How to Clean a Hacked WordPress Site

Sucuri Security
Website Security News
Jan 2, 2018

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked WordPress sites.

Backdoors are often embedded in files that are named similarly to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like /themes, /plugins, and /uploads.

Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file

These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions.

The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official WordPress repository.
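As an added example (not Sucuri's tooling or code from the original guide), the sketch below walks a WordPress tree and lists PHP files that call the functions named above, so each hit can be reviewed by hand before anything is removed. The names `scan_tree`, `demo` and `SAMPLE` are hypothetical and the sample files are constructed. It assumes "base64" means `base64_decode`, handles only quoted `preg_replace` patterns with a repeated delimiter, and treats any PHP file under an `uploads` directory as worth a look.

```python
import re
import tempfile
from pathlib import Path

# Names from the list above; "base64" is matched as base64_decode (assumption).
SUSPECT = ["base64_decode", "str_rot13", "gzuncompress", "eval", "exec",
           "system", "assert", "stripslashes", "move_uploaded_file"]
# The lookbehind skips methods ($db->exec), variables and longer names (curl_exec).
CALL_RE = re.compile(r"(?<![\w>$:])(" + "|".join(SUSPECT) + r")\s*\(", re.I)
# preg_replace whose quoted pattern ends in modifiers containing "e", e.g. '/x/e'.
PREG_E_RE = re.compile(
    r"(?i:preg_replace)\s*\(\s*(['\"])(.)(?:(?!\1).)*\2[a-zA-Z]*e[a-zA-Z]*\1", re.S)

def scan_tree(root):
    """Map each PHP file worth manual review to the sorted reasons it was flagged."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        reasons = {m.group(1).lower() for m in CALL_RE.finditer(text)}
        if PREG_E_RE.search(text):
            reasons.add("preg_replace /e")
        rel = path.relative_to(root)
        if "uploads" in rel.parts:  # heuristic: uploads normally holds media
            reasons.add("php under uploads")
        if reasons:
            findings[rel.as_posix()] = sorted(reasons)
    return findings

# Constructed sample files, not taken from a real infection.
SAMPLE = {
    "wp-content/uploads/2018/01/wp-cache.php":
        "<?php eval(gzuncompress(base64_decode('CONSTRUCTED')));",
    "wp-content/themes/demo/functions.php":
        "<?php $t = stripslashes($_GET['q']); $db->exec($t); curl_exec($ch);",
    "wp-content/plugins/old/filter.php":
        "<?php echo preg_replace('/(.*)/e', $callback, $title);",
    "wp-content/plugins/ok/ok.php": "<?php echo preg_replace('/e+/', '', $name);",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

A hit such as the lone `stripslashes` in the theme file is a lead for review, not a verdict.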

To successfully clean a WordPress hack, it is critical that all backdoors are closed; otherwise, your site will be reinfected quickly.

Continue reading the full version of this guide.

Originally published at sucuri.net on January 2, 2018.
