WORDPRESS BACKDOORS
VULNERABILITIES IN WORDPRESS AND HOW THEY'RE HACKED
What are Backdoors in WordPress?
Let’s start with the basics of what a backdoor is. A backdoor is a hidden way back into a site that bypasses the normal login: a rogue file, a few lines added to a legitimate file, or a hidden administrator account. It is not something left behind by accident; an attacker plants it on purpose after the initial break-in, precisely so that it survives the clean-up that follows.
Backdoors usually live on the server’s file system, placed through a vulnerable plugin, stolen FTP/SFTP credentials, or a hosting file manager. Nothing about them is visible to visitors of the site, which is why they are hard to notice and hard to stop.
Attackers leave a backdoor so they can get back in even after the owner has removed the obvious malware, changed the passwords, and updated the software. This is how a site that looks fully cleaned up can be compromised again within days.
With a backdoor in place an attacker can, among other things:
- Upload further malware to your WordPress site without ever logging in, store it on the server, and use it to redirect visitors to a malicious website.
- Create a hidden WordPress administrator account, or reset the password of an existing one.
- Execute arbitrary PHP code sent to the site through a browser request.
- Harvest user and customer data for spam.
- Host phishing pages on your domain, so that the links in spam emails point at a trusted-looking site rather than at one the attacker owns.
Examples Of PHP Backdoor
Malicious code has repeatedly been found hidden inside WordPress plugins themselves, so that installing or updating the plugin turns the site into one that the plugin’s author, or whoever took the plugin over, can enter without being detected.
• Captcha plugin on 300K WordPress sites could backdoor your system
The WordPress.org repository removed the Captcha plugin over what was first presented as a trademark issue. The real problem was that the plugin’s new owner had shipped an update containing a backdoor that gave them unauthorized administrative access to every site running it.
The backdoor worked by phoning home: the plugin contacted a server controlled by the new owner, downloaded whatever it was told to, and executed it on the site.
Note that this code ran on the web server, not on visitors’ PCs. The update downloaded a ZIP file containing the backdoor and supporting code, unpacked it, and executed it. The ZIP contained a PHP file called plugin-update.php, which is the backdoor itself.
• The backdoor in the Display Widgets plugin affected over 200,000 WordPress sites
A WordPress plugin called Display Widgets shipped with a backdoor built into it and was installed on more than 200,000 sites worldwide, every one of which was open to whoever controlled that backdoor.
Where hackers hide backdoors in WordPress
Part of why attackers succeed is that, once inside, they create a hidden way back in. So where do these entry points usually sit?
WP-Themes:
An attacker who knows what they are doing does not touch the active theme, where a change might be noticed. They put their code in an inactive theme that is still on disk: nobody looks at inactive themes, nothing renders them, and updating the active theme does not touch them, so the code stays hidden. Inactive themes are also usually out of date, so they carry unpatched vulnerabilities of their own.
WP-Plugins:
Plugins are a favourite hiding place for three reasons:
- People rarely inspect plugin code.
- Users put off updating plugins unless they are forced to, so old, known-vulnerable versions linger.
- Sites tend to accumulate plugins that are themselves vulnerable, or that were installed from untrusted sources.
Upload Directory:
Most WordPress users upload a lot of media into the uploads directory and never look at it again. Few of them consider what happens if that directory is used to store something other than media.
An attacker can upload a PHP file disguised as an image, or a file with an image extension that carries PHP code inside it, and hide it among hundreds of legitimate files. If the web server will execute PHP from that directory, the attacker has an easy way in, and because every file there looks like just another upload, it is very hard to spot by eye.
In our experience most site owners also do not run a security plugin that watches for file changes in their WordPress installation, so the new file is never flagged.
Wp-config.php:
One of the most valuable files an attacker can reach is wp-config.php. It holds the database name, user and password, the database host, the authentication salts, and other sensitive settings.
When an attacker exploits a vulnerability in the site, they plant a backdoor so they can regain admin access later, even after the original hole has been fixed. A backdoor placed in wp-config.php is especially hard to detect and especially harmful: the file is loaded on every request, nobody expects it to change, and whoever controls it controls the whole site.
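Because a stock wp-config.php contains nothing but define() calls, the $table_prefix assignment, comments, and a final require_once of wp-settings.php, a useful check is to flag every statement that does not fit that shape. The script below is an added example, not code from the original article or from any vendor; the wp-config.php it scans is a constructed sample with two planted lines, and the allow-list of function names is an assumption you should extend for configs that legitimately call getenv() or read $_SERVER.

```python
"""Flag statements in wp-config.php that a stock configuration never contains.

Added example. The comment/string stripper is deliberately simple: it tracks
quotes so that '//' or '#' inside a password string is not mistaken for a
comment, and so that code hidden after a fake comment marker inside a string
is still inspected.
"""
import re

ALLOWED_CALLS = {"define", "defined", "dirname"}          # assumption: stock config only
CONTROL = {"if", "elseif", "while", "for", "foreach", "switch", "isset", "empty", "unset"}
CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
INCLUDE_KW = re.compile(r"\b(include_once|include|require_once|require)\b")
REQUEST_GLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def strip_comments(source):
    """Yield (line_no, code) with /* */, // and # comments removed, quote-aware."""
    out, in_block = [], False
    for n, raw in enumerate(source.splitlines(), 1):
        code, i, quote = [], 0, None
        while i < len(raw):
            ch = raw[i]
            if in_block:
                end = raw.find("*/", i)
                if end < 0:
                    break
                in_block, i = False, end + 2
            elif quote:                       # inside a string literal
                code.append(ch)
                if ch == "\\" and i + 1 < len(raw):
                    code.append(raw[i + 1])
                    i += 2
                    continue
                if ch == quote:
                    quote = None
                i += 1
            elif ch in ("'", '"'):
                quote = ch
                code.append(ch)
                i += 1
            elif raw.startswith("/*", i):
                in_block, i = True, i + 2
            elif raw.startswith("//", i) or ch == "#":
                break
            else:
                code.append(ch)
                i += 1
        out.append((n, "".join(code)))
    return out


def suspicious_lines(source):
    """Return [(line_no, reason, code)] for every statement outside the stock shape."""
    hits = []
    for n, code in strip_comments(source):
        for name in CALL.findall(code):
            low = name.lower()
            if low not in ALLOWED_CALLS and low not in CONTROL:
                hits.append((n, "call to " + name, code.strip()))
        for kw in INCLUDE_KW.findall(code):
            if not (kw == "require_once" and "wp-settings.php" in code):
                hits.append((n, kw + " of something other than wp-settings.php", code.strip()))
        if REQUEST_GLOBAL.search(code):
            hits.append((n, "reads request data", code.strip()))
        if "`" in code:
            hits.append((n, "backtick shell execution", code.strip()))
    return hits


# Constructed sample: a stock-looking wp-config.php with two planted lines (12 and 16).
SAMPLE_CONFIG = """<?php
/**
 * Constructed sample: a stock wp-config.php with two planted lines.
 */
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'p#ss//word' );   // comment markers inside a string
define( 'DB_HOST', 'localhost' );
define( 'WP_HOME', 'https://example.com' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
@include_once ABSPATH . 'wp-content/uploads/.cache.php';     // planted
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
eval( base64_decode( 'ZWNobyAxOw==' ) );                     // planted
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for line_no, reason, code in suspicious_lines(SAMPLE_CONFIG):
        print(f"line {line_no}: {reason}: {code}")
```

Run it against a real file with `suspicious_lines(open("wp-config.php").read())`. Every hit needs a human look rather than automatic deletion: a hosting provider’s config may legitimately branch on $_SERVER or call getenv(), and those belong in the allow-list for that site. What never belongs there is an include of something under wp-content/uploads or an eval of a decoded string.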
The wp-includes folder:
wp-includes is a core WordPress directory that consists almost entirely of PHP files. Attackers use it for the same reason they use inactive themes: one more PHP file among hundreds, or a few lines appended to an existing one, blends in.
Server-side antivirus can catch known malware, but it has no way to tell a file you uploaded from one an attacker uploaded. A backdoor with an innocuous name and no known signature is not flagged, so antivirus alone is not enough; you need to know which files are supposed to be there and what they are supposed to contain.
Here’s a way to detect and remove backdoors from hacked WordPress blogs
A WordPress hack is unauthorized access to a site, gained and kept without being discovered. The entry point ranges from a vulnerable plugin to an outdated WordPress version. Even when everything has been cleaned up and updated several times over, the attacker can come straight back in through a backdoor that was never found.
Until you close every backdoor, your site stays vulnerable to being hacked again. To protect it, you first need to know how to find them.
For most people the backdoor hides in plain sight as an ordinary-looking file, often named like a WordPress file. Look for files that are not a normal part of a WordPress installation.
A file that is not part of WordPress core, of an installed plugin, or of a theme is a strong sign of compromise. Rogue files also turn up in the uploads folder, and these need to be removed.
The uploads folder is for images, videos and documents, so no .php file should be present there. If you find one, remove it.
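The uploads check above (no PHP in the uploads folder, nothing hiding among the media files) can be automated. The script below is an added example written for this page, not the article’s or any plugin’s code. It walks an uploads tree and flags three things: any PHP extension, including double extensions such as shell.php.jpg; files whose image extension does not match the leading bytes of the file; and image files that contain a PHP open tag anywhere in their body. The sample tree it scans is constructed in a temporary directory so the example runs offline.

```python
"""Scan a WordPress uploads directory for files that should not be there.

Added example. A PHP open tag inside a real JPEG (for instance in EXIF data)
is only dangerous if something includes or executes that file, but it is
still worth a look, so it is reported separately from a plain PHP file.
"""
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
IMAGE_MAGIC = {                      # leading bytes each image type must start with
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),
}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def findings_for_file(path):
    """Return a list of reasons this file is suspicious (empty if it looks fine)."""
    name = os.path.basename(path)
    suffixes = ["." + p for p in name.lower().split(".")[1:]]   # shell.php.jpg -> [.php, .jpg]
    findings = []
    if name == ".htaccess":
        findings.append("htaccess-in-uploads")     # may re-enable PHP execution here
    if any(s in PHP_EXTENSIONS for s in suffixes):
        findings.append("php-extension")
    with open(path, "rb") as fh:
        data = fh.read()
    last = suffixes[-1] if suffixes else ""
    if last in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[last]):
            findings.append("bad-magic")
        if PHP_TAG.search(data):
            findings.append("php-tag-in-image")
    return findings


def scan_uploads(root):
    """Return {relative_path: [findings]} for every suspicious file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            found = findings_for_file(full)
            if found:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return report


def build_sample_uploads():
    """Construct a throwaway uploads tree (sample data, not real site files)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2024", "05")
    os.makedirs(month)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,                    # clean
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,                    # clean
        "shell.php": b"<?php echo 'hello'; ?>",                             # PHP in uploads
        "cat.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,                  # double extension
        "image.gif": b"<?php echo 'hello'; ?>",                             # PHP named as a GIF
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 1; ?>",  # tag inside image
    }
    for fn, body in samples.items():
        with open(os.path.join(month, fn), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_uploads(build_sample_uploads()).items()):
        print(rel, ", ".join(why))
```

Point `scan_uploads()` at wp-content/uploads on a real site. Whatever it finds, the lasting fix is to stop the web server executing PHP from that directory at all (a deny rule for *.php in the uploads location in Apache or nginx), so that a file that slips past the scan cannot be used as a backdoor.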
Now that we know where backdoors are likely to be, we can start looking for them. If you want to know how to detect a backdoor, read on.
Detecting Backdoors
There are several ways to go about finding them:
• Whitelisting: we know what the good files look like. Keep a known-good set of the core files of WordPress, Joomla, osCommerce, wikis and so on; this set is the whitelist. Any file that differs from, or is missing from, the whitelist needs explaining. Once every file is accounted for, we can tell the customer the site is clean.
• Blacklisting: a list of known PHP backdoor patterns (an eval of a decoded string, a shell command fed from a request parameter, and the like), PHP being the language that powers most websites. Matching files against it catches what has been seen before, but a new or obfuscated backdoor that matches no known pattern slips through, so a blacklist on its own is not enough.
• Anomaly checks: looking for files that should not be where they are (a PHP file in the uploads folder, an extra file in a core directory) and for expected files that are missing or changed. These anomalies very often turn out to be the backdoor.
Insurance for Your Website
We believe that this combined package is essentially insurance for your website.
You probably insure your laptop, your mobile phone, and even the chair you’re sitting on is probably insured somewhere. And yet you haven’t insured the tool that brings you business, that magnetically attracts leads, and in the case of Ecommerce businesses, actually pays you your income.
Isn’t it time you did?