Hidden WordPress Backdoors Found Creating Admin Accounts

Security researchers have uncovered two backdoors planted on compromised WordPress websites that were ultimately designed to generate administrator accounts. The intrusion also helped attackers maintain long-term access even after the web admins tried to clean up, Sucuri researchers explained.

Disguised as Legitimate Files 

The first backdoor, *DebugMaster Pro*, sounds like a professional debugging tool. However, its code is built to create hidden administrator users with hardcoded credentials that will also secretly transmit stolen data to a command-and-control server.

It also uses various methods to avoid detection. For example, the plugin removed itself from WordPress plugin listings, and only if the web administrator used filters could they reveal the new admin account. 

The second threat, *wp-user.php*, looked simpler – but appearances are deceiving. Its script could automatically create a user with administrator privileges. If the site owner deletes the newly created account, the backdoor immediately recreates it on the next execution. 

How the Backdoors Operated 

Once the backdoors were in place, the fake plugin generated new administrator accounts and exfiltrated credentials, including usernames, passwords, and the servers' IP addresses. This data was encoded in JSON, obfuscated with base64, and sent to an external command and control server. 

Additionally, the malware injected external scripts into compromised websites. These scripts were loaded for all visitors, with the exception of administrators or whitelisted IPs, which allowed attackers to serve malicious payloads or monitor user activity. 

On the other hand, *wp-user.php* ensured persistence by enforcing the presence of a specific administrator account. Even if administrators changed the password or deleted the account, the script restored it.

Signs of Compromise 

WordPress site owners need to look out for: 

• Unrecognized plugins or suspicious files such as DebugMaster.php or wp-user.php.
• Unexpected administrator accounts.
• Deleted accounts reappearing after removal.

 Recommended Protection 

To recover from this type of compromise, security researchers advise the following: 

• Remove malicious files: Delete DebugMaster and wp-user.php.
• Audit users: Remove the hardcoded "help" administrator account and other suspicious entries.
• Reset credentials: Change all WordPress, FTP, hosting, and database passwords.
• Update software: Patch WordPress, plugins, and themes to the latest versions.
• Monitor outgoing traffic: Track server logs for connections to unknown domains.