
I am inspecting a WordPress web site for a client and I have found that some backdoors were present in the webroot folder.

Now I have to understand how the attacker did that by reviewing the source code that the client provided to me.

What are the ways with which an attacker could upload a backdoor? On what part of code should I focus?

ibrahim87

1 Answer

Don't take this as an insult, but the fact you don't know where to start is a hindrance. Consider the following: You audit the code to smithereens only to find out someone ssh'd in and put the backdoor in the webroot folder. Then what? You've wasted time.

Your best bet is to try to determine when this happened via log analysis, which is likely going to reveal which plugin or WordPress vulnerability was exploited. To do this, I would issue an ls -ltha on the file itself to get a timestamp (hoping someone didn't modify this). Once I got that timestamp, I would then go through the webserver's access and error logs for that time frame, I would parse out the name of the application, and so forth.

My hunch tells me someone exploited a vulnerable plugin or version of WordPress, in which case the time wasted on analyzing code would be used more productively on updates and securing the system.

As for how the backdoor may have been uploaded, this is broad. Until you determine whether or not it was uploaded BECAUSE of WordPress you are playing a guessing game. How do you know someone didn't brute force the server (ssh) and then upload it? ... Analyze the log files for the server first.

munkeyoto
From a probability perspective alone, it is likely a vulnerable plugin, as you say. A wpscan on the site could reveal a lot. – schroeder Nov 05 '14 at 23:05
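The log-correlation step the answer describes, written out as an added example (not code from the post or from any WordPress project): take the backdoor file's timestamp, pull the access-log requests within a window around it, and surface writes and plugin/upload paths first. The sample log lines, IP addresses, plugin name and pivot time are constructed, and the parser assumes the Apache/nginx "combined" log format.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, e.g. [05/Nov/2014:22:58:01 +0000].
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Constructed sample log; IPs and the plugin name are made up for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2014:22:40:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Nov/2014:22:55:30 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 73 "-" "python-requests/2.4"
198.51.100.7 - - [05/Nov/2014:22:56:02 +0000] "GET /wp-content/uploads/2014/11/wp-cache.php HTTP/1.1" 200 41 "-" "python-requests/2.4"
203.0.113.9 - - [05/Nov/2014:22:57:45 +0000] "GET /about/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Nov/2014:23:30:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
""".splitlines()

# Constructed: the mtime that ls -ltha / stat reported for the backdoor file.
PIVOT = datetime(2014, 11, 5, 22, 56, 0, tzinfo=timezone.utc)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def file_times(path):
    """mtime and ctime as aware UTC datetimes. touch/utime can rewrite mtime but
    ctime is set by the kernel, so a big gap between them suggests tampering."""
    st = os.stat(path)
    return (datetime.fromtimestamp(st.st_mtime, timezone.utc),
            datetime.fromtimestamp(st.st_ctime, timezone.utc))

def requests_near(lines, pivot, minutes=10):
    """All parsable requests within +/- minutes of the pivot timestamp."""
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and lo <= r["when"] <= hi]

def suspicious(recs):
    """Writes (POST/PUT) and hits on plugin, theme, upload or admin paths first."""
    paths = ("/wp-content/plugins/", "/wp-content/themes/",
             "/wp-content/uploads/", "/wp-admin/", "/xmlrpc.php")
    return [r for r in recs
            if r["method"] in ("POST", "PUT") or any(p in r["path"] for p in paths)]
```

If the ctime reported by file_times is far from the mtime, widen the window passed to requests_near rather than trusting the mtime alone.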