I Found a Hidden “Backdoor” in a Client’s WordPress Site
If you own a WordPress website, you probably worry about security. You should.
Recently, a client came to me because their website was acting strange. It wasn’t completely broken, but something felt “off.” They asked me to take a look. What I found was a perfect example of how modern hackers hide inside your website files without you even noticing.
I wanted to share this discovery to show you what malware looks like and why you need a professional to keep your site clean.
The Discovery: Innocent Looking Files
When I logged into the client’s file manager (hosted on DreamHost), I navigated to the /wp-content/ folder. This is where your themes and uploads live.
At first glance, everything looked normal. But then I saw three files that didn’t belong there:
- fa.php
- fazel.php
- trigger.txt
To a regular person, fa.php might look like a font file (like FontAwesome), and trigger.txt looks harmless. But for a developer, these files in this specific location are a massive red flag.

Analyzing the Malware: How It Works
I opened the code to see what it was doing. I won’t bore you with complex technical jargon yet, but here is what this script does in plain English.
The hacker created what we call a “Loader” or a “Dropper.” Think of this malware like a remote-controlled lock on your front door. The hacker doesn’t live in your house, but they have a key that lets them in whenever they want.
1. The “Fetcher”
The code contains a function called geturlsinfo. Its job is to go out to the internet and download instructions from a specific URL. In this case, the malware was trying to download a hacking tool from a GitHub page to gain control over the server.
2. The “Trigger”
The malware uses the trigger.txt file as an On/Off switch. The code checks if the text file has the word “active” inside it. If it does, the virus runs. If you try to delete the virus but forget the trigger file, it can sometimes be used to restart the infection.
3. The “Execution” (The Dangerous Part)
The scariest line in the code is this one:
eval('?>' . $a);
In simple terms, this command tells your website: “Whatever code you just downloaded from the hacker’s URL, run it immediately as if it were part of the website.”

Technical Breakdown: Anatomy of the “Alfa” Dropper
For the tech-savvy business owners or developers reading this, I want to explain exactly why this specific script is so dangerous. It wasn’t just a random bug; it was a sophisticated tool designed to bypass standard security firewalls.
Here is what the code was actually doing behind the scenes:
1. It Mimics a Real Human (Evasion Tactics)
Most basic security firewalls block automated bots. The hacker knew this. Inside the code, I found this line:
CURLOPT_USERAGENT, "Mozilla/5.0..."
This forces the malware to pretend it is a legitimate Firefox browser running on Windows. To a security log, the malicious connection looks just like a regular person browsing the web, allowing it to slip past basic defenses.
2. It Has “Backup Plans” (Resilience)
Malware developers know that every server is configured differently. This script uses a “Polyfill” technique. It checks for three different ways to connect to the internet:
- Method A: curl_exec (the preferred method)
- Method B: file_get_contents (if A fails)
- Method C: fopen (if B fails)
This ensures that no matter how strictly your server is locked down, the virus tries every possible door to download its payload.
3. The Payload: The “Alfa” Web Shell
The script was trying to fetch a file named alfa.txt. In the cybersecurity world, “Alfa” is a notorious Web Shell.
Once this shell is loaded via the eval() command, it creates a visual interface for the hacker. Imagine Windows Explorer, but for your website files. It gives them the power to edit your configuration files, steal database passwords, and bypass the WordPress login screen entirely.
How I Fixed It (And How I Can Help You)
Cleaning a hacked site isn’t just about clicking “delete” on the bad files. If you don’t fix the hole they used to get in, they will just come back tomorrow.
Here is the process I used to secure this client’s site:
- Code Analysis: I identified the malicious logic to understand exactly what the hacker was trying to do.
- Cleanup: I safely removed fa.php, fazel.php, and trigger.txt, and cleaned up the core WordPress files they had tampered with.
- Backdoor Sweep: I scanned the rest of the database and folders to ensure they didn’t leave other “keys” hidden elsewhere.
- Patching: I updated all plugins and the WordPress core to close the security holes.
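The Backdoor Sweep step can be partly scripted. The scanner below is an added example written for this page, not the author's tooling: it walks a wp-content tree and flags PHP files carrying the indicators described above (eval of a fetched string, spoofed User-Agent, the curl/file_get_contents/fopen fallback chain, the trigger file, the alfa.txt payload name), plus any .php sitting directly in wp-content/ other than index.php. The regexes, the index.php allowance and the sample tree are my assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicator regexes modelled on the dropper in the post: eval of a fetched string,
# spoofed browser User-Agent, the curl/file_get_contents/fopen fallback chain,
# the trigger file switch. Illustrative assumptions, not a vendor signature set.
INDICATORS = {
    "eval_of_fetched_code": re.compile(r"eval\s*\(\s*['\"]\?>['\"]\s*\.\s*\$\w+"),
    "spoofed_user_agent": re.compile(r"CURLOPT_USERAGENT\s*,\s*['\"]Mozilla/"),
    "fetch_fallback_chain": re.compile(r"curl_exec[\s\S]*file_get_contents[\s\S]*\bfopen\b"),
    "trigger_file_switch": re.compile(r"trigger\.txt"),
    "alfa_payload_name": re.compile(r"\balfa\.txt\b"),
}
ALLOWED_ROOT_PHP = {"index.php"}  # the only .php a stock install keeps directly in wp-content/

def scan_wp_content(root):
    """Return {relative_path: [indicator, ...]} for suspicious PHP files under root."""
    root, findings = Path(root), {}
    for php in root.rglob("*.php"):
        hits = []
        if php.parent == root and php.name not in ALLOWED_ROOT_PHP:
            hits.append("unexpected_php_in_wp_content_root")
        text = php.read_text(errors="replace")  # tolerate odd encodings in obfuscated files
        hits += [name for name, rx in INDICATORS.items() if rx.search(text)]
        # eval of fetched code is damning on its own; otherwise require two indicators
        if "eval_of_fetched_code" in hits or len(hits) >= 2:
            findings[php.relative_to(root).as_posix()] = hits
    return findings

# Constructed fixture: two legitimate files plus a fragment carrying the post's
# indicators (its variables are undefined, so it is not a working loader).
SAMPLE_TREE = {
    "index.php": "<?php\n// Silence is golden.\n",
    "plugins/hello/hello.php": "<?php\nfunction hello_world() { return 'Hello'; }\n",
    "fa.php": "<?php\ncurl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/5.0 (Windows NT 10.0)\");\n"
              "$a = curl_exec($ch) ?: file_get_contents($u) ?: fopen($u, 'r');\n"
              "if ($t === 'active') { eval('?>' . $a); } // $t is read from trigger.txt\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # write the fixture, scan it, return findings
        for rel, body in SAMPLE_TREE.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return scan_wp_content(tmp)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Point scan_wp_content at a real wp-content directory to run it against a live copy; a hit is a prompt to read the file, not proof of infection on its own.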
Is Your Website Safe?
Most business owners don’t know they are hacked until it is too late—when Google blacklists their site or their host shuts them down.
Don’t wait for a disaster.
If you see strange files in your hosting panel, or if your site is running slow, let me take a look. I offer professional WordPress security and maintenance services to keep your business safe.
