Backdoor

Who this is for: WordPress site owners and freelancers who manage client sites and want to understand how attackers maintain persistent access after a hack.

A backdoor is a hidden entry point in a WordPress site that lets an attacker access or control the site without valid credentials. Unlike a brute-force attack that needs a password, a backdoor bypasses authentication entirely — often surviving a password reset, plugin removal, or even a theme reinstall.

Affiliate disclosure: Some links on this page are affiliate links. We may earn a commission at no extra cost to you.


What a WordPress Backdoor Actually Does

A backdoor gives an attacker persistent, unauthorized access to a site — usually at the server or file-system level. In our experience reviewing compromised client sites, backdoors almost always outlive the initial vulnerability that let the attacker in. The attacker fixes the entry point to prevent other attackers from using it, then leaves their own hidden door open.

Common forms include: a PHP file disguised as a WordPress core file, a malicious function injected into functions.php, or an obfuscated script buried inside an image upload directory. As of 2026, the wp-content/uploads/ folder is the most common hiding spot we see on hacked shared-hosting accounts — because that directory is typically writable and rarely scanned.

How Backdoors Get Installed on WordPress Sites

Backdoors reach a site through an initial vulnerability — a nulled plugin, an unpatched theme, weak credentials, or an exploited PHP file. Once inside, the attacker drops a PHP shell or injects eval-based code that executes arbitrary commands sent via HTTP requests.

We see this pattern on client sites regularly: the site gets cleaned, passwords get changed, but the backdoor file in /uploads/2023/06/image_cache.php stays untouched because it looked like a media file. The attacker returns weeks later, finds the door still open, and reinfects the site.

Wordfence’s threat intelligence data shows that backdoor-related infections account for a significant share of WordPress reinfections — precisely because cleanups that miss the hidden file fail within days.

How to Detect a Backdoor

Standard plugin scans catch many backdoors, but not all. Tools like MalCare and Sucuri SiteCheck scan file signatures and compare them against known clean WordPress core files. MalCare’s deep-scan approach checks file contents, not just filenames, which matters because attackers routinely rename malicious files to mimic WordPress internals.

A manual check worth running: compare your wp-includes/ and wp-admin/ directories against the official checksums available at WordPress.org release archives. Any file present in your install but absent from the official package is a red flag.
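The manual comparison above, combined with a check for script files in wp-content/uploads/, as an added Python example (not code from this page or from any vendor named on it). It assumes the official checksums have been saved as a mapping of relative path to MD5; the extension list, the file names and the demo() install are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")
SCRIPT_EXTS = {".php", ".phtml", ".phar"}  # assumed server-executable extensions

def audit_core(root, manifest):
    """Compare core directories under root with manifest {relative path: md5}."""
    report = {"unexpected": [], "modified": [], "missing": []}
    seen = set()
    for p in sorted(q for d in CORE_DIRS for q in (root / d).rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)  # on disk, absent from the package
        # MD5 only because the assumed manifest format carries MD5 values.
        elif hashlib.md5(p.read_bytes()).hexdigest() != manifest[rel]:
            report["modified"].append(rel)    # same name, different contents
    core = tuple(d + "/" for d in CORE_DIRS)
    report["missing"] = sorted(k for k in manifest
                               if k.startswith(core) and k not in seen)
    return report

def scripts_in_uploads(root):
    """List script files under wp-content/uploads/, where only media is expected."""
    uploads = root / "wp-content" / "uploads"
    return sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCRIPT_EXTS)

def demo():
    """Constructed sample: a tiny fake install with simulated tampering."""
    clean = {"wp-admin/index.php": b"<?php // admin\n",
             "wp-includes/load.php": b"<?php // load\n",
             "wp-includes/version.php": b"<?php // version\n"}
    tampered = {"wp-includes/load.php": b"<?php // load, altered\n",
                "wp-includes/class-wp-cache-helper.php": b"<?php // extra\n",
                "wp-content/uploads/2023/06/image_cache.php": b"<?php // x\n",
                "wp-content/uploads/2023/06/photo.jpg": b"\xff\xd8\xff"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {**clean, **tampered}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        (root / "wp-includes/version.php").unlink()  # simulate a deleted core file
        manifest = {r: hashlib.md5(b).hexdigest() for r, b in clean.items()}
        return audit_core(root, manifest), scripts_in_uploads(root)
```

Anything reported as unexpected or modified should be reviewed before deletion, and a hit under uploads/ is a lead to inspect rather than proof of compromise, since some plugins legitimately write PHP there.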

How to Remove a Backdoor

Removing a backdoor without professional help is possible but risky — one missed file means reinfection. The reliable path for non-developers: use a managed malware removal service like Sucuri ($199 per cleanup) or MalCare’s auto-clean feature. Both include a post-removal hardening step that closes the configuration gaps that enabled the initial compromise.

After any cleanup, rotate all credentials: WordPress admin passwords, database password, FTP/SSH credentials, and your hosting control panel. If the backdoor exfiltrated credentials before it was removed, the old ones are already in the attacker's hands, which makes the new passwords critical.


  • Malware — malicious software category that includes backdoors, trojans, and injected scripts
  • File Permissions — server-level controls that limit which files can be written or executed
  • WordPress Security Hardening — configuration steps that reduce attack surface after a clean install
  • Nulled Plugins — pirated premium plugins that commonly ship with pre-installed backdoors
  • Two-Factor Authentication — login protection that reduces credential-based entry points

Last verified: April 2026