A website backdoor is malicious code injected into a website to allow unauthorized access. These hidden entry points can give attackers full control over your site, making them extremely dangerous. Today, we want to focus on the essential ways that we identify and remove backdoors to prevent reinfection and keep your site safe for the long term.
Techniques to Find Backdoors
Finding a website backdoor is not an easy task, because a backdoor is built to stay hidden from the website owner. At Sucuri we recommend the following techniques:
Whitelisting
We know what good files look like. One of the ways to identify a legitimate file is its checksum, a cryptographic hash of the file's contents that can be compared against a known-good value. We favor strong integrity algorithms (e.g., SHA-256) and verified sources of truth for checksums (official vendor APIs or release archives of exactly the deployed version), rather than weaker hashes alone.
For example, we can compare a site's files against the official core files of the main content management systems (CMSs), like WordPress, Joomla, Magento, Drupal, and others. We also have checksums for most plugins, modules, extensions, and themes.
Using this whitelisting technique, we can tell right away if any of the core files were modified or if a new one was added. This way, we can safely ignore the good files, which eliminates a significant part of the work.
Blacklisting
Sucuri has always been committed to research and progression. We maintain an evolving list with thousands of backdoors and their variations. If you’re interested, you can even browse the malware entries and malware signatures in our Labs Notes.
Matching files against these signatures lets us block known backdoors from executing on client websites and detect them quickly. Keep in mind that blocking execution requires an enforcement point (e.g., WAF rules or server-side controls). Blacklisting complements behavioral and contextual analysis; it is not a substitute for it.
Anomaly Checks
When a file is not in our whitelist of core files and not in our blacklist signatures of malicious files, we do our anomaly checks.
We analyze all the functions/variables and manually inspect them to see if they are backdoors. From there, we flag them for investigation if we can’t verify that the file is good. Our professional security analysts can investigate further in the case of a new or very complex backdoor.
When we find a new backdoor, we update our blacklists and correlation engines to catch them in the future. If after analyzing the functions and variables we find out that they are not harmful, we add them to our whitelist.
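The three tiers described above (whitelist by checksum, blacklist by signature, anomaly checks on whatever is left) in one pass over a web root. This is an added example, not Sucuri's tooling: the known-good manifest, the signature regexes, the indicator list and the threshold are constructed for illustration, as are the sample files it triages.

```python
"""Three-tier triage of a deployed web root: whitelist by checksum, blacklist by
signature, then anomaly heuristics for whatever is left unclassified.
Added example; manifest, signatures, threshold and sample files are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Tier 1: known-good checksums. Built here from pristine contents so the example
# runs offline; in practice they come from the vendor's published checksums or a
# freshly extracted release archive of exactly the deployed version.
PRISTINE = {
    "wp-includes/version.php": "<?php\n$wp_version = '6.5';\n",
    "wp-settings.php": "<?php\nrequire ABSPATH . 'wp-includes/load.php';\n",
}
KNOWN_GOOD = {p: hashlib.sha256(b.encode()).hexdigest() for p, b in PRISTINE.items()}

# Tier 2: illustrative signatures for common PHP backdoor shapes (not a vendor set).
SIGNATURES = {
    "eval-of-base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "preg_replace-e-modifier": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    "assert-on-request": re.compile(r"assert\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)"),
}

# Tier 3: anomaly indicators; each class present scores one point.
INDICATORS = {
    "exec-function": re.compile(
        r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\("),
    "decoder": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\("),
    "request-input": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "long-encoded-blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}
ANOMALY_THRESHOLD = 2  # two or more indicator classes: hand the file to an analyst


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def indicators(text: str) -> list[str]:
    """Names of the indicator classes that appear in the file text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(webroot: Path) -> dict[str, tuple[str, str]]:
    """Classify every .php file under webroot as one of: clean (checksum matches),
    blacklisted (signature hit), modified-core (known path, checksum differs),
    suspicious (indicator score >= threshold) or unverified (custom file with no
    indicators; a human still confirms it before it joins the whitelist)."""
    results = {}
    for path in sorted(webroot.rglob("*.php")):
        rel = path.relative_to(webroot).as_posix()
        if rel in KNOWN_GOOD and sha256_file(path) == KNOWN_GOOD[rel]:
            results[rel] = ("clean", "checksum matches known-good")
            continue
        text = path.read_text(errors="replace")
        hit = next((n for n, rx in SIGNATURES.items() if rx.search(text)), None)
        hits = indicators(text)
        if hit:
            results[rel] = ("blacklisted", hit)
        elif rel in KNOWN_GOOD:
            results[rel] = ("modified-core", "indicators: " + (",".join(hits) or "none"))
        elif len(hits) >= ANOMALY_THRESHOLD:
            results[rel] = ("suspicious", ",".join(hits))
        else:
            results[rel] = ("unverified", "no indicators; review before whitelisting")
    return results


def build_sample_webroot(root: Path) -> None:
    """Constructed deployment with one file per verdict."""
    files = dict(PRISTINE)
    # Core file with one include appended: no dangerous calls, so only the checksum catches it.
    files["wp-settings.php"] += "@include_once 'wp-content/uploads/.cache.php';\n"
    # Dropped shell in an upload directory: matched by a signature.
    files["wp-content/uploads/.cache.php"] = "<?php eval(base64_decode($_POST['q']));\n"
    # Benign custom theme code: not in the manifest, no indicators.
    files["wp-content/themes/custom/functions.php"] = (
        "<?php\nadd_action('wp_head', function () { echo '<meta name=\"generator\" content=\"custom\">'; });\n")
    # Obfuscated loader that dodges the exact signatures but trips the heuristics.
    blob = "QUFB" * 24  # 96 base64-alphabet characters standing in for an encoded payload
    files["wp-content/themes/custom/helper.php"] = (
        f"<?php\n$c = gzinflate(base64_decode('{blob}'));\neval($c);\n")
    for rel, body in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body)


def demo() -> dict[str, tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(Path(tmp))
        return triage(Path(tmp))


if __name__ == "__main__":
    for rel, (verdict, detail) in demo().items():
        print(f"{verdict:14} {rel}  ({detail})")
```

The precedence matters: a checksum mismatch on a core file is reported even when no signature or indicator fires, because the fix (replace the file with the pristine copy) is the same regardless of what was added. Note that the official WordPress core checksum API publishes MD5 digests, so treat a match there as one signal and compare against a pristine release archive with SHA-256 where you can.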
Prevention
You can take some actions to protect your website from the initial infection:
- Keep all your software updated: Enable automatic or scheduled security updates where safe, and patch known vulnerabilities promptly.
- Keep an eye open for any kind of strange files: Especially files with typos. Also watch for recently modified files in writable paths, hidden files, and double‑extension uploads (e.g., .png.php).
- Use strong, unique passwords: enable two-factor authentication (2FA) for admin accounts and never reuse a password across sites.
- Use a Web Application Firewall (WAF): a WAF filters requests before they reach your site and provides virtual patching that reduces exploit success. It does not remove existing backdoors and is not a replacement for updates and hardening.
- Install the free Sucuri scanner to monitor and audit your site.
- Block PHP execution in upload directories and remove unused plugins/themes.
- Apply least-privilege filesystem permissions and ownership: 640 or 644 for files, 750 or 755 for directories, and never 777.
- Further harden WordPress by disabling the built-in file editor, limiting login attempts, and restricting access to /wp-admin where feasible.
- Maintain version-controlled deployments and file integrity monitoring (FIM), and keep offline, tested backups with regular restore drills.
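A filesystem audit that checks the file-hygiene items in the list above: permission modes against the 644/755 policy, PHP files inside an upload directory, hidden and double-extension PHP files, and files modified after the last known-good deployment. This is an added example, not from the original article; the allowed mode sets, the upload path list, the baseline timestamp and the sample tree are assumptions. It detects; actually blocking PHP execution in uploads remains a web-server configuration change.

```python
"""Filesystem hygiene audit for a web root. Added example with a constructed
sample tree; the mode policy and upload path list are assumptions, not any
vendor's defaults."""
import os
import re
import stat
import tempfile
import time
from pathlib import Path

FILE_MODES = {0o644, 0o640, 0o600}      # least-privilege file modes
DIR_MODES = {0o755, 0o750, 0o700}       # least-privilege directory modes
UPLOAD_DIRS = ("wp-content/uploads",)   # must never contain executable PHP
DOUBLE_EXT = re.compile(r"\.(?:png|jpe?g|gif|svg|pdf|txt|ico)\.php\d?$", re.I)


def audit(webroot: Path, baseline: float) -> list[tuple[str, str]]:
    """Return (relative_path, finding) pairs. `baseline` is the mtime of the
    last known-good deployment; anything modified after it is reported."""
    findings = []
    for path in sorted(webroot.rglob("*")):
        rel = path.relative_to(webroot).as_posix()
        st = path.lstat()
        mode = stat.S_IMODE(st.st_mode)
        allowed = DIR_MODES if path.is_dir() else FILE_MODES
        if mode not in allowed:
            kind = "world-writable" if mode & stat.S_IWOTH else "non-standard"
            findings.append((rel, f"{kind} mode {mode:04o}"))
        if path.is_dir():
            continue
        if DOUBLE_EXT.search(path.name):
            findings.append((rel, "double extension"))
        if path.name.startswith(".") and path.suffix.lower() == ".php":
            findings.append((rel, "hidden PHP file"))
        if path.suffix.lower() == ".php" and any(rel.startswith(d + "/") for d in UPLOAD_DIRS):
            findings.append((rel, "PHP in upload directory"))
        if st.st_mtime > baseline:
            findings.append((rel, "modified after last known-good deployment"))
    return findings


def build_sample_tree(root: Path, now: float) -> None:
    """Constructed deployment: mostly tidy, with a few hygiene problems planted."""
    old = now - 30 * 86400
    files = {
        "wp-includes/version.php": ("<?php $wp_version = '6.5';", 0o644, old),
        "wp-content/plugins/akismet/akismet.php": ("<?php // plugin code", 0o666, old),
        "wp-content/uploads/2024/logo.png": ("\x89PNG", 0o644, old),
        "wp-content/uploads/2024/logo.png.php": ("<?php system($_GET['c']);", 0o644, old),
        "wp-content/uploads/.cache.php": ("<?php eval($_POST['p']);", 0o644, now),
    }
    for rel, (body, mode, mtime) in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body)
        os.chmod(dest, mode)
        os.utime(dest, (mtime, mtime))
    for d in root.rglob("*"):
        if d.is_dir():
            os.chmod(d, 0o755)
    # The classic "make uploads work" mistake.
    os.chmod(root / "wp-content/uploads", 0o777)


def demo() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        build_sample_tree(Path(tmp), now)
        return audit(Path(tmp), baseline=now - 7 * 86400)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Run it from a cron job or a deployment hook and diff the output against the previous run; a new "PHP in upload directory" or "modified after last known-good deployment" line is exactly the kind of strange file the list above tells you to watch for.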
Tips for Cleaning a Compromised Website
If you are trying to clean a compromised site by yourself, we have some recommendations. First, replace every file you can (core files, plugins, themes, etc.) with known-good copies of the same version. Then manually analyze the custom files that cannot be overwritten to ensure your website is clean.
It is critical that all backdoors are closed to successfully clean a hack, otherwise your site will be reinfected quickly.
We have written a guide to give you more instructions on how to clean a hacked website.
Conclusion
Finding a website backdoor can be very challenging. We combine whitelisting and blacklisting techniques with our own manual analysis to find all the backdoors in a website.
Sucuri is dedicated to providing solutions, whether you want to clean up a website yourself by following our free guides or have us do it for you.