Thousands of WordPress websites are being hacked every day. It’s more than 60 thousand, and the number is increasing day by day. Once a website is hacked, there is a high chance that the hackers left some special access code in the application so they can regain access in the future. We often hear from new clients that they cleaned the website themselves but it keeps being hacked repeatedly. In our investigations we found various backdoor scripts and techniques, which we discuss today.
Why do WordPress websites get hacked?
These are some of the major reasons a WordPress website gets hacked.
1. Vulnerable WordPress installation
2. Outdated WP core, themes & plugins
3. Insecure hosting platform
4. Weak passwords
5. Poorly coded design
WordPress administrator creator script
If you suspect your previous developer of the incident, the best place to look for the source of the hack is your theme and plugins. This simple script can create a WordPress administrator account with the username `PassWord` just by visiting your website like this:
example.com/?autoupdate=go
This script can also hide the administrator account `support` from the user list and decrease the total user count by 1!
Webshell backdoors
Web shell backdoors can be placed anywhere on your website. Most WordPress security plugins can detect only well-known web shells. Here are some of the locations where web shells are hidden on WordPress websites.
WordPress themes
The majority of the hidden web-shell backdoors we found were in inactive themes, because the hacker knows that the site owner won’t update a theme they don’t use. The site owner’s reasoning is simple: an inactive theme has nothing to do with the website, so leave it. That is a big mistake. We recommend never keeping an unused theme installed on your website, whether it is up to date or not.
WP plugins
Hackers choose plugins to hide backdoors because site owners are sometimes afraid to update plugins, since an update may break the website. Premium plugins are the main target, and pirated plugins are a haven, because pirated plugins (premium plugins without a license) can’t be updated!
Upload directory
The uploads directory is where all user-uploaded files, such as images and documents, are usually stored. It’s a safe place to hide a web shell because files there run no risk of being deleted by a WordPress, theme, or plugin update!
wp-config.php
The wp-config.php file is a popular target because it contains the database name, username, password, and hostname, and it is the first file loaded by WordPress.
wp-includes directory
The wp-includes directory is another place to hide web-shell backdoors, because only senior developers and security experts have the courage to touch this directory.
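As an added example (not code from the original post), here is a triage scanner in Python that walks a WordPress install and flags PHP files carrying the indicators from the administrator-creator section and from the hiding places above: a WordPress user-creation call sitting next to raw request input, the hooks used to hide an account from the user list and its count, classic web-shell execution and decoding primitives, and any PHP file under wp-content/uploads. The regex patterns, labels and sample paths are constructed heuristics assumed here for illustration, not a complete signature set.

```python
# Added example (not the post's code); patterns are constructed triage heuristics.
import re
from pathlib import Path

# Admin-creator backdoor: a WordPress user-creation call and raw request
# input ($_GET/$_POST/$_REQUEST) in the same file, e.g. a ?autoupdate=go trigger.
ADMIN_CREATOR = (
    re.compile(r"\bwp_(insert|create)_user\s*\(", re.I),
    re.compile(r"\$_(GET|POST|REQUEST)\s*\[", re.I),
)
# Hooks used to hide an account from the Users screen and from its count.
USER_HIDING = re.compile(r"['\"](pre_user_query|views_users)['\"]", re.I)
# Web-shell primitives: code execution and obfuscated-payload decoding.
SHELL_PRIMITIVES = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|"
    r"base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# The media directory should never contain executable PHP.
UPLOADS_DIR = re.compile(r"(^|/)wp-content/uploads/")


def scan_text(rel_path: str, text: str) -> list[str]:
    """Return indicator labels found in one PHP file (empty list means clean)."""
    findings = []
    if all(p.search(text) for p in ADMIN_CREATOR):
        findings.append("admin-creator: user creation driven by request input")
    if USER_HIDING.search(text):
        findings.append("user-hiding: pre_user_query/views_users hook")
    m = SHELL_PRIMITIVES.search(text)
    if m:
        findings.append(f"webshell-primitive: {m.group(1).lower()}(")
    if UPLOADS_DIR.search(rel_path):
        findings.append("php-in-uploads: executable file in media directory")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a WordPress install; map relative path -> findings for flagged files."""
    report = {}
    for php in root.rglob("*.php"):
        rel = php.relative_to(root).as_posix()
        hits = scan_text(rel, php.read_text(errors="replace"))
        if hits:
            report[rel] = hits
    return report


if __name__ == "__main__":
    import sys  # usage: python scan.py /path/to/wordpress
    for path, hits in sorted(scan_tree(Path(sys.argv[1])).items()):
        print(f"{path}: {'; '.join(hits)}")
```

Findings are leads for manual review, not proof of compromise: legitimate plugins also call base64_decode and hook pre_user_query, so compare each hit against a clean copy of the theme or plugin.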
cPanel and SFTP/FTP backdoor
Not only is your WordPress website hackable; your web hosting control panel is also a good place to hide the root of the hack.
cPanel hidden contact and password reset email
Check these two files under your cPanel home directory for any unknown email address:
.contactinfo
Those two files should contain only your own email address. This email address is used to send password reset emails and cPanel notifications. Also check the .lastlogin file and see whether you recognize the IP addresses listed there; this is the list of IP addresses used to access cPanel. Don’t forget to reset the cPanel password immediately.