Identifying website backdoors is not always an easy task. Since a backdoors primary function is to conceal itself while providing unauthorized access, they are often developed using a variety of techniques that can make it challenging to detect.
For example, an attacker can inject a single line of code containing less than 130 characters into a website file. While this may not seem like a lot of code, this short string can be used to load PHP web shells on your website at the attacker’s whim — while also preventing website visitors and administrators from detecting the malicious behavior.
Source: Scuri check