Why do WordPress websites get hacked?
All of these are some of the major reasons for being a WordPress Website hacked.
- Vulnerable WordPress installation
- Outdated WP Core, themes & plugins
- Insecure hosting platform
- Weak password
- Poorly coded plugin
Let’s focus on Backdoors that may be hidden in your system in case you face repeated malicious activity.
WordPress Administrator creator script
If you suspect your previous developer or an insider job, the best place to find the backdoor is your theme & plugin.
This simple script below can create a WordPress administrator account with username as support and password: PassWord just visiting your website like this way.
example.com/?autoupdate=go
This script can hide administrator account support from the user list and decrease total user count by 1!
Webshell Backdoors
Web shell backdoors can be placed anywhere on your website. Most WordPress security plugins can detect only well-known web shells. Here is some location to hide web shells on WordPress website.
WordPress Themes
The majority of hidden web-shells backdoors we found into inactive themes. Because hacker knows that site owner won’t update the theme they don’t use! The site owner’s simple thinking, the inactive theme doesn’t have anything to do with the website, so leave it!. That’s a great mistake. We recommend never to keep an unused theme installed on your website; updates or outdated doesn’t matter.
WP Plugins
Hackers choose plugins to hide backdoor because site owners are sometimes afraid to update plugins that may break the website. Premium plugins are the main target, while pirated plugins are heaven because pirated plugins (premium plugins without a license) can’t be updated!
Upload Directory
Uploads directory is the directory where all user uploaded files such as images; document contents are usually stored. It’s a safe place to hide a web shell because here, don’t risk being deleted by WordPress, theme, or plugin update!
WP-config.php
The wp-config.php file is a popular target. Because this file contains a Database name, usernames, password, hostname, and the first file called WordPress.
wp-includes directory
the wp-includes directory is another place to hide web-shell backdoor because only senior developers and security experts have the courage to touch this directory.
cPanel and SFTP/FTP Backdoor
Not only your WordPress website is hackable, your web hosting control panel is a good place to hide the root of the hack as well.
cPanel hidden contact and password reset email
Check these 2 files under your cPanel home directory if they contain any unknown email:
.contactmail
.contactinfo
Those 2 files should contain your own email address. This email adderess is used to send password reset email and cPanel notification.
Also check .lastlogin file and see if you can recognize the IP address listed there. This is the list of IP addresses being used to access the cPanel.
Don’t forget to reset the cPanel password immediately.
FTP
These days FTP is not a secure protocol anymore. When doing website security hardening and trying to solving a mysterious hack that is coming back again and again, make sure you didn’t have old used FTP accounts. We recommend deleting all FTP account and, if possible, use SFTP with a strong password or use Public Key authentication.
SSH key/SFTP user
Check for authorized SSH keys and SFTP user accounts in your control panel as well. A good place to hide legit backdoor!