Now you already know what a back door is and where it might appear if you don’t kindly refer to our previous post to find out. Then you can start looking for back door files. Clearing back doors is as simple as deleting files or code, but it is difficult to find back door files. Use some WordPress malware scanning plugins to help find them.
Also, use Exploit Scanner, but be aware that the plugin also uses base64 and eval encoding, so sometimes a lot of false positives are generated. If you are not a plugin developer, it is really difficult to find the malicious code from thousands of lines of code. So, the easiest way is to delete the entire directory of the plugin directly, and then download and install it again. Unless a lot of time can be put into looking at the code, this is the only way.
Search upload directory
Some scanning plugins can find rogue files in the upload directory, but if familiar with SSH, then only the following line of code is needed.
find uploads -name "* .php" -print
There is no reason for the .php file in the upload folder. This folder is used to store media files. If .php files appear, they must be deleted.
Delete unused themes
As mentioned in the previous post, unused themes often become hiding places for back doors. The best way is to delete these themes, including the default theme.
.htaccess file
Sometimes redirect codes are added here. Just delete this file, the system will automatically regenerate a copy. If it is not automatically generated, go to the “Settings”-“Permalink” in the administrator background and click the “Save” button to recreate a .htaccess file.
wp-config.php file
Compare this file with the default wp-config-sample.php. If any differences are detected, just delete those codes.
Scan for vulnerabilities and SPAM in the database
Smart hackers will never have only one security point. They will create many. Targeting the database is very easy, they can store malicious PHP functions, new administrator accounts, spam links, etc. in the database. Yes, sometimes you will not see the administrator user on the user’s page. For example, if you see that the total number shows 3 users, but you can only see 2 on the list, then it is very likely that your website is hacked.
If you don’t know how to deal with database problems, then these scanning plugins can help you. Exploit Scanner or Sucuri (paid version) can do it for you.
Think it’s all cleaned up? Think again!
Don’t think you ’re done, use browser ’s incognito mode to check if the site has really been cleaned. Sometimes, these hackers are very smart, they will not show the hacker attack to the logged-in user, only visitors who are not logged in can see it. It is best to try to change the user-agent of the browser to Google. Sometimes, hackers just want to target search engines. If everything looks ok, then congratulations, the website repair is over.
FYI: To be 100% sure that there is no malicious code left on the website, then please delete the website directly and restore it to a point in time that has not been hacked (so regular backup is important, off-site backup is important) This may not be for everyone, so think twice.
1 Comment