
WordPress Security Hardening After a Compromise

14 March 2026 6:33 AM

Overview

When a WordPress site is compromised — especially through a plugin backdoor or uploaded web shell — simply removing the malicious file is rarely enough. Attackers often plant multiple backdoors, create hidden admin accounts, and exploit other vulnerabilities to regain access.

This guide walks you through the full recovery and hardening process so your site is clean, secured, and significantly more resilient against future attacks.

Important: Partial fixes lead to re-infection. This pattern (repeat compromise via plugin backdoor / web shell) is one of the most common support ticket types. Following all steps in this guide — not just the immediate cleanup — is the best way to prevent re-infection within days or weeks.


Before You Start

Take a Full Backup

Even a compromised site should be backed up before you make any changes. This preserves evidence and gives you a restore point if something goes wrong during cleanup.

  • Use your hosting control panel (cPanel/DirectAdmin/Enhance) to create a full backup — files and database
  • Or use a plugin like UpdraftPlus or Duplicator if you can still access WP Admin
  • Store the backup off-server (local machine or cloud storage)

Put the Site in Maintenance Mode

To prevent visitors from reaching a potentially infected site while you work:

  1. Log into WP Admin
  2. Install and activate the "Maintenance" plugin (or add a simple .htaccess rule to block public access)
  3. Keep maintenance mode on until all steps are complete

Step 1 — Remove Backdoor Files and Web Shells

Backdoor files are scripts left by attackers that allow them to re-enter your site at any time. Web shells (PHP files with names like wp-config2.php, .ico.php, or files hidden in upload directories) are the most common form.

Option A — Wordfence Plugin (Recommended)

  • Install Wordfence Security from the WordPress plugin directory
  • Run a Full Scan from Wordfence > Scan
  • Review results — pay close attention to "Unknown files in WordPress core" and "Files contain malicious code"
  • Use Wordfence's "Delete All Deletable Files" option for confirmed malware

Option B — Manual Scan via SSH / cPanel File Manager

Look for recently modified or suspicious files:

# Find PHP files modified in the last 7 days
find /path/to/wordpress -type f -name '*.php' -mtime -7

# Find files with common backdoor strings
grep -r 'eval(base64_decode' /path/to/wordpress --include='*.php'
# Command execution fed directly from request input ($_GET, $_POST or $_REQUEST)
grep -rE 'system\(\$_(GET|POST|REQUEST)' /path/to/wordpress --include='*.php'
# passthru also appears in some legitimate code, so review each hit before deleting
grep -r 'passthru' /path/to/wordpress --include='*.php'

Any file containing eval(base64_decode, or calling system() or passthru() on user-controlled request input such as $_GET, $_POST or $_REQUEST, should be treated as a backdoor and deleted immediately.

Common Backdoor Locations

  • wp-content/uploads/ — PHP files should never exist here
  • wp-content/themes/[theme-name]/ — especially in inactive or old themes
  • wp-content/plugins/ — especially in plugins you do not recognise
  • Root directory — watch for extra PHP files or .htaccess injections
  • wp-includes/ — core files should match the official WordPress release

Tip: After removing files, verify WordPress core integrity using Wordfence's core file check, WP-CLI's wp core verify-checksums command, or by downloading a fresh copy of the same WordPress version and comparing it against your installation. Any core file that differs from the release, or any extra file inside wp-admin/ or wp-includes/, needs a closer look.
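The Option B commands and the core-comparison tip above, wrapped into reusable shell functions as an added example (this is not code from the original article). It assumes a POSIX shell with GNU find, grep and diff; the paths are placeholders and the demo tree is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original article: helper functions for the
# Option B manual scan and the core-integrity comparison above. Assumes a POSIX
# shell with GNU find, grep and diff; every path here is a placeholder.

# PHP files under wp-content/uploads/ (none should exist there).
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php.*' \) 2>/dev/null
}

# PHP files modified within the last N days (default 7).
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}

# PHP files containing the backdoor constructs the article lists: eval() of a
# decoded payload, or a command-execution function fed straight from a request.
suspicious_php() {
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)|(system|passthru|shell_exec|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
    "$1" 2>/dev/null
}

# Compare an installation ($2) against a freshly downloaded release ($1).
# wp-content/ and wp-config.php legitimately differ, so they are skipped;
# "Files ... differ" means a modified core file, "Only in <install>" an extra one.
core_diff() {
  diff -rq -x wp-content -x wp-config.php "$1" "$2" | sort
}

# Demo on a constructed throwaway tree (sample data, not a real site).
demo() {
  ref=$(mktemp -d); inst=$(mktemp -d)
  mkdir -p "$ref/wp-includes" "$inst/wp-includes" \
           "$inst/wp-content/uploads/2026" "$inst/wp-content/plugins/demo"
  echo '<?php // genuine core file' > "$ref/wp-includes/version.php"
  cp "$ref/wp-includes/version.php" "$inst/wp-includes/version.php"
  echo '<?php // injected into core' > "$inst/wp-includes/extra.php"
  echo '<?php echo 1;' > "$inst/wp-content/uploads/2026/image.php"
  echo '<?php eval(base64_decode("ZWNobyAx"));' > "$inst/wp-content/plugins/demo/bad.php"
  echo '<?php echo "clean";' > "$inst/wp-content/plugins/demo/good.php"
  echo '== PHP in uploads =='; php_in_uploads "$inst"
  echo '== Suspicious PHP =='; suspicious_php "$inst"
  echo '== Core differences =='; core_diff "$ref" "$inst"
  rm -rf "$ref" "$inst"
}

demo
```

Run it against a real installation by calling the functions with your WordPress path (and, for core_diff, an unpacked copy of the same release) instead of the demo tree.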


Step 2 — Update All Plugins and Themes

The majority of WordPress compromises originate from outdated or vulnerable plugins. After cleaning up backdoors, ensure everything is up to date before bringing the site back online.

  1. Go to Dashboard > Updates
  2. Update all plugins, themes, and WordPress core
  3. If a plugin has no update available and was the known attack vector, remove it and find a maintained alternative

Remove Abandoned or Unnecessary Plugins

Every plugin you don't actively need is a potential attack surface:

  • Deactivate and delete any plugin that hasn't been updated in over 12 months
  • Remove plugins you are not actively using
  • Check the WordPress.org plugin page for each plugin — if it has been "closed" or removed, stop using it

Step 3 — Remove WP File Manager (and Similar High-Risk Plugins)

WP File Manager (elFinder) and similar file management plugins have been the source of several major WordPress compromise campaigns. These plugins provide web-based file system access and, if unpatched or misconfigured, can be exploited remotely.

Security Notice: CVE-2020-25213 — a critical vulnerability in WP File Manager (versions < 6.9) allowed unauthenticated attackers to upload and execute arbitrary PHP files. Sites running this plugin were mass-compromised within hours of the vulnerability being published.

Recommendation: Remove WP File Manager entirely. If file management is required, use your hosting provider's built-in file manager (cPanel File Manager) or SFTP with a dedicated client instead.

How to Remove WP File Manager

  1. Go to Plugins > Installed Plugins in WP Admin
  2. Deactivate WP File Manager
  3. Click Delete
  4. If you cannot access WP Admin, use cPanel File Manager or SFTP to manually delete: wp-content/plugins/wp-file-manager/

Step 4 — Review and Audit Admin Users

Attackers frequently create hidden or obfuscated administrator accounts to maintain persistent access even after malicious files are removed. This step is critical and often overlooked.

Review Admin Users in WP Admin

  1. Go to Users > All Users
  2. Filter by Role: Administrator
  3. Look for accounts you do not recognise — pay attention to:
    • Generic or random usernames (e.g. admin2, user_9182, wp_admin_bk)
    • Recently created accounts (check the "Registered" date column)
    • Accounts with unknown or suspicious email addresses
  4. Delete any accounts that are unrecognised or unauthorised

Check the Database Directly (Advanced)

Attackers sometimes insert admin users directly into the database to bypass WP Admin visibility. Check using phpMyAdmin or WP-CLI:

# List all WordPress admin users via WP-CLI (include the registration date)
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered

# Or query the database directly (adjust the wp_ prefix if your site uses a different one)
SELECT ID, user_login, user_email, user_registered FROM wp_users;
SELECT user_id, meta_value FROM wp_usermeta
 WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%';

Reset All Passwords

Even for legitimate admin accounts, reset all passwords as a precaution — your credentials may have been exfiltrated:

  • Go to Users > All Users, click each admin user, and set a new strong password
  • Use a password manager to generate a unique, random password (minimum 20 characters)
  • Change the database user password in your hosting control panel, then update the matching value in wp-config.php

Step 5 — Enable Two-Factor Authentication (2FA)

Enabling 2FA is one of the highest-impact security improvements you can make. Even if an attacker obtains a password through a future breach, they cannot log in without the second factor.

Recommended Plugins

  • WP 2FA — Simple setup, supports TOTP apps (Google Authenticator, Authy). Free.
  • Wordfence Login Security — Included with Wordfence; supports TOTP + reCAPTCHA. Free.
  • Duo Two-Factor Authentication — Enterprise-grade; push notifications and hardware tokens. Free up to 10 users.

Enabling 2FA with WP 2FA

  1. Install and activate WP 2FA from the plugin directory
  2. Go to Users > Your Profile and scroll to Two-Factor Authentication
  3. Follow the setup wizard — scan the QR code with your authenticator app
  4. Save backup codes in a secure location
  5. Enforce 2FA for all administrators: WP 2FA > Policies > Require 2FA for Administrators

Additional Hardening Measures

Restrict WP Admin Access by IP

If you access WP Admin from a known, fixed IP address, you can block all other IPs from reaching the dashboard. Add the following to the .htaccess file inside the wp-admin/ directory (this is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use the equivalent Require ip directive instead). Note that wp-login.php lives in the site root rather than in wp-admin/, so this rule does not cover the login form itself, and that it also blocks wp-admin/admin-ajax.php, which some themes and plugins call from the public front end:

order deny,allow
deny from all
allow from YOUR.IP.ADDRESS.HERE

Disable File Editing in WP Admin

By default, WordPress allows admins to edit plugin and theme files in the browser — a major risk if an admin account is compromised. Disable this in wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

Change the Default Login URL

Moving the login page from /wp-login.php to a custom URL reduces automated brute-force attacks. Use a plugin such as WPS Hide Login to do this without editing core files.

Implement a Web Application Firewall (WAF)

  • Cloudflare (free tier) provides basic WAF protection and rate limiting
  • Wordfence includes a WAF that blocks common attack patterns before they reach WordPress
  • Sucuri offers a cloud-based WAF with CDN integration

Set Correct File Permissions

# Directories
find /path/to/wordpress -type d -exec chmod 755 {} \;

# Files
find /path/to/wordpress -type f -exec chmod 644 {} \;

# wp-config.php (most sensitive file)
# Use 640 instead if PHP runs as a different user than the file owner, or the site will break
chmod 600 /path/to/wordpress/wp-config.php

Verification Checklist

Before taking the site out of maintenance mode, confirm all of the following:

  • Full malware scan completed with no remaining threats
  • All backdoor / web shell files deleted
  • WP File Manager (or similar high-risk plugins) removed
  • All plugins, themes, and WordPress core updated
  • Unused plugins and themes removed
  • All admin user accounts reviewed; unauthorised accounts deleted
  • All admin passwords reset
  • cPanel/DirectAdmin account password changed to a secure, random password
  • Hosting account login password changed to a secure, random password
  • Database user password changed
  • Two-factor authentication enabled for all admin accounts
  • File editing disabled in wp-config.php
  • File permissions reviewed and corrected
  • Security scan re-run — clean result confirmed

When to Escalate to Support

This guide covers the most common self-service recovery scenarios. Please open a support ticket if:

  • You are unable to access WP Admin or your hosting control panel
  • Malware persists after following all steps in this guide
  • You suspect the compromise extends beyond WordPress (e.g. server-level access)
  • Your hosting provider has suspended your account due to malware
  • You need help with a custom or complex WordPress configuration

Tip: When opening a ticket, please include your list of active plugins, any error messages, and the results of your Wordfence scan. This significantly speeds up our investigation.


© LaunchCDN