Files to Manually Check on Hacked WordPress Websites

First up, a list of the files you need to check through manually, looking for modifications and suspicious code, database calls, etc., along with a brief description of the common angles of attack used by hackers, scripts, and other potential intruders.

wp-config.php
This file contains sensitive information, including database credentials. Unauthorized access to this file can lead to a complete compromise of your WordPress site. Essentially, this is your WordPress installation’s master key.

functions.php
Hackers often target this file as it allows them to inject malicious code into theme functions, enabling them to execute arbitrary commands.

wp-login.php
Brute force attacks often target the login page to gain unauthorized access to the admin area. Consider implementing additional security measures, such as limiting login attempts and using two-factor authentication.

wp-includes/class-wp-xmlrpc-server.php
XML-RPC can be exploited for DDoS attacks and other malicious activities. If not needed, consider disabling XML-RPC functionality altogether.

wp-includes/load.php
This file is a critical part of the actual WordPress core. Modifications to it can lead to various security issues, making it a potential target for hackers.

wp-admin/admin-ajax.php
While this file is essential for many WordPress functionalities, it can be targeted for denial-of-service attacks or to exploit vulnerabilities in plugins that use AJAX.

wp-admin/admin.php
Hackers frequently attempt to compromise this file to gain control over the administration area of your WordPress site.

wp-includes/template-loader.php
Since this file is responsible for loading various templates, modifying it can lead to the execution of unauthorized code.

wp-includes/pluggable.php
This file contains core functions related to user authentication. Unauthorized access can lead to the compromise of and control over user accounts.

wp-includes/version.php
Though it may seem innocuous, this file contains the WordPress version number. Outdated versions may have known vulnerabilities, making this file a target for attackers seeking outdated installations.

.htaccess
The .htaccess file is used to configure and control the server’s behavior, including URL redirects, security settings, and other server-level directives.


Things to Watch Out for when Manually Checking WordPress Files

Here’s a brief breakdown of common things you need to be on the lookout for, when examining your WordPress installation for signs of tampering or malicious intrusion:

Unusual File Modifications
Examine your WordPress core files for any unauthorized modifications. Check for recently modified files or changes to files that shouldn’t have been altered in the first place.

Unexpected File Additions
Look for files that you didn’t create or recognize as a common part of a WordPress installation. Pay attention to new files in crucial directories like wp-content/themes and wp-content/plugins.

Encoded or Obfuscated Code
Search for encoded or obfuscated code within files. Malicious actors often use encoding to hide their activities. More on this in a moment.

Strange File Extensions
Be cautious of files with unusual or non-standard extensions. Scripts may disguise themselves with deceptive file extensions.

Unfamiliar Functions
Review PHP files for unfamiliar functions, especially those commonly used in malicious scripts. Look for functions like “eval,” “base64_decode,” or “gzinflate.” For example, base64_decode is usually a sure sign that someone or something has tried to bury malicious content through encoding.

Injected JavaScript
Check for injected JavaScript code in your files. Look for suspicious script tags, especially in files where they shouldn’t be present.

Phishing Code
Look for code that might be attempting phishing attacks. Search for URLs that mimic legitimate websites or contain known phishing keywords.

Backdoor Code
Inspect for backdoor code that allows unauthorized access. Check for code that creates hidden admin accounts or modifies user roles.

Malicious Redirects
Search for code that initiates unauthorized redirects. Pay particular attention to any changes in the .htaccess file that could redirect users to unknown or malicious third-party sites.

Database Manipulation
Check for unauthorized changes to your database. Look for new tables, entries, or modifications to existing data.

Unexplained Network Requests
Monitor for suspicious network requests or connections from your site. Identify any unexpected external links or requests, and manually check them.

Spammy Content Injection
Look for injected spam content in your pages or posts. Check for hidden links or text. For example, visit a suspect page, hold the CTRL key, then press A, to highlight all that page’s content. Hidden text or links will frequently be revealed by this simple approach.

File Size Anomalies
Compare file sizes to the original files. Abnormally large files might contain encoded or compressed malicious payloads. The simplest way to accomplish this is to load a clean WordPress installation onto a subdomain or into a subdirectory, and then compare its file sizes to the compromised site’s.

Unused or Deprecated Themes/Plugins
Review unused or deprecated themes and plugins for potential security vulnerabilities.

Remove any that are not in use. In fact, removing unused themes and plugins should be part of your site’s regular maintenance, and not be left until it’s too late.

Unexpected File Permissions
Check file and directory permissions.

Unauthorized write permissions may indicate a security risk. For example, most of the above files should be set to Permissions: 644.

This setting grants read and write permissions for the owner, and read-only for others, allowing the web server to read (and so run) the file while preventing unauthorized modifications. If you’re really paranoid, set permissions on your wp-config.php file to 440, since this will form an additional line of defense for database credentials, etc.


Conversely, if you find any of the above files, or indeed ANY FILES AT ALL which have their permissions set to 777, 647, or basically anything ending in 7, something is hideously amiss.

Hint: That last digit controls the “Public” file permissions, and if it’s set to “7” it means that any user on the server is able to modify, read, or execute the file, compromising sensitive database credentials.
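A small POSIX shell triage script that ties the checks above together, added here as an example and not part of the original tutorial: it builds a constructed clean/hacked pair of trees (placeholder contents, not real WordPress code) and then runs the Unfamiliar Functions check, the world-writable permission check, the recently-modified and changed-file comparisons against a clean copy, and the Unexpected File Additions check against them.

```shell
#!/bin/sh
# Constructed sample data (not a real site): a tiny "clean" tree and a "site" copy of it
# into which three typical post-compromise changes are planted, so each check has a hit.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
for r in clean site; do mkdir -p "$WORK/$r/wp-includes" "$WORK/$r/wp-content/uploads"; done
printf '<?php\n$wp_version = "X.Y.Z";\n' > "$WORK/clean/wp-includes/version.php"
printf '<?php\nfunction wp_validate_auth_cookie() { /* placeholder body */ }\n' \
    > "$WORK/clean/wp-includes/pluggable.php"
cp "$WORK/clean/wp-includes/"*.php "$WORK/site/wp-includes/"
# planted 1: an encoded payload appended to a core file (inert placeholder, nothing decodes)
printf '@eval(base64_decode("PLACEHOLDER"));\n' >> "$WORK/site/wp-includes/pluggable.php"
# planted 2: a PHP file hiding in uploads, where no PHP belongs
printf '<?php /* placeholder */\n' > "$WORK/site/wp-content/uploads/.cache.php"
chmod 644 "$WORK"/*/wp-includes/*.php "$WORK/site/wp-content/uploads/.cache.php"
# planted 3: permissions ending in 7 on a core file
chmod 777 "$WORK/site/wp-includes/pluggable.php"

# PHP files calling functions that malware commonly abuses ("Unfamiliar Functions")
suspicious_files() {   # $1 = site root
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\(' {} +
}
# Files any user on the server may write to (last permission digit 2, 3, 6 or 7)
world_writable() {     # $1 = site root
    find "$1" -type f -perm -002
}
# Files changed in the last N days ("Unusual File Modifications")
recently_modified() {  # $1 = site root, $2 = days
    find "$1" -type f -mtime -"$2"
}
# Files whose content differs from the clean install of the same version
changed_files() {      # $1 = clean root, $2 = site root
    ( cd "$1" && find . -type f ) | while read -r f; do
        cmp -s "$1/$f" "$2/$f" || echo "$f"
    done
}
# Files present on the site but absent from the clean install ("Unexpected File Additions")
added_files() {        # $1 = clean root, $2 = site root
    ( cd "$2" && find . -type f ) | while read -r f; do
        [ -e "$1/$f" ] || echo "$f"
    done
}

echo "== abused functions ==";  suspicious_files "$WORK/site"
echo "== world-writable ==";    world_writable "$WORK/site"
echo "== changed vs clean ==";  changed_files "$WORK/clean" "$WORK/site"
echo "== added vs clean ==";    added_files "$WORK/clean" "$WORK/site"
```

Point the functions at a real document root and a clean download of the same WordPress version to get the same four lists for your own site; every hit is a file to open and read by hand.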

Search for Known Malware Signatures

Utilize online malware databases or antivirus tools to scan for known malware signatures in your files. Here again, security plugins like Wordfence can be a massive help in the process.

Lastly, bear in mind that the information given on this page is hardly exhaustive. The hacking/malware landscape is constantly shifting and evolving, with new threats and vulnerabilities emerging on an almost daily basis. I will try to keep the information in this tutorial as up-to-date as possible, but I would always advise you to conduct your own research on top of the base given herein.
