backdoor can be set up so easily. No, that is wrong! There are no known vulnerabilities in the current version of WordPress, and the backdoor is not the first step in hacking a website; generally speaking, it is the second step. Hackers usually find a vulnerability in a third-party plugin or script, and then gain the permissions needed to upload the backdoor.
Nice content, it really helped me understand more about WordPress site security.