A backdoor attack in WordPress involves injecting hidden malicious code into the site, enabling attackers to gain unauthorized access and control. This allows them to bypass standard security measures and maintain control even after the primary vulnerability is fixed.


WordPress Backdoor Attack


Issue

    • Malware was detected that modifies project files and injects suspicious code.
    • Threat name: Backdoor Script (a program or script that provides remote access to the computer it is installed on).
    • As a result, every user visiting our site was shown a Japanese-language website in place of ours, with all content changed.

Analysis

    • This malware could have been introduced into the project through more than one weakness:
      1. File editing allowed via the WordPress dashboard.
      2. PHP execution allowed in the wp-content folder and its subfolders.
    • The malware created .htaccess files and scripts in every folder so that the attacker could execute scripts in other languages (e.g., Python) from those folders.
    • In general, this malware makes API calls to fetch content, which is then used to serve a different website to visitors.

Steps taken to make the website live

    • Downloaded the project on a local machine.
    • Scanned the whole project with antivirus and removed the main backdoor file.
    • Searched for every suspicious .htaccess file and removed them.
    • Searched for malicious code saved as images and removed them.
    • Searched for the different patterns of PHP scripts used by the attacker (scripts that call APIs and modify the website) to find similar files injected into the project, and removed them.
    • Reverted any database changes done by malicious scripts.
    • Reverted the core files index.php, wp-config.php and the main .htaccess.
    • Removed malicious files whose names mimic core WordPress files, such as wp-crom.php and wp-blog-heaber.php.
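A defender's script for the hunts listed above (stray .htaccess handlers, PHP hidden in image files, PHP under uploads, and near-miss core file names such as wp-crom.php), added here as an illustration and not DAStek's own tooling; the sample tree it scans is constructed, and the 0.85 name-similarity threshold is an assumption:

```python
import os, re, tempfile
from difflib import SequenceMatcher
# PHP files WordPress ships in the site root; any other root PHP file that looks like one is suspect.
ROOT_PHP = {"index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
            "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php",
            "wp-login.php", "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
# .htaccess directives that map extra extensions to an interpreter or enable CGI execution
HANDLER_RE = re.compile(rb"^\s*(AddHandler|AddType|SetHandler|Options\b.*ExecCGI)", re.I | re.M)
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")

def find_indicators(root):
    """Walk a WordPress tree and return sorted (reason, path-relative-to-root) pairs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        for name in files:
            rel = "/".join(parts + [name])
            ext = os.path.splitext(name.lower())[1]
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(65536)  # the first 64 KiB is enough for these checks
            if name == ".htaccess" and HANDLER_RE.search(head):
                hits.append(("htaccess-handler", rel))  # lets non-PHP scripts run from here
            elif ext in IMAGE_EXT and PHP_TAG_RE.search(head):
                hits.append(("php-in-image", rel))  # PHP source hidden in an "image"
            elif ext == ".php" and parts[:1] == ["wp-content"] and "uploads" in parts:
                hits.append(("php-in-uploads", rel))  # PHP never belongs under uploads
            elif ext == ".php" and not parts and name.lower() not in ROOT_PHP and any(
                    SequenceMatcher(None, name.lower(), c).ratio() >= 0.85 for c in ROOT_PHP):
                hits.append(("core-lookalike", rel))  # e.g. wp-crom.php vs wp-cron.php
    return sorted(hits)

def demo():
    """Build a constructed sample tree (not a real site) and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # file bodies are placeholders, not real malware
        "wp-crom.php": b"<?php /* constructed look-alike */",
        "wp-content/uploads/2024/.htaccess": b"AddHandler cgi-script .py\nOptions +ExecCGI\n",
        "wp-content/uploads/2024/logo.png": b"\x89PNG\r\n<?php /* constructed: code in image */",
        "wp-content/uploads/2024/cache.php": b"<?php /* constructed: php under uploads */",
        "wp-content/plugins/good/.htaccess": b"deny from all\n",  # legitimate, not flagged
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return find_indicators(root)
```

Run find_indicators() against a copy of the downloaded site and review each hit by hand before deleting anything; a plugin's own access-control .htaccess, as in the demo, is not flagged.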

Precautionary steps taken

    • To prevent backdoor attacks:
      1. Updated .htaccess files with the following code:
         <Files *.php>
             deny from all
         </Files>
      2. Updated wp-config.php with the following code:
         define('DISALLOW_FILE_EDIT', true);

    • Updated plugins and themes and set important plugins for auto-updates.
    • Ran the WordPress Toolkit (available in Plesk) to prevent execution of scripts in other languages in the wp-content and wp-admin folders.
    • Changed the database table prefix so that the DB details learned during the previous attack are no longer usable.
