WordPress websites can be some of the most vulnerable for getting hacked because of the popularity of the platform. Most of the time when people reach out for help, it’s because their site was hacked once, they fixed it–and then it was hacked again.
“Why did my WordPress website get hacked again after I fixed it?”
When your WordPress site gets hacked for a second time, it’s usually due to a backdoor created by the hacker. This backdoor allows the hacker to bypass the normal procedures for getting into your site, getting authentication without you realizing. In this article, I’ll explain how to find the backdoor and fix it in your WordPress website.
So, what’s a backdoor?
A “backdoor” is a term referring to the method of bypassing normal authentication to get into your site, thereby accessing your site remotely without you even realizing. If a hacker is smart, this is the first thing that gets uploaded when your site is attacked. This allows the hacker to have access again in the future even after you find the malware and remove it. Unfortunately, backdoors usually survive site upgrades, so the site is vulnerable until you clean it completely.
Backdoors may be simple, allowing a user only to create a hidden admin user account. Others are more complex, allowing the hacker to execute codes sent from a browser. Others have an entire user interface (a “UI”) that gives them the ability to send emails from your server, create SQL queries, etc.
Where is the backdoor located?
For WordPress websites, backdoors are commonly located in the following places:
1. Plugins – Plugins, especially out-dated ones, are an excellent place for hackers to hide code. Why? Firstly, because people often don’t think to log into their site to check updates. Two, even if they do, people don’t like upgrading plugins, because it takes time. It can also sometimes break functionality on a site. Thirdly, because there are tens of thousands of free plugins, some of them are easy to hack into to begin with.
2. Themes – It’s not so much the active theme you’re using but the other ones stored in your Themes folder that can open your site to vulnerabilities. Hackers can plant a backdoor in one of the themes in your directory.
3. Media Uploads Directories – Most people have their media files set to the default, to create directories for image files based on months and years. This creates many different folders for images to be uploaded to–and many opportunities for hackers to be able to plant something within those folders. Because you’d rarely ever check through all of those folders, you wouldn’t find the suspicious malware.
4. wp-config.php File – this is one of the default files installed with WordPress. It’s one of the first places to look when you’ve had an attack, because it’s one of the most common files to be hit by hackers.
5. The Includes folder – Yet another common directory because it’s automatically installed with WordPress, but who checks this folder regularly?
Hackers also sometimes plant backups to their backdoors. So while you may clean out one backdoor… there may be others living on your server, nested away safely in a directory you never look at. Smart hackers also disguise the backdoor to look like a regular WordPress file.
What can you do to clean up a hacked WordPress site?
After reading this, you might guess that WordPress is the most insecure type of website you can have. Actually, the latest version of WordPress has no known vulnerabilities. WordPress is constantly updating their software, largely due to fixing vulnerabilities when a hacker finds a way in. So, by keeping your version of WordPress up to date, you can help prevent it from being hacked.
Next, you can try these steps:
1. You can install malware scanner WordPress plugins, either free or paid plugins. You can do a search for “malware scanner WordPress plugin” to find several options. Some of the free ones can scan and generate false positives, so it can be hard to know what’s actually suspicious unless you’re the developer of the plugin itself.
2. Delete inactive themes. Get rid of any inactive themes that you’re not using, for reasons mentioned above.
3. Delete all plugins and reinstall them. This can be time-consuming, but it wipes out any vulnerabilities in the plugins folders. It’s a good idea to first create a backup of your site (there are free and paid backup plugins for WordPress) before you start deleting and reinstalling.
4. Create a fresh .htaccess file. Sometimes a hacker will plant redirect codes in the .htaccess file. You can delete the file, and it will recreate itself. If it doesn’t recreate itself, you can manually do that by going to the WordPress admin panel and clicking Settings >> Permalinks. When you save the permalinks settings, it will recreate the .htaccess file.
5. Download a fresh copy of WordPress and compare the wp-config.php file from the fresh version to the one in your directory. If there’s anything suspicious in your current version, delete it.
6. Lastly, to be completely sure your site has no hack (outside of using paid monitoring services), you can delete your site and restore it to a date that the hack wasn’t there from your hosting control panel. This will delete any updates you’ve made to your site after that date, so it’s not a great option for everyone. But at least it cleans you out and provides peace of mind.
In the future, you can:
1. Update your admin username and password. Create a new user with Administrator capabilities, then delete the old one you were using.
2. Install a plugin to limit login attempts. This will keep someone locked out after a certain amount of attempts to get in.
3. Password protect the WP-admin directory. This would be done through your website hosting control panel. If your hosting company uses cPanel, this is easily done with a couple clicks. Contact your host to figure out how to password-protect a directory or do a search for it on your hosting company’s website.
4. Create regular backups. By backing up your site regularly, you know you’ll have a copy to restore the site with if it would get hacked. There are free and paid plugins available to help with this, or you may be able to create a backup of the entire account from your hosting control panel. Or, though slower but still an option, you can download the entire site via FTP software.
When it comes to security, it helps to take it seriously. Backing up your site is one of the best things to do, because your hosting company may not do this for you. Some may offer backups/restore features if you activate them, and some may create random backups every few weeks. But you don’t want to rely on the host because this is not in their scope of services. To be more certain, you can use paid malware monitoring services and plugins to be able to watch your site so you don’t have to worry about it.