Permanent Re-Entry Point Elimination
You've cleaned the malware twice. It keeps coming back. Backdoors are why.
Malware is the issue. The backdoor is the disease. Attackers install hidden re-entry mechanisms so they can return after you clean up. Until every backdoor is found and destroyed, cleaning the visible malware is temporary.
Why Your Site Keeps Getting Hacked After Cleanup
You ran the security plugin. It found malware. You cleaned it. Three days later, the site is infected again. This cycle is not bad luck; it is the intended behavior of a sophisticated attack.
When an attacker gains access to your WordPress site, they install secondary access mechanisms, backdoors, in locations that typical cleanup processes don't inspect. These allow them to re-deploy malware automatically, whether or not the original vulnerability has been patched.
Cleaning malware without finding the backdoor is like changing your lock after a break-in without realizing the attacker left a window unlatched.
What Typical Cleanups Miss
Most cleanup services focus on the obvious infection: injected scripts in theme files, spam links in post content. What they typically don't check:
- Encoded PHP files hidden inside the `/uploads/` directory (which most scanners whitelist)
- Malicious WordPress cron jobs scheduled to re-deploy malware at a set interval
- Rogue admin accounts added at the database level, invisible in the WordPress UI
- `eval(base64_decode())` payloads embedded in otherwise legitimate plugin files
- PHP files masquerading as image files in non-standard directories
Backdoors survive because they're designed to be invisible to the tools people use to find them.
The Full Backdoor Extermination Process
Non-standard directory sweep
We inspect every directory for PHP execution scripts that shouldn't exist, including the uploads folder.
Encoded payload detection
We scan for `eval`, `base64_decode`, `gzinflate`, and other encoding functions used to obfuscate malicious code.
Cron job audit
We review the WordPress cron schedule and server-level cron jobs for attacker-added automated tasks.
Database-level user audit
We query the users table directly, bypassing wp-admin, to find hidden admin accounts.
.htaccess and wp-config review
We check for redirect rules and execution hooks added by attackers.
7-day post-cleanup monitoring
We confirm no reinfection before closing the engagement.
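As an added illustration of the directory sweep and encoded payload detection steps above (example code written for this page, not the service's own tooling), the following Python sketch walks a site tree and flags PHP scripts under `uploads`, image files that contain PHP, and calls to the encoding functions named above. The extension sets, the finding labels and the constructed sample tree are assumptions.

```python
import re, tempfile
from pathlib import Path

OBFUSCATION = re.compile(rb"\b(eval|base64_decode|gzinflate)\s*\(", re.I)
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.I)
PHP_EXT = {".php", ".phtml", ".phar"}                   # assumed extension list
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}   # assumed extension list

def scan_file(path, rel):
    """Return finding labels for one file; rel is its POSIX path under the root."""
    data, ext = path.read_bytes(), path.suffix.lower()
    has_php = bool(PHP_TAG.search(data))
    calls = sorted({m.group(1).lower().decode() for m in OBFUSCATION.finditer(data)})
    findings = []
    if ext in PHP_EXT and "/uploads/" in "/" + rel:
        findings.append("php-in-uploads")       # executable script in the media folder
    if ext in IMAGE_EXT and has_php:
        findings.append("php-in-image")         # image extension, PHP content
    if has_php and calls:
        findings.append("encoded-call:" + "+".join(calls))
    return findings

def scan_tree(root):
    """Walk every directory, uploads included, and map relative path -> findings."""
    report = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        found = scan_file(path, rel)
        if found:
            report[rel] = found
    return report

def build_sample(root):
    files = {  # constructed demo tree with inert placeholder content, not real malware
        "wp-content/uploads/2024/01/cache.php": b"<?php echo 'x';",
        "wp-content/uploads/2024/01/logo.png": b"\x89PNG<?php eval(base64_decode('PLACEHOLDER'));",
        "wp-content/uploads/2024/01/photo.jpg": b"\xff\xd8\xff\xe0 plain image bytes",
        "wp-content/plugins/demo/demo.php": b"<?php function demo_init() { return 1; }",
        "wp-content/plugins/demo/util.php": b"<?php $a = gzinflate(base64_decode($b));",
    }
    for rel, body in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        print(scan_tree(site))
```

Legitimate plugins also call `base64_decode` and `gzinflate`, so an `encoded-call` hit is a lead for manual review rather than a verdict.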
Post-Mortem Report
Case Study: The Cron Job That Reinfected Every 48 Hours
Common questions
Questions answered.
How do I know if my site has a backdoor?
The most reliable indicator is reinfection after cleanup. Other signs: unexplained admin accounts, PHP files in the uploads directory, unusual cron entries. A manual audit is the only way to be certain.
Can a backdoor survive a full site restore from backup?
Yes, if the backdoor was already present in the backup. We inspect backups for backdoor presence before recommending a restore.
Will updating all my plugins prevent backdoors?
Updating closes the entry points. But existing backdoor files remain regardless of plugin updates; they must be manually removed.