To identify potential backdoors, check your files for these PHP functions:

base64
exec
move_uploaded_file
str_rot13
gzuncompress
eval
stripslashes
system
assert
preg_replace (with /e/)

Use the following SSH command to detect any hacked files located within your directories:

find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("

The following command will locate image files with backdoor functions:

find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

Lastly, use the command below to locate infected iframes:

find . -type f -name '*.php'| grep -i '<iframe'