Finding and Fixing a Backdoor in a Hacked WordPress Site


What is a Backdoor?

First, let us agree on what a backdoor is. It is a method a hacker uses to bypass normal authentication on a website so that he can access the server while remaining undetected. This is what most smart hackers do: they upload a backdoor first, so that even if you remove the breached plugin, the hacker can still regain access. Worse still, even if you upgrade, the backdoor remains, leaving your site open to further hacking. Until you clean up the mess for good, the system stays vulnerable. So how do you clean up the mess for good?

How a Hacker uses a Backdoor to Exploit your System

A backdoor lets a hacker create a hidden admin username so he or she can access the system. A more complex backdoor lets the hacker run any PHP code sent from the browser. Things get worse with a backdoor that features a full-fledged user interface, which lets a hacker send emails that appear to come from the server, run SQL queries, and do anything else a hacker might think of. A hacker exploits a system by installing a backdoor in themes, plugins, the uploads directory, the wp-includes folder, or wp-config.php. Hackers install the backdoor in old and inactive themes so it survives updates. People don't upgrade plugins often, and some plugins are coded poorly; this makes plugins a likely place for a hacker to hide a backdoor. The post "How to hack a WordPress site" shows how hackers normally do this; it is written for developers so they can be careful when installing or upgrading a plugin.

How to Clean Up Backdoor for Good

In most cases, backdoors are disguised to resemble a WordPress file. Check the wp-includes folder: a wp-user.php there is a backdoor, since it doesn't exist in a normal install (only user.php does). In the uploads folder, a file named hello.php is a backdoor disguised as the Hello Dolly plugin. A backdoor can also use names like wp-content.old.tmp, php5.php or data.php; a file containing PHP code does not have to end in .php. It can even be a .zip file. The code is typically base64-encoded and performs all manner of hacking operations, including redirecting the main page to spammy sites, adding extra pages, and adding spam links.

The good news is that the current version of WordPress (version 3.4.2) has no known vulnerabilities. Therefore another way to defeat backdoors is to upgrade to the latest version of WordPress available.
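As an added example (not code from the original post), the following read-only script turns the indicators above into a repeatable check: it reports the impostor file names the post lists, PHP code hiding under a non-.php extension, and eval-of-base64 constructs in PHP files. The function name `scan_wp_root` and the indicator list are my own; it assumes a POSIX shell with `find`, `grep` and `sed`.

```shell
#!/bin/sh
# Added defender-side check (not from the original post). Reports only;
# it never deletes anything. Usage: sh scan.sh /var/www/html

# File names the post singles out as not part of a stock WordPress install.
SUSPECT_NAMES='wp-user.php hello.php wp-content.old.tmp php5.php data.php'

# scan_wp_root DIR: print one "TAG path" line per finding.
scan_wp_root() {
    root="$1"

    # 1. Impostor file names anywhere under the root. The post calls out
    #    wp-includes/wp-user.php and uploads/hello.php in particular.
    for name in $SUSPECT_NAMES; do
        find "$root" -type f -name "$name" \
            -exec printf 'SUSPECT-NAME %s\n' {} \; 2>/dev/null
    done

    # 2. PHP code hidden under a non-.php name (the post notes the file
    #    does not have to end in .php). Compressed .zip payloads need
    #    unpacking first; a plain grep only catches uncompressed text.
    find "$root" -type f ! -name '*.php' \
        -exec grep -l '<?php' {} + 2>/dev/null | sed 's/^/PHP-IN-NON-PHP /'

    # 3. Encoded payload execution: eval() fed by base64_decode() is the
    #    base64-encoded backdoor pattern the post describes.
    find "$root" -type f -name '*.php' \
        -exec grep -lE 'eval[[:space:]]*\(.*base64_decode' {} + 2>/dev/null \
        | sed 's/^/EVAL-BASE64 /'
}

# Run against the directory given on the command line, if any.
if [ -n "${1:-}" ]; then
    scan_wp_root "$1"
fi
```

Treat each finding as a lead to inspect by hand, and pair it with a comparison of core files against a known-good copy of the same WordPress version (for example `wp core verify-checksums` from WP-CLI), since a renamed or newly written backdoor will not match this fixed name list.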
