WordPress Backdoor & Shell Scanner
After a WordPress site is compromised, attackers plant backdoors to maintain access even after you change passwords. These are usually PHP files with names like wp-info.php or hidden inside plugin folders, and they respond to secret POST requests with file management, command execution, or database access. wp-scan.org detects the code patterns used in these shells regardless of filename.
What wp-scan.org detects
- ✓ PHP shells using system(), exec(), passthru(), or shell_exec()
- ✓ Backdoors triggered by secret POST parameter checks
- ✓ Base64/gzip-encoded payloads that decode at runtime
- ✓ assert() and preg_replace() /e modifier code execution
- ✓ File manager capabilities hidden in WordPress files
- ✓ C99, r57, WSO and other known web shell code signatures
Scan your WordPress files now — free
Want to see what a Premium report looks like?
View a real scan with line numbers, fix guides, and secure code for every finding.
Common questions
Common signs: Google flags your site, your host suspends the account, visitors get redirected, or you find unfamiliar PHP files with obfuscated content. wp-scan.org will find the code patterns even if the filename looks innocent.
Backdoors don't need your password. They're PHP files the attacker can call directly with a browser. Changing passwords doesn't remove them — you need to find and delete the malicious files.
1) Take the site offline, 2) Replace all core WordPress files from a fresh download, 3) Audit every theme and plugin file, 4) Change all passwords and revoke all API keys, 5) Check your database for injected admin accounts.
See exact line numbers and fix guides for every finding
Upgrade to Premium — from $9.99/mo →