WordPress Backdoor Found in Files Fix. PHP Shell & Webshell
What Is Actually Breaking: The Backdoor Mechanism
When you discover a WordPress backdoor or webshell, it means an attacker has successfully gained persistent remote access to your server. This isn't just a simple infection; it's a dedicated access point, often a malicious PHP file, designed to allow the hacker to execute arbitrary code, modify files, steal data, or escalate privileges at will. Think of it as a hidden administrative interface only the attacker can use.
The core problem is that a legitimate PHP process on your server is now executing code that was placed there by an unauthorized party. This code bypasses WordPress’s normal authentication and authorization layers, giving the attacker direct control over your site’s files and, often, the underlying server.
CAUSE 01
Compromised Credentials & Direct Upload
The most direct route: an attacker gained access to your WordPress admin, FTP, or hosting control panel (cPanel, Plesk, etc.) credentials. With these, they simply upload a malicious PHP file, often disguised as a legitimate image or theme file, directly into an accessible directory like wp-content/uploads/ or wp-content/themes/your-theme/. This immediately establishes a backdoor shell on the site.
CAUSE 02
Vulnerable Plugin or Theme Exploitation
A critical vulnerability (e.g., arbitrary file upload, remote code execution) in an outdated or poorly coded plugin or theme provides the entry point. The attacker exploits this flaw to upload their PHP shell without needing any login credentials. Common targets include file manager plugins, gallery plugins, or any component that handles file uploads without proper validation. The result is a backdoor sitting inside plugin or theme files.
CAUSE 03
Infected Core Files or Other Compromises
Less common but more insidious, an attacker might inject malicious code directly into WordPress core files (e.g., wp-config.php, files within wp-includes/, or wp-admin/). This can happen if the server itself is compromised, or via a chained exploit. These injections are designed to be stealthy, often obfuscated, and re-create themselves if deleted, making them a persistent backdoor inside wp-includes/ or wp-content/.
How To Confirm a WordPress Backdoor or Webshell
Identifying a backdoor requires a deep dive into your site's file system and database. Generic "site scans" often miss sophisticated backdoors. You need to look for specific indicators of compromise (IOCs).
What you see → What this points to technically
- New, strange files in wp-content/uploads/ or theme folders → Likely a webshell dropped into uploads, or a file placed via an exploited vulnerability. Look for .php files disguised as images (e.g., image.jpg.php) and for names such as shell.php, wp-cache.php, wp-config-backup.php, wp-v.php, up.php, or an index.php with unusual content.
- Unexpected code in legitimate files (e.g., wp-config.php, functions.php) → Indicates direct file modification, often a small snippet that loads a larger, hidden backdoor. Check for eval(, base64_decode(, gzinflate(, str_rot13(, preg_replace('/.*/e', ...), or assert( near the top or bottom of files, especially wp-config.php and the theme's functions.php.
- New, unknown admin users appearing after deletion → A strong sign of a persistent backdoor that lets the attacker re-create users: either the backdoor itself is still active or a cron job is re-creating the user. See our guide on WordPress Unknown Admin User Created by Hacker.
- Files with recent modification dates that you didn't touch → Attackers often modify files to inject their backdoors. Use ls -laRt on Linux to find recently changed files in critical directories such as wp-content/, wp-includes/, and the site root.
Fixing a WordPress Backdoor: A Step-by-Step Guide
Removing a backdoor is a meticulous process. A single missed file or database entry means the hacker will be back. Follow these steps carefully.
Immediately Isolate Your Site
Before doing anything else, prevent further damage and block the attacker's current access. Put your site into maintenance mode and, if possible, restrict all external access to your WordPress admin and server via your firewall or .htaccess, allowing only your IP address. This buys you time to work without active interference.
# Example .htaccess rule to block all IPs except yours (Apache 2.2 syntax)
Order deny,allow
Deny from all
Allow from YOUR_IP_ADDRESS
✓ ~5 minutes. Critical first step to prevent further compromise. On Apache 2.4 the equivalent is a single Require ip YOUR_IP_ADDRESS directive; the Order/Deny/Allow form only works there if mod_access_compat is loaded.
Identify Recently Modified or Suspicious Files
Attackers often leave clues in file modification timestamps. Connect via SSH and list files by modification date. Pay close attention to files in wp-content/uploads/, wp-content/themes/, wp-content/plugins/, and the root directory. Look for unfamiliar PHP files, or legitimate files with very recent modification dates that you didn't change.
find . -type f -mtime -7 -ls
✓ ~15-30 minutes. Focus on files changed in the last 7 days. Look for files like shell.php, wp-v.php, cache.php, or files with random names.
Scan for Malicious Code Patterns (PHP Backdoors)
Use command-line tools like grep to search for common backdoor signatures within your PHP files. Look for heavily obfuscated code or functions commonly used in webshells. This is how you find backdoor code hidden inside otherwise legitimate files.
grep -rE "eval\(base64_decode|shell_exec|system\(|passthru\(|exec\(|assert\(|preg_replace\s*\(\s*['\"]\/.*\/e['\"]" /path/to/your/wordpress
✓ ~30-60 minutes. This command searches for common obfuscation and execution functions. Review each hit carefully; not all uses are malicious, but many are.
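The indicator table and the grep above check for the same handful of things: PHP where it does not belong (uploads), image names with a trailing .php, images that actually carry PHP, and execution or obfuscation calls inside PHP source. The following script is an added example written for this article (not WebFixHQ's tooling) that automates those checks over a directory tree. The sample tree, the function names (scan_file, scan_tree, build_sample_tree, run_demo) and the planted file contents are all constructed for the demo; the planted snippets are inert stand-ins, not real shells.

```python
"""Added example: a small indicator scanner for a WordPress tree (not WebFixHQ's code)."""
import os
import re
import tempfile
from pathlib import Path

# Execution and obfuscation primitives that webshells rely on (mirrors the grep above).
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|shell_exec|system|passthru|exec|popen|proc_open)\s*\("
    r"|\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|\bpreg_replace\s*\(\s*['\"]/.*?/[A-Za-z]*e[A-Za-z]*['\"]",
    re.IGNORECASE,
)
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp"}
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")


def scan_file(path, root):
    """Return the reasons a file looks suspicious (an empty list means nothing was found)."""
    rel = path.relative_to(root).as_posix()
    suffixes = [s.lower() for s in path.suffixes]
    data = path.read_bytes()
    is_php = bool(suffixes) and suffixes[-1] in PHP_EXTS
    reasons = []

    # 1. WordPress never needs executable PHP inside the uploads directory.
    if is_php and rel.startswith("wp-content/uploads/"):
        reasons.append("PHP file inside wp-content/uploads/")
    # 2. image.jpg.php style double extensions.
    if is_php and len(suffixes) > 1 and suffixes[-2] in IMAGE_EXTS:
        reasons.append("image extension followed by .php (disguised shell)")
    # 3. An "image" whose bytes contain a PHP open tag (polyglot upload).
    if suffixes and suffixes[-1] in IMAGE_EXTS and PHP_OPEN_TAG.search(data):
        reasons.append("image file contains a PHP open tag")
    # 4. Execution / obfuscation calls in anything that contains PHP.
    if is_php or PHP_OPEN_TAG.search(data):
        text = data.decode("utf-8", errors="replace")
        hits = sorted({m.group(0).split("(")[0].strip().lower()
                       for m in SUSPICIOUS_CALLS.finditer(text)})
        if hits:
            reasons.append("suspicious calls: " + ", ".join(hits))
    return reasons


def scan_tree(root):
    """Walk the tree and map relative path -> reasons for every flagged file."""
    root = Path(root)
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            reasons = scan_file(path, root)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(base):
    """Constructed sample tree: one clean core file plus planted indicators.
    The planted contents are inert stand-ins, not real shells."""
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = 'X.Y';\n",
        "wp-content/uploads/2024/03/image.jpg.php": "<?php /* planted */ echo 'hello';\n",
        "wp-content/uploads/2024/03/photo.jpg": b"\xff\xd8\xff\xe0 fake-jpeg <?php echo 1; ?>",
        "wp-content/themes/mytheme/functions.php":
            "<?php\nadd_action('init', 'mytheme_setup');\n"
            "@eval(base64_decode('aGVsbG8='));  // planted: decodes to 'hello'\n",
        "wp-content/plugins/cache-helper/cache.php":
            "<?php preg_replace('/.*/e', 'x', '');  // planted /e modifier\n",
    }
    for rel, body in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(body, str):
            path.write_text(body)
        else:
            path.write_bytes(body)
    return Path(base)


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rel, reasons in sorted(run_demo().items()):
        print(rel)
        for reason in reasons:
            print("   -", reason)
```

Point scan_tree at a real install root to use it outside the demo. As the article says about the grep, every hit still needs a human look: legitimate plugins do call base64_decode, so the value of the scan is in the combination of signals (location, extension, content) rather than any single match.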
Replace All Core, Plugin, and Theme Files with Clean Versions
This is non-negotiable for a thorough cleanup. Download fresh copies of WordPress, all your themes, and all your plugins from trusted sources (WordPress.org, theme/plugin developers). Delete the compromised files on your server and upload the clean versions. Do NOT just overwrite; delete first to ensure no lingering malicious code remains. This removes backdoors hidden in plugin and theme files.
✓ ~1-2 hours. Back up your wp-config.php and wp-content/uploads before deleting, but review both before restoring them: uploads is the most common place a shell is dropped, so any .php file in it is a red flag. Re-uploading clean files is crucial.
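Before and after replacing core files it helps to know exactly which shipped files differ from the release. WordPress.org publishes a per-version MD5 manifest for core (the api.wordpress.org endpoint used below is real), and WP-CLI's wp core verify-checksums performs the same comparison. The script below is an added example written for this article, not WebFixHQ's or WordPress's own code: it compares a tree with such a manifest and reports modified, missing and unexpected files. The function names, the sample tree and the manifest built from it are constructed for the demo so it runs offline; unexpected-file detection is deliberately limited to wp-admin/ and wp-includes/, because the site root and wp-content/ legitimately hold files that are not part of the release.

```python
"""Added example: verify core files against a checksum manifest (not WebFixHQ's code)."""
import hashlib
import json
import os
import tempfile
import urllib.request
from pathlib import Path

# Only these directories should contain nothing but manifest files.  The site
# root holds wp-config.php/.htaccess and wp-content holds site-specific files,
# so "unexpected file" checks are limited to the core directories.
CORE_DIRS = ("wp-admin/", "wp-includes/")


def md5_of(path):
    """Hex MD5 of a file, read in chunks (the WordPress manifest uses MD5)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_official_checksums(version, locale="en_US"):
    """Download {relative_path: md5} for a released version (needs network)."""
    url = ("https://api.wordpress.org/core/checksums/1.0/"
           f"?version={version}&locale={locale}")
    with urllib.request.urlopen(url, timeout=30) as resp:
        payload = json.load(resp)
    if not payload or not payload.get("checksums"):
        raise ValueError(f"no checksums published for WordPress {version} ({locale})")
    return payload["checksums"]


def verify_core(root, checksums):
    """Compare a tree with a manifest.  Returns sorted lists of modified files,
    missing files, and files under the core directories that the manifest lacks."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in checksums.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif md5_of(path) != expected:
            report["modified"].append(rel)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if rel.startswith(CORE_DIRS) and rel not in checksums:
                report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def run_demo():
    """Constructed scenario: clean install -> manifest -> three tamperings -> report."""
    base = Path(tempfile.mkdtemp())
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = 'X.Y';\n",
        "wp-includes/load.php": "<?php function wp_load_stub() {}\n",
        "wp-admin/index.php": "<?php echo 'dashboard';\n",
    }
    for rel, body in clean.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    manifest = {rel: md5_of(base / rel) for rel in clean}  # stands in for the API result

    # Tamper: inject into a core file, drop an extra file into wp-includes, delete a core file.
    (base / "wp-includes/load.php").write_text(clean["wp-includes/load.php"] + "/* planted */\n")
    (base / "wp-includes/wp-v.php").write_text("<?php /* planted, absent from manifest */\n")
    (base / "wp-admin/index.php").unlink()
    # A theme file is site-specific and must not be reported as unexpected.
    theme = base / "wp-content/themes/mytheme/style.css"
    theme.parent.mkdir(parents=True)
    theme.write_text("/* Theme Name: mytheme */\n")
    return verify_core(base, manifest)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

For a real site, call fetch_official_checksums with the version from wp-includes/version.php and pass the result to verify_core on the install root. Anything in "modified" or "unexpected" is what the delete-then-reupload step above must remove; plugins and themes have no public manifest, so for those the clean-copy replacement remains the only reliable check.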
Database Inspection and Cleanup
Backdoors can also reside in your database, often injecting malicious scripts into wp_options (e.g., active_plugins, siteurl, home, or custom options) or creating new, hidden admin users. Check for unusual entries in wp_options or any unexpected users in wp_users. If you find unknown admin users, refer to our guide on WordPress Unknown Admin User Created by Hacker. Also, check for injected scripts in post content or comments.
SELECT * FROM wp_options WHERE option_value LIKE '%base64_decode%' OR option_value LIKE '%eval(%';
✓ ~30-60 minutes. Be extremely careful when modifying database entries. Export your database first.
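The SELECT above covers wp_options; a complete database pass also needs to list every account that actually holds the administrator role (which lives in wp_usermeta, not wp_users) and to confirm that siteurl and home still point at your own domain. The script below is an added example written for this article, not WebFixHQ's tooling. It runs those queries against an in-memory SQLite copy of three WordPress tables filled with constructed rows; the injected values are inert stand-ins and planted.invalid is a reserved placeholder domain. The same SQL runs unchanged on MySQL, except that the table prefix and the capabilities meta_key follow your install's prefix (wp_ is assumed here).

```python
"""Added example: database persistence checks for a WordPress cleanup (not WebFixHQ's code)."""
import sqlite3

# Roles are stored in wp_usermeta as a serialized PHP array under '<prefix>capabilities'.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""

# The article's SELECT on wp_options, widened to injected <script> tags.
OPTIONS_QUERY = """
SELECT option_name, option_value
FROM wp_options
WHERE option_value LIKE '%base64_decode%'
   OR option_value LIKE '%eval(%'
   OR option_value LIKE '%<script%'
ORDER BY option_name
"""


def suspicious_options(conn):
    """Names of options whose value carries an execution or script payload."""
    return [row[0] for row in conn.execute(OPTIONS_QUERY)]


def admin_logins(conn):
    """Every login that holds the administrator role, in ID order."""
    return [row[1] for row in conn.execute(ADMIN_QUERY)]


def unknown_admins(conn, known_logins):
    """Administrators that are not on the owner's list of accounts."""
    known = set(known_logins)
    return [login for login in admin_logins(conn) if login not in known]


def url_mismatches(conn, expected_url):
    """siteurl/home rows that no longer point at the site (a common injection)."""
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home') ORDER BY option_name")
    return [(name, value) for name, value in rows if value != expected_url]


def build_sample_db():
    """Constructed sample database; the injected rows are inert stand-ins."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                             option_value TEXT, autoload TEXT);
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                           user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                              meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)", [
        ("siteurl", "https://example.com", "yes"),
        ("home", "https://planted.invalid", "yes"),  # planted redirect
        ("blogname", "My Site", "yes"),
        ("widget_text", '<div>hi</div><script src="https://planted.invalid/x.js"></script>', "yes"),
        ("_transient_cache_helper", "eval(base64_decode('aGVsbG8='))", "no"),  # decodes to 'hello'
    ])
    conn.executemany(
        "INSERT INTO wp_users (ID, user_login, user_email, user_registered) VALUES (?, ?, ?, ?)", [
        (1, "owner", "owner@example.com", "2021-01-10 09:00:00"),
        (2, "editor", "editor@example.com", "2022-03-04 10:00:00"),
        (3, "wp-support", "nobody@planted.invalid", "2024-03-15 03:12:44"),  # planted account
    ])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("suspicious options:", suspicious_options(db))
    print("unknown admins:", unknown_admins(db, ["owner"]))
    print("url mismatches:", url_mismatches(db, "https://example.com"))
```

The user_registered column in the admin query is worth keeping in the output: an administrator created at an odd hour close to the file modification times found earlier is usually the account the backdoor re-creates, and its creation time narrows down which log lines to read when identifying the entry point.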
Secure Your Environment & Prevent Re-infection
Change all passwords: WordPress admin, database, FTP, SSH, and hosting control panel. Review user accounts for any unauthorized additions. Update file permissions to secure levels (e.g., 644 for files, 755 for directories). Implement a Web Application Firewall (WAF) and consider a security plugin. Without these steps, the hacker will likely get back in. See WordPress Hackers Keep Getting Back In After Cleanup for more on preventing re-infection.
✓ ~30 minutes. This is crucial for long-term security. Don't skip this.
Our Process: How WebFixHQ Eliminates Backdoors
At WebFixHQ, we don't just run a scanner and delete files. Our senior engineers perform a deep, forensic analysis to ensure every trace of the backdoor and its entry point is identified and neutralized. Here's what our process involves:
- Full Server-Side Scan & Forensics: We start with a comprehensive scan of your entire hosting environment, not just WordPress files. We analyze server access logs, error logs, and audit logs to pinpoint the exact time and method of compromise. This helps us understand if the attack vector was a vulnerable plugin, compromised credentials, or a server-level exploit.
- Manual Code Review & Signature Analysis: Our engineers manually review suspicious files, looking for obfuscated PHP, known webshell signatures (like C99, R57, WSO shells), and custom backdoors that automated scanners often miss. We meticulously check core WordPress files, themes, and plugins for injected code, especially in critical areas like wp-config.php, functions.php, and .htaccess.
- Database Integrity Check: We examine your WordPress database for malicious entries, including injected scripts in options, posts, comments, and unexpected new user accounts. We cross-reference these with known attack patterns to ensure no hidden persistence mechanisms remain.
- Entry Point Identification & Patching: The most critical step is identifying how the backdoor was initially placed. Was it a zero-day exploit? A vulnerable plugin? Weak credentials? We identify the vulnerability, patch it, and recommend immediate updates or replacements to prevent future re-infection. This often involves specific hardening measures for your server and WordPress installation.
- Post-Cleanup Hardening & Monitoring: After cleanup, we implement robust security measures, including strong password policies, file permission adjustments, and recommendations for Web Application Firewalls (WAFs) and security plugins. We also provide guidance on ongoing monitoring to detect any future suspicious activity.
Backdoor Still Active? We'll Remove It.
Our senior WordPress engineers specialize in deep forensic cleanup of even the most persistent backdoors and webshells.
Frequently Asked Questions About WordPress Backdoors