Array / 7 min read

WordPress backdoors: what they are and how to protect your site

WordPress backdoors are one of the most common and persistent security vulnerabilities for websites using the most popular CMS. That’s because attackers can exploit many website components to inject malware and retain remote access to your site.

This article will explore backdoors, how they work, what attackers can gain from them, and how to protect your site from backdoor access. Let’s get into it.

What are WordPress backdoors?

WordPress logo

Backdoors are malicious software (malware) attackers use to gain unauthorized access to a website, operating system, or computer network while remaining undetected. Their malware often allows them to bypass standard security protocols and user credentials to quietly gain the targeted system’s remote command & control (C&C or C2).

Commonly, attackers gain backdoor access by exploiting flaws in plugins, themes, or WordPress core security, then planting malware somewhere in the website’s folders to retain indefinite unauthorized access.

Backdoor attacks are common security issues in WordPress. According to Sucuri’s 2021 security report, at least one backdoor malware was present in 60% of the infected websites they cleaned up with their SiteCheck tool.

How do attackers get backdoor access to WordPress?

There are various ways attackers get backdoor access. One of the most common is exploiting benign backdoors that plugin and theme developers leave on their software.

Sometimes developers create backdoors to bypass their security measures when troubleshooting or resolving issues for their users. Bad actors like hackers may manipulate this built-in code to access a WordPress website.

Other common tactics hackers use to gain backdoor access include the following:

  • Creating hidden admin users: admin users can make website changes and grant similar licenses to other users. Attackers can simply create a new admin user hidden from all others by gaining access to an admin account through brute force attacks or some other hacking method. This way, they can access the website through normal channels without raising suspicion.
  • Tricking admins into providing access: attackers sometimes email team members inside the website’s network to bypass firewalls. These emails contain malware that gives the attacker access to the website.
  • Plating malicious PHP code in your WordPress installation: attackers may upload a malicious PHP file to a directory admins are unlikely to check manually, such as the media uploads folder once they have access. With these files, they can manage your website remotely without your permission.

Attackers use many more techniques to gain backdoor access and constantly evolve. Still, these are some of the most common you should be aware of.

What do attackers gain from backdoor access to WordPress sites?

Attackers can gain a lot by establishing backdoor access. Some of the most common motivations and objectives are:

  • Redirecting your site to an external site by adding spam links and pages.
  • Gaining hidden admin access, they can exploit for long periods before being detected.
  • Spying on user activity and collecting their personal information.
  • Sending spam emails using the website’s email accounts. These may allow them to spread even more malware to other sites.
  • Degrading the website’s performance.
  • Locking out other website users.

How to avoid backdoor access to your WordPress site?

Macbook showing the Dashboard of a WordPress admin

Explore core directories and perform a backdoor scan

Some of the most common directories and files where attackers place their malware software include the following:

  • WP-Themes folder: attackers may target older or unused themes that are vulnerable and not checked often by admins.
  • WP-Plugins folder: unused and outdated plugins are also vulnerable to malware injection. This is especially true for poorly-coded plugins that leave openings for attackers.
  • Uploads folder: the uploads folder contains dozens to thousands of media files used on your site. It’s also writable, and admins have no reason to check on it. Admins just upload files, and they sort themselves out. This is a good place for a clever attacker to plant malware. Sometimes, the malware itself may be an image file, complicating detection even more.
  • Wp-includes folder: attackers may upload malicious PHP files with harmless-looking names like “wp-user.php” (similar to “user.php,” a normal installation file) and others like that. They avoid detection by giving malware names that blend with other normal files.
  • wp-config.php file: attackers may introduce malicious code within this file, normally used to communicate with the WordPress database. The only way to detect it would be to know PHP, inspect the file, recognize the out-of-place code, and delete it.

Manually checking through files takes a long time, and the process is prone to human error. This is why backdoors are often so hard to find.

Explore malware scanner plugins and other security services for your WordPress site. It’s the best way to protect your site from backdoors and other forms of malware. MalCare, iThemes Security, and Bulletproof Security are popular options.

Consider deleting the .htaccess file.

The “.htaccess” file will be in your WordPress site’s root directory, but only if your web host uses Apache servers. The .htaccess file is not present in Microsoft or Nginx servers. Its function is to contain various settings for how the server should run.

Some attackers may modify this file to redirect your site to another one. With the proper permissions, you can delete this file (and the malware inside it), and it will regenerate immediately.

Avoid vulnerable and unmaintained plugins and themes.

Code screen

As explained above, plugins and themes often contain vulnerabilities that allow attackers to inject malware that facilitates backdoor access. The best way to prevent these is by deleting unused plugins and themes. The malware will disappear with the other plugin or theme files.

Remember to update the ones you regularly use constantly. New vulnerabilities are frequently discovered and patched, so stay on top of your updates to avoid them.

Update WordPress’s core installation

The WordPress core is maintained by expert developers who understand common vulnerabilities and create countermeasures. Keeping your core and PHP versions updated is a fundamental security measure.

Always remember to make a backup before you update.

Use strong, unique passwords.

Since attackers may establish backdoors by hacking admin accounts, enforcing strong, unique passwords across team members is a great way to minimize successful hacks. Some of the measures you can take to maintain stronger passwords across accounts include the following:

  • Use long (12-20 characters) complex passwords that combine upper and lowercase letters, numbers, and special symbols, such as “*” and “/.”
  • Create rules for the words used in passwords. For example, you can demand that words be truncated halfway or that vowels are removed (“honey” turns into “hny”) to avoid using predictable letter combinations.
  • Avoid common, everyday words and predictable patterns, such as a common word followed by four numbers.
  • Don’t use “a” or “1” as the password’s first character.
  • Use unique passwords for all accounts associated with your WordPress site. No duplicates, ever.
  • Consider using a password manager to keep up with all these complex, unique passwords.

Limit login attempts to your site.

Secure Login screen

By default, WordPress allows infinite failed login attempts, so a hacker can keep trying to crack your passwords until they succeed. Explore plugins that temporarily prevent IP addresses from trying to access your admin dashboard if they fail a certain amount of times in a row (like 3, 5, or 10 times).

In line with the last point, this measure will slow down or prevent attempts at using brute force to crack admin credentials.


WordPress backdoors are very prevalent in its ecosystem. Many security vulnerabilities can lead to an injection of malware, and there are many otherwise benign-looking places where attackers may hide it.

With the information in this article, you know some of the most common malicious techniques attackers use to gain backdoor access. Follow these recommendations, and your WordPress site will be much safer from them.

If you found this article helpful, read our blog for more WordPress guides, tips, and tricks.