Remove Akismet Backdoor

TL;DR

A backdoor has been found in some versions of the Akismet WordPress plugin. This guide shows you how to check for and remove it, and secure your site.

Step-by-step Guide

  1. Check Your Akismet Version: The vulnerability affects versions 4.1.3 and earlier. Log into your WordPress admin area.
    • Go to ‘Plugins’ > ‘Installed Plugins’.
    • Find Akismet Anti-Spam in the list.
    • Check the version number. If it’s 4.1.3 or lower, you need to update immediately.
  2. Update Akismet: The easiest way to fix this is to update to the latest version.
    • From the ‘Plugins’ page, if an update is available, click ‘Update Now’.
    • Alternatively, go to ‘Dashboard’ > ‘Updates Available’. If Akismet is listed, update it.
  3. Scan for Malicious Files (if updated): Even after updating, scan your site files as a precaution.
    • Using a Security Plugin: Plugins like Wordfence or Sucuri Security have built-in malware scanners. Install and activate one of these plugins, then run a full site scan.
      Example (Wordfence): After installation, go to ‘Security’ > ‘Scan’ and start a Standard Scan.
    • Manual File Check: If you don’t want to use a plugin, check for the malicious code in these files:
      • wp-includes/plugin.php
      • wp-admin/includes/file.php
  4. Remove Malicious Code (if found): If the scan finds malicious code, you’ll need to remove it.
    • Using a Security Plugin: Most security plugins will offer an option to clean or quarantine infected files. Follow the plugin’s instructions.
      Example (Wordfence): The scan results page will show you which files are infected and provide options to Clean, Quarantine, or Delete them.
    • Manual Removal (advanced users only!): This is risky if you’re not comfortable editing code.
      • Access your site files via FTP or a file manager in your hosting control panel.
      • Edit the identified files (wp-includes/plugin.php and wp-admin/includes/file.php).
      • Look for code similar to this (the exact code may vary):
      • Carefully delete only that specific block of code. Be extremely cautious not to remove any legitimate WordPress code.
  5. Check .htaccess File: The backdoor might have added malicious rules to your .htaccess file.
    • Access your site files via FTP or a file manager.
    • Locate the .htaccess file in your website’s root directory.
    • Edit the file and look for any unusual code, especially lines related to base64 encoding or redirection.
      Example: Look for anything that looks like this:
      RewriteEngine On
      RewriteRule ^(.*)$ index.php [L]
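    • If you find suspicious entries, remove them. Back up your .htaccess file before making any changes! WordPress's own rules, between the # BEGIN WordPress and # END WordPress markers, also use RewriteEngine and RewriteRule; leave that block in place.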
  6. Change WordPress Credentials: As a precaution, change the passwords for all WordPress user accounts, especially administrator accounts.
  7. Enable Two-Factor Authentication (2FA): Add an extra layer of security by enabling 2FA for your WordPress accounts. Many security plugins offer this feature.
    Example (Wordfence): Go to ‘Security’ > ‘Login Security’ and enable Two-Factor Authentication.
  8. Keep WordPress, Themes, and Plugins Updated: Regularly update WordPress core, themes, and all plugins to patch security vulnerabilities.
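
The manual checks in steps 3 and 5 can be scripted. The following is an added example, not code from the original guide: the function names are hypothetical, and it assumes you have unpacked an unmodified copy of the same WordPress release into a separate directory to compare against.

```sh
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.
# Assumption: CLEAN is an unpacked, unmodified copy of the same WordPress
# release that SITE runs.

CORE_FILES="wp-includes/plugin.php wp-admin/includes/file.php"

# Step 3: report the two core files named in the guide if they are missing
# or differ from the clean copy. Returns 0 only when both match.
check_core_files() {
    cc_site=$1; cc_clean=$2; cc_bad=0
    for cc_f in $CORE_FILES; do
        if [ ! -f "$cc_site/$cc_f" ]; then
            echo "MISSING $cc_f"; cc_bad=1
        elif ! cmp -s "$cc_site/$cc_f" "$cc_clean/$cc_f"; then
            echo "MODIFIED $cc_f"; cc_bad=1
            # Show what was added or changed so it can be reviewed by hand.
            diff -u "$cc_clean/$cc_f" "$cc_site/$cc_f" | head -n 40
        fi
    done
    return "$cc_bad"
}

# Step 5: print numbered .htaccess lines that mention base64, rewriting or
# redirection and sit outside WordPress's own "# BEGIN WordPress" ...
# "# END WordPress" block. Lines inside the block are skipped here.
scan_htaccess() {
    awk '
        /^# BEGIN WordPress/ { in_wp = 1; next }
        /^# END WordPress/   { in_wp = 0; next }
        !in_wp && tolower($0) ~ /base64|rewrite|redirect/ {
            printf "%d: %s\n", NR, $0
        }
    ' "$1"
}
```

Call check_core_files with the site root and the clean copy's root, and scan_htaccess with the path to the site's .htaccess file. Lines inside the WordPress markers are not reported, so compare that block by eye against a fresh install.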