Website keeps getting hacked: how to find the backdoor

If you have already cleaned the site and a day or a week later it is infected again, the cause is almost always the same: you removed the symptom but did not close the way in. A backdoor was left behind, a hidden script through which the infection returns automatically. While it lives, cleaning is pointless: the code is re-uploaded through the same route. Below: what a backdoor is, where it hides, how to find it, and how to close the way in so the site stops getting hacked.

Contents
  1. Why it keeps happening
  2. Check your site now
  3. What a backdoor is
  4. How to find it
  5. Why the antivirus misses it
  6. How to close the way in
  7. Joomla or WordPress
  8. When to call a specialist

Why the site keeps getting hacked

A repeat hack is not bad luck, it is a pattern. The cause is always that the previous cleanup was incomplete:

  • The visible infection (a redirect, spam pages) was removed, but not the mechanism that creates it.
  • A backdoor was left behind: a file or a snippet of code that gives the attacker access bypassing the password.
  • The vulnerability used to get in the first time was never closed, so they can get in again.

Removing the infection and closing the way in are two different jobs. Without the second, the site is hacked again the same way, often the same day.

Check your site right now

The tool opens your site from the outside the way a search engine and a mobile visitor see it. An active infection, a redirect and cloaking show up at once, along with an outdated CMS version, which is usually the way in. No access to the site is required.

I check: defacement, mobile redirect, cloaking, the CMS version and whether it is up to date.

Checking the site from the outside...

What a backdoor is and where it hides

A backdoor is a hidden entry point left behind after a hack. It is hard to find because it disguises itself. The typical places:

  • A web shell: a separate .php file with a random name in the uploads, media or cache folder.
  • An insert in a legitimate file: a single line in index.php, functions.php or a template file, often via eval(base64_decode(...)).
  • A fake image file: a .php disguised as an image or an icon.
  • In the database: code in template parameters or records that runs when the page loads.
  • A cron job: restores deleted files on a schedule.
  • A rogue administrator in the CMS or a new owner in Search Console.

How to find the backdoor

The order that actually finds the hidden entry:

  1. Compare the files with a known-clean copy of the CMS: anything extra is suspect.
  2. Sort files by modification date: infected ones usually changed at the same time.
  3. Search the code for suspicious functions: eval, base64_decode, gzinflate, assert, preg_replace with the e modifier.
  4. Check folders where no .php should be: uploads, images, media.
  5. Check cron jobs and the list of CMS administrators.
  6. In the database, check template parameters and service records for foreign code.

Why the hosting antivirus does not find it

A very common trap: the host says "all clean" while the site keeps getting hacked. There are two reasons. First, the antivirus looks for files by known signatures, while the backdoor is either obfuscated (encrypted) or looks like legitimate code. Second, part of the mechanism sits in the database or in a cron job, not in the files. The files really are clean, and the scanner honestly reports that.

So "the host said everything is fine" does not mean the backdoor is gone. You have to check obfuscated code, the database and cron too, not just file signatures.

How to close the way in for good

To stop the site being hacked, removing the backdoor is not enough. You have to close the door itself:

  • Find the entry point in the server logs: which extension or vulnerability let them in.
  • Update the CMS and all extensions to supported versions, remove unused ones.
  • Change every password and key: admin, FTP and SSH, database, hosting panel, CMS secret keys.
  • Confirm no other backdoors or cron jobs remain.
  • Restrict access to the admin area, enable basic protection and set up clean backups.

If the site is on Joomla or WordPress

Joomla. Joomla 3 is especially exposed: no security updates since 17 August 2023. Attackers get in through extensions (JCE, SP Page Builder) or the Helix3 framework, and hide the backdoor in the media folder or in template parameters in the database. Without moving to version 5 or 6 the site gets reinfected.

WordPress. Check the wp-content folder (the mu-plugins directory, the uploads folder for .php), the wp-config.php file, the active theme functions.php and the wp_options table. The way in is usually a neglected or vulnerable plugin.

When to call a specialist

It is worth calling in a specialist if:

  • you have already cleaned the site two or more times and the infection returns;
  • the backdoor cannot be found while the site keeps getting hacked;
  • the code is obfuscated or sits in the database, and the hosting antivirus stays silent;
  • the host suspended the account for malware;
  • there is no working clean backup.

I find and remove backdoors on any CMS and close the entry point so the site stops getting hacked, rather than just cleaning the symptom. Diagnostics are free. I work with site owners from Ukraine and Poland, and with Russian speakers across the EU. I do not work with legal entities registered in Russia: that is an EU sanctions restriction.

Details and request

Frequently asked questions

I removed the malware and a day later it came back. Why?

Because a backdoor or a cron job was left behind that re-uploads the code, and the vulnerability used to get in was never closed. Removing the infection and closing the way in are different jobs. Without the second, the site is reinfected the same way.

What is a backdoor in plain words?

It is a hidden door left behind after a hack. Through it the attacker gets in bypassing the password and reinfects the site. A backdoor disguises itself as an ordinary file or hides in the database, which is why it is hard to find by hand.

The hosting antivirus finds nothing. Does that mean there is no backdoor?

No. The antivirus looks by signatures, while a backdoor is usually obfuscated or looks like legitimate code, and part of the mechanism may be in the database or in cron. A silent scanner does not prove the site is clean.

Can I just roll back to a backup?

Only if the backup is known-clean and you know the infection date. Often the backdoor was uploaded weeks before the hack was noticed, so the backup already contains it. And a rollback does not close the vulnerability, so the site gets reinfected.

How do I find out how they got into the site?

From the server logs: they show which request and which file preceded the infection appearing. Usually it is a vulnerable extension or an outdated CMS. Without closing that entry point, the site will keep getting hacked.

Telegram