You cleaned the malware — and it came back. That’s a backdoor: hidden code that gives attackers a way back in regardless of password changes, so it silently rebuilds the redirect, spam, or skimmer you just removed. We hunt down every backdoor across your files, database, cron jobs, and server access, and close the door for good.
Last updated: June 2026 · Reviewed by the FixHackedWordPress malware response team
Fix-First, Pay-Later Guarantee
We find and remove every backdoor first. If we can’t, you pay nothing.
Quick Answer
A backdoor is hidden code an attacker leaves behind so they can regain control of your WordPress site at any time — bypassing your login entirely. It’s not a symptom you see; it’s the persistence layer that makes every other infection come back. Remove a redirect, spam, or skimmer but miss the backdoor, and it quietly reinstalls the payload within days. That’s why “I cleaned it and it returned” almost always means a backdoor was left in place.
Modern campaigns plant several backdoors at once — a web shell, a hidden admin, a database copy, a cron job, an SSH key — specifically so a partial cleanup fails. Real eradication means auditing every layer: files, database, scheduled tasks, plugins, user accounts, and server-level access. This is the page the rest of our services point to when malware keeps returning.
Persistence: The layer that causes reinfection
Multi-layer: Often several backdoors at once
File + DB + server: We audit all three, not just files
$0: If we can’t fix it
Know The Enemy
“Backdoor” isn’t one thing — it’s a family of persistence tricks, each designed to survive a different kind of cleanup. Miss one and the infection regenerates.
| Backdoor type | What it does | Where it hides |
|---|---|---|
| Web shell | A PHP file that runs any command the attacker sends | wp-content/uploads, core folders, fake images |
| Code injection | Obfuscated eval(base64_decode(...)) that re-adds payloads | wp-config.php, functions.php, core files |
| Must-use / fake plugin | Auto-runs on every load, never shows in the plugin list | mu-plugins, plugins named to look legit |
| Rogue admin user | A hidden account for walking straight back in | wp_users (e.g. adminbackup, wp-core) |
| Database backdoor | A copy of the payload that re-deploys after file cleanup | wp_options records, autoloaded data |
| Cron & server access | Re-injects on a schedule or bypasses WordPress entirely | cron jobs, SSH authorized_keys, .bashrc/.profile |
Advanced campaigns combine several of these — sometimes half a dozen layers — so removing one just leaves the others to rebuild. That’s the trap behind most “it keeps coming back” stories.
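A file-level sweep for the first three rows of the table can be sketched as follows. This is an added example, not the service's own tooling; the finding labels and the sample tree, including the file name wp-core-loader.php, are constructed for illustration. It does not cover the database, user, cron, or SSH rows, which need their own checks.

```python
import re
import tempfile
from pathlib import Path

# Loader pattern named in the table above, plus common wrappers around it.
OBFUSCATED = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXT = {".php", ".phtml", ".phar"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}

def audit_wp_tree(root):
    """Return sorted (finding, relative_path) pairs for a WordPress docroot."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        data = path.read_bytes()[:1_000_000]  # cap how much of each file is read
        if rel.startswith("wp-content/uploads/"):
            if ext in PHP_EXT:
                findings.add(("php-in-uploads", rel))
            elif ext in IMAGE_EXT and b"<?php" in data:
                findings.add(("fake-image", rel))
        if rel.startswith("wp-content/mu-plugins/"):
            # mu-plugins load on every request and are absent from the plugin list
            findings.add(("mu-plugin-review", rel))
        if OBFUSCATED.search(data):
            findings.add(("obfuscated-eval", rel))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample docroot; the encoded string decodes to `echo 1;`."""
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-content/themes/demo/functions.php":
            "<?php eval(base64_decode('ZWNobyAxOw=='));\n",
        "wp-content/uploads/2026/05/logo.png": "\x89PNG<?php echo 1; ?>",
        "wp-content/uploads/2026/05/cache.php": "<?php echo 1;\n",
        "wp-content/uploads/2026/05/photo.jpg": "JFIF plain image bytes",
        "wp-content/mu-plugins/wp-core-loader.php": "<?php // constructed\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="latin-1")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding, rel in audit_wp_tree(tmp):
            print(f"{finding:18} {rel}")
```

Every mu-plugin is listed for review rather than flagged as malicious, since legitimate hosts and plugins also place files there; the point is that a reviewer sees each one because wp-admin will not show them.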
Backdoors are built specifically to defeat the most common DIY removal steps. Here’s where they win — and why “delete the bad file” rarely ends it.
…but a web shell or SSH key doesn’t need your password. The attacker still has direct access and re-infects at will.
…but a copy of the backdoor lives in the database or a cron job, and re-writes those files minutes later — sometimes before you even finish.
…but the vulnerability is still open, or the backup itself already contained the backdoor, so the loop just restarts.
…but security plugins operate inside WordPress and often miss server-level cron jobs, SSH keys, and heavily obfuscated shells.
…but campaigns plant several backdoors at once. Removing one of six leaves five to quietly rebuild the rest.
…but a second hidden admin, or a backdoor that recreates users, puts the attacker right back in control.
Methodology
We treat the site as fully compromised and audit every layer an attacker can persist in — not just the obvious files.
We scan files, the database, cron jobs, plugins, and user accounts, compare core files against clean WordPress, and flag every shell, injection, and obfuscated payload — over SSH, not just inside wp-admin.
We eliminate web shells, code injections, fake/mu-plugins, database backdoors, malicious cron jobs, and rogue SSH keys in one pass — so nothing is left to rebuild the others.
We remove rogue admins, reset all credentials, rotate keys and salts, and revoke any unauthorized SSH or Search Console access so old footholds are dead.
We fix the vulnerability that allowed the first break-in, disable file editing, lock down uploads and login, and confirm the reinfection loop is broken.
Simple Pricing
No tiers, no upsells. One price to find and remove every backdoor.
$75 flat, to start
Full backdoor sweep and reinfection fix — one site.
Fix-first, pay-later · you only pay once it’s clean
Because a backdoor is rebuilding it. The visible malware is the payload; the backdoor is the hidden access that re-deploys it. Until every backdoor — and the original vulnerability — is removed, the cycle repeats.
Often not. Web shells, SSH keys, cron jobs, and database backdoors don’t rely on your password, so the attacker keeps access even after a reset. Those have to be found and removed directly.
Not reliably. Plugins run inside WordPress and frequently miss server-level persistence like cron jobs and SSH keys, and they can miss heavily obfuscated shells. A thorough audit needs server (SSH) access, which is part of our process.
Yes. If any infection regenerates after cleanup, a backdoor is the cause. We’ll remove the backdoors here and clean the specific payload too — whether it’s a redirect, SEO spam, or a skimmer.
Most backdoor sweeps are completed within 4–12 hours depending on how many layers are present. It’s a flat $75 to start, fix-first and pay-later — you only pay once the reinfection loop is broken. Contact us to begin.
As long as a single backdoor remains, your site will keep getting re-hacked. We find every layer, revoke every foothold, and patch the way in — and if we can’t, you pay absolutely nothing.
Flat $75 · Fix-first, pay-later