WordPress Backdoor Vulnerability

Has anyone ever faced a backdoor vulnerability in their WordPress website? We have been facing an issue where a hacker is able to successfully inject Google ads on our website. We found the malicious code twice but it just keeps recurring. We already have a Sucuri subscription but they are useless in this case. Any kind of help would be appreciated. Thanks in advance 🙏

7 Comments
  1. Your site has a vulnerability – and in almost all cases this is caused by an old or out of date plugin or theme.

    First step, install Wordfence and run a scan. Report back with the results.

  2. If you found it and it keeps coming back then you didn’t really find the backdoor. You found an injected script. Totally different.

    If you have access to shell I’ll show you what to run to find it, let me know

  3. As others have said, it’s always an out of date or abandoned theme or plugin, or a password that has been leaked or is so simple that it is susceptible to brute force (automated guessing) attacks.

    If this happened to me or a client these are some of the things I would do, probably not in this exact order though.

    Update everything. Delete all unnecessary plugins. Look at the database tables with phpMyAdmin or whatever tool your host allows and compare the number of users in the wp_users table to the number that show up in the back end of your database; you’re looking for a user that was created outside of the WordPress system (although a Wordfence scan should detect that). If you have more than one admin user, temporarily change all of them but you to subscriber, or better yet delete them all and re-add them once you’re locked in. In your Wordfence settings, have it immediately lock out unknown users for a day. Change your password. Change the database password on your host and don’t forget to change wp-config.php to reflect that. While you’re in there (wp-config.php) generate new authentication keys. Have Wordfence set to email you any time an admin user logs in. Check your site regularly to establish an approximate time when the scripts get injected, and compare that to your access logs to see if you can glean anything that matches that approximate time. Don’t forget to account for the time difference between where you are and what the server is set to.

    Wordfence scan isn’t telling you anything? Export all your posts and view them in a text editor and look for anything suspicious.

    Delete and reinstall all your plugins and themes. A warning about this: if they are well designed they should give you the option to, or by default, delete any data associated with the plugin from the database. When you go to reinstall them you’ll have to readjust those settings.
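The "export all your posts and look for anything suspicious" step above is easy to automate. The script below is an added example, not code from anyone in this thread: it parses a WordPress WXR export (the XML file that Tools > Export produces) and flags post bodies that carry the usual injected-ad markers: script tags loading from a host you do not own, inline scripts that go through eval/atob-style decoding, iframes, PHP decoder calls and long base64 blobs. The export embedded in the script is constructed for the demo, and the host names in it (example-site.test, injected-example.test) are placeholders; the only real assumption is the WXR structure (a `wp:post_id` and a `content:encoded` element per item).

```python
import re
import xml.etree.ElementTree as ET

# XML namespaces used in a WordPress WXR export (Tools > Export).
NS = {
    "content": "http://purl.org/rss/1.0/modules/content/",
    "wp": "http://wordpress.org/export/1.2/",
}

# <script src=...> that points at another host; the host name is captured.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I)

# Heuristics that are common in injected ad/redirect payloads but rare in
# hand-written post bodies. A hit is a reason to look, not proof by itself.
INDICATORS = [
    ("inline_script_eval", re.compile(
        r"<script\b[^>]*>(?:(?!</script>).)*?"
        r"\b(?:eval|atob|unescape|String\.fromCharCode|document\.write)\s*\(",
        re.I | re.S)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("php_decoder", re.compile(
        r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
]

# Constructed sample export (not a real site's data): one legitimate external
# script, one injected ad loader, one obfuscated inline script, one clean post.
SAMPLE_WXR = """<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
<item>
  <title>About</title>
  <wp:post_id>101</wp:post_id>
  <content:encoded><![CDATA[<p>Welcome.</p><script src="https://www.example-site.test/js/menu.js"></script>]]></content:encoded>
</item>
<item>
  <title>Sale</title>
  <wp:post_id>102</wp:post_id>
  <content:encoded><![CDATA[<p>Spring sale!</p><script async src="//ads.injected-example.test/loader.js"></script>]]></content:encoded>
</item>
<item>
  <title>Contact</title>
  <wp:post_id>103</wp:post_id>
  <content:encoded><![CDATA[<p>Contact us</p><script>var _0x=atob("ZG9jdW1lbnQud3JpdGUoJzxpZnJhbWU+Jyk=");eval(_0x);</script>]]></content:encoded>
</item>
<item>
  <title>FAQ</title>
  <wp:post_id>104</wp:post_id>
  <content:encoded><![CDATA[<p>Plain text only.</p>]]></content:encoded>
</item>
</channel>
</rss>
"""


def scan_post(body, allowed_hosts):
    """Return the indicator labels found in one post body."""
    hits = []
    for host in SCRIPT_SRC.findall(body):
        if host.lower() not in allowed_hosts:
            hits.append(f"external_script:{host.lower()}")
    for label, pattern in INDICATORS:
        if pattern.search(body):
            hits.append(label)
    return hits


def scan_wxr(xml_text, allowed_hosts=frozenset()):
    """Map post_id -> indicator labels for every post in the export that has any.

    allowed_hosts: hosts you legitimately load scripts from (your own domain,
    your CDN); anything else referenced by a <script src> is reported.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = {}
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        post_id = int(item.findtext("wp:post_id", namespaces=NS))
        body = item.findtext("content:encoded", default="", namespaces=NS)
        hits = scan_post(body, allowed)
        if hits:
            findings[post_id] = hits
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_WXR with open("export.xml").read() for a real export.
    for post_id, hits in scan_wxr(SAMPLE_WXR, {"www.example-site.test"}).items():
        print(post_id, hits)
```

Run it against the real export and it prints the post IDs worth opening in the editor; the allow-list keeps your own theme or CDN scripts out of the output. Because injected content can also live in widgets, options and post meta (which an export does not fully cover), treat an empty result as "nothing in posts", not "the database is clean".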

  4. I worked with a team that had several sites compromised and we were able to get to the bottom of the issue. There are a few steps around user credentials and file permissions that you’ll want to look into. If you want to throw around some Q&A on it just DM me and glad to lend a free hand as it was pretty stressful.

  5. 1. Put your site in maintenance mode.
    2. Update all themes and plugins.
    3. Remove all unnecessary stuff (deactivated plugins, themes except the default)
    4. Re-run the security test and remove scripts that you already found earlier.
    5. 9 WordPress core files.
    6. Check file permissions.

    If it still persists, two possible reasons:
    1. One of your sites in the same hosting account is impacting.
    2. The malware is in your database.

    For both of them, you would need an expert to dig in.
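The "check file permissions" step (item 6 in the list above) and the hunt for files that should not be there are easy to script. The following is an added example, not code from anyone in this thread: it walks a WordPress install and reports world-writable paths, PHP-like files sitting under wp-content/uploads (where only media should live), and a wp-config.php readable by everyone. The install it audits is a small, deliberately mis-configured tree it builds in a temporary directory for the demo; point `audit_wordpress_tree` at the real document root instead. The exact finding labels and the extension list are this example's own choices.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Server-side executable extensions that have no business under uploads/.
SUSPECT_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def audit_wordpress_tree(root):
    """Return sorted (relative_path, finding) tuples for the install at root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # do not follow links that may point outside the tree
        if mode & stat.S_IWOTH:
            findings.append((rel.as_posix(), "world_writable"))
        if path.is_file():
            if (rel.parts[:2] == ("wp-content", "uploads")
                    and path.suffix.lower() in SUSPECT_EXTENSIONS):
                findings.append((rel.as_posix(), "php_in_uploads"))
            if path.name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel.as_posix(), "wp_config_world_readable"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed, deliberately mis-configured install in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    uploads = base / "wp-content" / "uploads" / "2024" / "05"
    uploads.mkdir(parents=True)
    (base / "wp-content" / "plugins").mkdir()
    (base / "wp-config.php").write_text("<?php /* constructed */\n")
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "cache.php").write_text("<?php /* constructed suspect file */\n")
    (base / "wp-content" / "plugins" / "readme.txt").write_text("ok\n")
    # Normalise everything first so the demo does not depend on the umask,
    # then introduce the two problems the audit should catch.
    for p in base.rglob("*"):
        p.chmod(0o755 if p.is_dir() else 0o644)
    os.chmod(base / "wp-content" / "uploads", 0o777)  # world writable
    os.chmod(base / "wp-config.php", 0o640)           # not world readable
    return base


def run_demo():
    """Build the sample tree, audit it and clean up; returns the findings."""
    base = build_sample_tree()
    try:
        return audit_wordpress_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{finding:28} {rel}")
```

On a real host run it as the same user the web server runs as, and expect a hit under uploads to be either a leftover from a plugin that writes PHP there (rare, and worth asking the plugin author about) or the dropper that keeps re-injecting the ads. Fixing the permission findings does not remove a backdoor already on disk; it closes the easy route by which the next one gets written.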
