27 Jul 2023
Finding a hack file or backdoor among the 1500 to 3500 files that typically power a WordPress website may seem impossible.
Searching for a needle in a haystack
When your website contains vulnerabilities that allow bots to upload files to your server, they prefer to spread those files as inconspicuously as possible. They may target upload directories that are several levels deep from the root.
Hack files are often placed in PHP format among your other files, using different filenames and tricks each time. This requires knowledge and experience to locate these files.
I can give you some tips on how I do it, but my other tips will remain “trade secrets.”
Method 1 – Finding hack files by modification & creation date
Files added via a bot often have a different timestamp than the rest of your files. In 99% of cases, they are added after the start of your website. As your website becomes more popular, the chances of it being found by bots that deploy harmful files increase. Pay attention to the modification or creation date.
Method 2 – What doesn’t belong in WordPress?
Spot the differences. I can recall about 80% of all the files that should be in WordPress. So, when I see an options.php, model.php, or 312.php where it shouldn’t be, I know there’s an issue, and I check the code before pressing delete.
Method 3 – Scanning the code in the files
I have various scanning methods that can automatically or manually inspect multiple files simultaneously. With these scans, I search for:
- frames
- base64
- eval
- cookie
- inject
- p.a.c.k.e.d
- display: none / visibility: hidden
- And more
Method 4 – Searching in the database
Using a program and the usual server tools, I search the MySQL database for backdoors, unauthorized users, hidden content, and more.
Method 5 – Google Webmaster Tools
Google Webmaster Tools often alerts you first when a website contains malware and phishing files. Valuable information can be obtained from there to help tackle the hack.
These are some of the methods I use. There are many more, and each website requires its unique approach to find a hack. Websites with more than 10 plugins may require checks in unexpected places. Old server software or open servers may require different approaches.
In general, websites are thoroughly examined and evaluated first, followed by increasingly refined searches to identify and remove all threats, ultimately securing the website.
Note: Removing a spam script, malware syntax, or frame is just the beginning. The ultimate goal is to patch the vulnerability and secure the website.
